Full text of Act No. 486 / 2004 Coll.

Full text of Act No. 227 / 2000 Coll., on electronic signature and amending certain other laws (Act on electronic signature), as resulting from subsequent amendments

Valid Declared full text
Text versions: 09.09.2004
486
PRESIDENT OF THE GOVERNMENT
announces the full text of Act No. 227 / 2000 Coll., on electronic signature and on the amendment of certain other laws (Act on electronic signature), as follows from the amendments made by Act No. 226 / 2002 Coll., Act No. 517 / 2002 Coll. and Act No. 440 / 2004 Coll.
ACT
on electronic signature
Parliament has adopted the following Act of the Czech Republic:

PART ONE

ELECTRONIC SIGNATURE
§ 1
Purpose of the law
This Act regulates, in accordance with the law of the European Communities (1), the use of electronic signatures and electronic marks, the provision of certification services and related services by providers established in the Czech Republic, the supervision of compliance with the obligations laid down by this Act and the penalties for infringements of the obligations laid down by this Act.
§ 2
Definition of certain terms
For the purposes of this Act:
(a) electronic signature means data which are attached to, or are logically related to, a data message and which serve as a method for unambiguous verification of the identity of the signatory in relation to the data message;
(b) guaranteed electronic signature means an electronic signature meeting the following requirements:
1. is clearly linked to the signatory;
2. allows identification of the signatory in relation to the data message;
3. has been created and connected to the data message using means which the signatory can keep under his sole control;
4. is connected to the data message to which it relates in such a way that any subsequent change of data can be detected;
(c) electronic mark means data which are attached to or are logically related to a data message and which satisfy the following requirements:
1. are clearly associated with the designating person and allow its identification through a qualified system certificate;
2. have been created and connected to the data message by means of an electronic mark creation device which the designating person can keep under its sole control;
3. are connected to the data message to which they relate in such a way that any subsequent change of data can be detected;
(d) data message means electronic data which can be transmitted by means of electronic communication and stored on recording media used in the processing and transmission of data by electronic means;
(e) signatory means a natural person who holds an electronic signature device and acts on his or her own behalf or on behalf of another natural or legal person;
(f) designating person means a natural person, a legal person or an organisational unit of the State which holds an electronic mark creation device and marks a data message with an electronic mark;
(g) certificate holder means a natural person, a legal person or an organisational unit of the State which has requested the issue of a qualified certificate or a qualified system certificate for itself or for the signatory or the designating person and to which the certificate has been issued;
(h) certification service provider means a natural person, a legal person or an organisational unit of the State that issues certificates and keeps records of them, or provides other services related to electronic signatures;
(i) qualified certification service provider means a certification service provider that issues qualified certificates or qualified system certificates or qualified time stamps or means for the secure creation of electronic signatures (hereinafter referred to as "qualified certification services") and has complied with the reporting requirements of Section 6;
(j) accredited certification service provider means a certification service provider granted accreditation under this Act;
(k) certificate means a data message issued by a certification service provider which connects the data for the verification of electronic signatures with the signatory and enables the verification of his identity, or links the data for the verification of electronic marks with the designating person and allows the verification of its identity;
(l) qualified certificate means a certificate which meets the requirements of Section 12 and has been issued by a qualified certification service provider;
(m) qualified system certificate means a certificate which meets the requirements of § 12a and has been issued by a qualified certification service provider;
(n) data for creating electronic signatures means unique data used by the signatory to create electronic signatures;
(o) data for verifying electronic signatures means unique data used for verifying electronic signatures;
(p) data for the creation of electronic marks means unique data used by the designating person to create electronic marks;
(q) data for the verification of electronic marks means unique data used for the verification of electronic marks;
(r) qualified time stamp means a data message issued by a qualified certification service provider that reliably links the data in electronic form to a moment in time and ensures that the data in electronic form existed before that time;
(s) electronic signature creation device means technical equipment or software used to create electronic signatures;
(t) electronic signature verification device means technical equipment or software used to verify electronic signatures;
(u) secure electronic signature creation device means an electronic signature creation device which complies with the requirements laid down by this Act;
(v) secure electronic signature verification device means a signature verification device which satisfies the requirements laid down in this Act;
(w) electronic signature tool means technical equipment or software, or components thereof, used to provide certification services or to create or verify electronic signatures;
(x) electronic mark creation device means equipment used by the designating person for the creation of electronic marks and which fulfils the other requirements laid down by this Act;
(y) electronic mail office means a facility of a public authority for receiving and sending data messages;
(z) accreditation means a certificate that the certification service provider fulfils the conditions laid down by this Act for the performance of the activities of an accredited certification service provider.
