Act on Strong Electronic Identification and Electronic Signatures

Original Language Title: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä allekirjoituksista

In accordance with the decision of Parliament, the following is enacted:

Chapter 1 General provisions

Section 1 Scope of application
This Act lays down provisions on strong electronic identification and electronic signatures, and on the provision of related services to the service providers that use them and to the general public.
The Act does not apply to the provision of a community's internal identification services or internal electronic signing services.
Nor does