§ 3
Compliance with signature requirements
(1) A data message is signed if it bears an electronic signature. Unless the contrary is proved, the signatory shall be deemed to have become acquainted with the content of the data message before signing it.
(2) The use of a guaranteed electronic signature based on a qualified certificate and created by a secure signature creation device allows verification that the data message has been signed by a person named on that qualified certificate.
§ 3a
(1) The use of an electronic mark based on a qualified system certificate and generated by an electronic mark creation device allows verification that the data message has been marked with that electronic mark by the designating person.
(2) Where the designating person has marked the data message, it shall be deemed to have done so by automated means without direct verification of the content of the data message, thereby expressing its will.
§ 4
Compliance with the original
The use of a guaranteed electronic signature or electronic mark ensures that if the contents of the data message are altered after it has been signed or marked, such alteration can be detected.
§ 5
Obligations of the signatory
(1) The signatory shall:
(a) treat the means and data for the creation of a guaranteed electronic signature with due care so that their unauthorised use cannot take place;
(b) inform without delay the certification service provider which issued the qualified certificate that there is a risk of misuse of its data to create a guaranteed electronic signature.
(2) The signatory shall be liable under specific legislation (1a) for any damage caused by the infringement referred to in paragraph 1. However, liability shall be waived if the signatory proves that the person who suffered the damage has not performed all the necessary actions to verify that the guaranteed electronic signature is valid and that its qualified certificate has not been invalidated.
§ 5a
Obligations of the designating person
(1) The designating person shall:
(a) treat the device as well as the data for the creation of electronic marks with due care so that their unauthorised use cannot occur;
(b) inform without delay the certification service provider who issued the qualified system certificate that there is a risk of misuse of its data for the creation of electronic marks.
(2) The designating person shall ensure that the electronic mark creation device it uses complies with the requirements laid down in this Act.
(3) The designating person shall be liable under special legislation (1a) for damage caused by the infringement referred to in paragraph 1, even if the damage was not caused by its fault; liability for defects under special rules shall not be affected. However, liability shall be waived if the designating person proves that the person who suffered the damage has not performed all the necessary actions to verify that the electronic mark is valid and that its qualified system certificate has not been invalidated.
§ 5b
Obligations of the certificate holder
The certificate holder shall provide accurate, true and complete information to the certification service provider in relation to the qualified certificate and in relation to the qualified system certificate without undue delay.
§ 6
Qualified certification service provider
(1) A qualified certification service provider shall:
(a) ensure that anyone can ascertain the provider's identity and its qualified system certificate, on the basis of which it marks the issued qualified certificates or qualified system certificates and lists of certificates which have been invalidated, or qualified time stamps;
(b) ensure that the provision of qualified certification services is carried out by persons with the expertise and qualifications necessary for the provision of the qualified certification service and familiar with the relevant security procedures;
(c) use secure systems and secure electronic signature tools, ensure sufficient security of the procedures that support such systems and tools and ensure sufficient cryptographic security of those instruments; systems and tools are considered safe if they comply with the requirements laid down in this Act and the Implementing Decree, or if they comply with the requirements of the technical standards set out in the Commission Decision issued on the basis of Article 3 (5) of Directive 1999 / 93 / EC,
(d) use secure systems for the retention of qualified certificates and qualified system certificates or qualified time stamps in verifiable form in such a way that only authorised persons can carry out records or their changes so that the accuracy of the records can be checked and that any technical or programme changes in breach of those security requirements are evident;
(e) have sufficient financial resources or other financial collateral for operation throughout their activities in accordance with the requirements laid down in this Act and taking into account the risk of liability;
(f) prior to the conclusion of a contract on the provision of qualified certification services with a person requesting the provision of services under this Act, inform that person in writing of the precise conditions for the use of qualified certification services, including any restrictions on their use, and of the conditions for complaints and resolution of disputes arising, and whether or not it is accredited by the Ministry of Informatics ("the Ministry") pursuant to Section 10; this information may be transmitted electronically.
(2) If the certification service provider is not accredited by the Ministry, it shall notify the Ministry at least 30 days before the start of the provision of the qualified certification service that it will provide it and the moment when it commences. At the same time, it shall transmit to the Ministry for verification its qualified system certificate referred to in paragraph 1 (a).
(3) Where the Ministry has withdrawn the accreditation granted under Section 10 of this Act to a qualified certification service provider, the provider shall inform the bodies to which it provides its qualified certification services and other persons concerned without delay.
(4) A qualified certification service provider provides services under this Act under contract. The contract must be written.
(5) A qualified certification service provider shall keep the information and documentation related to the qualified certification services provided under this Act, in particular:
(a) a contract for the provision of a qualified certification service, including a request for the provision of a service;
(b) a qualified certificate issued, a qualified system certificate issued or a qualified time stamp issued;
(c) a copy of the personal documents submitted by the signatory, or of the documents on the basis of which the identity of the designating person has been verified;
(d) a certificate of receipt of a qualified certificate or a qualified system certificate by the holder or, where appropriate, his consent to the publication of the qualified certificate in the list of issued qualified certificates;
(e) a declaration by the certificate holder that the information referred to in paragraph 1 (f) has been provided to him;
(f) documents and records related to the life cycle of a qualified certificate or a qualified system certificate, the details of which shall be specified in the implementing decree.
(6) A qualified certification service provider shall keep all information and documentation on services provided under this Act for at least 10 years. The qualified provider shall ensure that the stored information and documentation is protected against loss, misuse, destruction or damage under conditions specified in the Implementing Decree. The information and documentation referred to in the first sentence may be obtained and stored electronically by the qualified certification service provider. Unless otherwise provided for in this Act, the handling of information and documentation shall be carried out in accordance with specific legislation. 2)
(7) Staff of a qualified certification service provider, or other natural persons who come into contact with personal data and with data for the creation of electronic signatures of signatories and of electronic marks, shall be obliged to maintain confidentiality of such data and of the security measures whose disclosure would jeopardise the security of such data. The obligation of confidentiality shall continue after the end of an employment or other similar relationship or after the work concerned has been carried out; the said persons may be released from the obligation of confidentiality by the person in whose interest the obligation exists, or by a court.
§ 6a
Obligations of a qualified certification service provider when issuing qualified certificates and qualified system certificates
(1) A qualified certification service provider issuing qualified certificates or qualified system certificates (hereinafter referred to as "certificates issued as qualified") shall:
(a) ensure that certificates issued by him as qualified include all the formalities laid down by this law;
(b) ensure that the particulars given in certificates issued by him as qualified are accurate, true and complete;
(c) before issuing a certificate as qualified, safely verify by appropriate means the identity of the signatory or the identity of the designating person and, where appropriate, their special characteristics, if the purpose of such certificate so requires;
(d) determine whether, at the time of the application for the issue of a certificate as qualified, the signatory had data for the creation of electronic signatures corresponding to the data for the verification of electronic signatures, or the designating person had data for the creation of electronic marks corresponding to the data for the verification of electronic marks, contained in the application for the issue of the certificate;
(e) ensure the operation of a secure and publicly available list of certificates issued as qualified, for which the certificate holder has given his consent in accordance with Article 6 (5) (d), ensure the availability of that list by remote access, and update the information contained in the list upon each change without undue delay;
(f) ensure the operation of a safe and publicly accessible list of certificates issued as qualified and invalidated, including by remote access;
(g) ensure that the date and time, to the hour, minute and second, at which a certificate issued as qualified is issued or invalidated can be precisely determined;
(h) take appropriate measures against misuse and falsification of certificates issued as qualified;
(i) provide to third parties, on request, relevant information on the conditions for the use of certificates issued as qualified, including restrictions on their use, and whether or not they are accredited by the Ministry; This information may be provided electronically.
(2) Where a qualified certification service provider issuing certificates as qualified creates data for the creation of electronic signatures for the signatory, or data for the creation of electronic marks for the designating person:
(a) it must ensure the confidentiality of such data before they are handed over, and must not copy such data or store them for longer than is necessary;
(b) it must guarantee that these data correspond to the data for verifying electronic signatures or data for verifying electronic marks.
(3) A qualified certification service provider issuing certificates as qualified must immediately invalidate the certificate if the holder, the signatory or the designating person so requests, or informs the provider that there is a risk of misuse of their data for the creation of electronic signatures or electronic marks, or if the certificate has been issued on the basis of false or incorrect data.
(4) A qualified certification service provider shall also immediately invalidate a certificate issued as qualified if it is established that the signatory or the designating person has died or ceased to exist, or has been deprived of or restricted in legal capacity by a court, 2a) or if the information on the basis of which the certificate was issued has become untrue.
§ 6b
Obligations of a qualified certification service provider when issuing qualified time stamps
(1) A qualified certification service provider issuing qualified time stamps shall:
(a) ensure that the time stamps issued by him as qualified contain all the formalities laid down by this law;
(b) ensure that the time entered in the qualified time stamp corresponds to the value of Coordinated Universal Time at the moment the qualified time stamp is created;
(c) ensure that the electronic data covered by the application for a qualified time stamp clearly corresponds to the electronic data contained in the qualified time stamp issued;
(d) take appropriate measures against counterfeiting of qualified time stamps;
(e) provide to third parties, upon request, relevant information on the conditions for the use of qualified time stamps, including restrictions on their use and whether or not they are accredited by the Ministry; This information may be provided electronically.
(2) A qualified certification service provider shall issue a qualified time stamp immediately upon receipt of the request for certification.
§ 7
Liability for damage
(1) A qualified certification service provider shall be responsible for the damage caused by the breach of obligations under this law under specific legislation. (1a)
(2) A qualified certification service provider shall not be liable for damage resulting from the use of a certificate issued as qualified resulting from non-compliance with the restrictions on its use provided for in Sections 12 (1) (i) and (j) and 12a (h).
§ 8
Protection of personal data
The protection of personal data is governed by specific legislation.3)
§ 9
Accreditation and supervision
(1) The granting of accreditation to operate as an accredited certification service provider, as well as the supervision of compliance with this Act, is the responsibility of the Ministry.
(2) The Ministry shall:
(a) grant and withdraw accreditation to operate as an accredited certification service provider to entities operating in the Czech Republic;
(b) supervise the activities of accredited certification service providers and qualified certification service providers, impose corrective measures and fines for infringements under this law;
(c) keep records of accreditation and changes thereto and records of qualified certification service providers;
(d) keep a register of issued qualified system certificates used by a qualified certification service provider pursuant to Article 6 (1) (a) and verified by the Ministry pursuant to Article 6 (2);
(e) publish on an ongoing basis an overview of the accreditation awarded, an overview of the qualified certification service providers and their qualified services and the qualified system certificates referred to in point (d), including in a way that allows remote access;
(f) evaluate the conformity of electronic signature instruments with the requirements laid down in this Act and the Implementing Decree;
(g) fulfil the other obligations laid down by this law.
(3) For the purposes of supervision, the accredited certification service provider and the qualified certification service provider shall be obliged to allow authorised Ministry staff to enter the commercial and operational premises to the extent necessary, to submit, upon request, all documentation, records, documents and other supporting material related to their activities, to allow access to their information system to the extent necessary, and to provide information and any necessary cooperation.
(4) Unless otherwise provided for by this Act, the Ministry shall act in the exercise of its supervision under special legislation. 4)
(5) An order fine of up to CZK 1 000 000 may be imposed on a qualified certification service provider who has failed to fulfil his obligation to cooperate in accordance with paragraph 3.
§ 10
Conditions for granting accreditation for the provision of certification services
(1) Any certification service provider may request the Ministry to grant accreditation for the activities of an accredited certification service provider. The application for accreditation shall be subject to an administrative fee. 5)
(2) In the application for accreditation referred to in paragraph 1, the applicant shall provide evidence of:
(a) in the case of a legal person, the trading firm or the name, registered office or, where applicable, the address of the organisational component of a foreign person in the Czech Republic, and the applicant's identification number, if assigned; in the case of a natural person, the name and, where applicable, the name, surname, addendum, place of establishment, place of business, if different from the place of establishment, and the applicant's identification number, if assigned;
(b) proof of a business authorisation and, in the case of a registered person, an extract from the business register not older than 3 months;
(c) an extract from the criminal record of an entrepreneur - natural person or statutory representatives of a legal person, where the applicant is a legal person, not more than 3 months old;
(d) the substantive, personnel and organisational conditions for the activities of a qualified certification service provider under Sections 6, 6a and 6b of this Act;
(e) an indication of which qualified certification services the applicant intends to provide;
(f) proof of payment of the administrative fee.
(3) If the application does not contain all the information requested, the Ministry shall interrupt the procedure and invite the applicant to complete it within the time limit set. If the applicant fails to do so within that period, the Ministry shall terminate the proceedings. The administrative fee shall not be refunded in such a case.
(4) If the applicant fulfils all the conditions laid down in this Act for accreditation, the Ministry shall issue a decision granting him accreditation. Otherwise, it shall reject the application for accreditation.
§ 10a
Conditions for extending the services of an accredited certification service provider
(1) An accredited certification service provider may extend the provision of qualified certification services to issue qualified certificates, qualified system certificates, qualified time stamps or to issue means for the safe creation of electronic signatures under this Act ("extended services").
(2) The accredited certification service provider shall notify the extension referred to in paragraph 1 to the Ministry in such a way that the Ministry receives the notification at least 4 months before the service is provided.
(3) In the notification, the accredited certification service provider shall demonstrate the factual, personnel and organisational conditions for the provision of extended services.
(4) If the accredited certification service provider fails to demonstrate the facts referred to in paragraph 3, or if those facts are incomplete or inaccurate, the Ministry shall notify the accredited certification service provider that it will not prohibit such defects by the decision to extend the services within the time limit set by it.
(5) The Ministry will prohibit the notified extension if the accredited certification service provider has not complied with all the conditions laid down by this Act for the provision of extended services.
(6) The decision to prohibit the extension of the provision of qualified certification services shall be taken by the Ministry no later than 90 days after the notification has been received.
§ 11
(1) In the field of public authorities, only guaranteed electronic signatures and qualified certificates issued by accredited certification service providers ("recognised electronic signature") may be used for signature purposes. This also applies to the exercise of public authority vis-à-vis natural and legal persons. Where a recognised electronic signature is used in the field of public authorities, the qualified certificate shall contain such information that the person is clearly identifiable. The structure of the data on the basis of which a person can be clearly identified shall be determined by the Ministry by implementing legislation.
(2) The documents of public authorities in electronic form bearing an electronic mark based on a qualified system certificate issued by an accredited certification service provider or signed by a recognised electronic signature have the same legal effects as those issued by those authorities.
(3) The public authority shall receive and send the data messages referred to in paragraph 1 via an electronic mail office.
§ 12
Requirements for a qualified certificate
(1) The qualified certificate shall contain:
(a) an indication that it is issued as a qualified certificate under this law;
(b) in the case of a legal person, the trading firm or name and the State in which the qualified provider is established; in the case of a natural person, the name, surname or addendum and the State in which the qualified provider is established;
(c) the name and, where appropriate, the names of the signatory or pseudonym with the appropriate indication that it is a pseudonym;
(d) the specific characteristics of the signatory, where the purpose of the qualified certificate so requires;
(e) the signature verification data corresponding to the signature creation data under the control of the signatory;
(f) the electronic mark of the certification service provider based on the qualified system certificate of the provider issuing the qualified certificate;
(g) the number of the qualified certificate unique to that certification service provider;
(h) the beginning and expiry of the qualified certificate;
(i) where appropriate, details as to whether the use of a qualified certificate is restricted by nature and scope only for certain uses;
(j) where appropriate, limitations on the transaction values for which a qualified certificate may be used.
(2) The restrictions on the use of the qualified certificate referred to in points (i) and (j) of paragraph 1 must be apparent to third parties.
(3) A qualified certificate may contain additional personal data only with the permission of the signatory.
§ 12a
Requirements for a qualified system certificate
A qualified system certificate shall include:
(a) an indication that it is issued as a qualified system certificate under this law;
(b) in the case of a legal person, the trading firm or name and the State in which the qualified provider is established; in the case of a natural person, the name, surname or addendum and the State in which the qualified provider is established;
(c) a clear identification of the designating person or, where appropriate, the electronic mark creation device;
(d) data for the verification of electronic marks which correspond to the data for the creation of electronic marks under the control of the designating person;
(e) the electronic mark of the certification service provider based on the qualified system certificate of the provider issuing the qualified system certificate;
(f) the number of the qualified system certificate unique to the qualified certification service provider;
(g) the beginning and expiry of a qualified system certificate;
(h) restrictions on the use of a qualified system certificate, which must be apparent to third parties.
§ 12b
Requirements for a qualified time stamp
The qualified time stamp shall contain:
(a) the number of the qualified time stamp unique to the qualified certification service provider;
(b) a description of the rules under which the qualified certification service provider issued the qualified time stamp;
(c) in the case of a legal person, the trading firm or name and the State in which the qualified provider is established; in the case of a natural person, the name, surname or addendum and the State in which the qualified provider is established;


Regulation Information

Citation: Full text of Act No. 486 / 2004 Coll., Act No. 227 / 2000 Coll., on Electronic Signature and on the Amendment of Certain Other Acts (Electronic Signature Act), as resulting from subsequent amendments
Regulation Type: Declared full text
Author: -
Collection: Code of Laws
Date of Promulgation: 09.09.2004
Effective from: -
Effective until: -
Status: Valid
The regulation text is for informational purposes only.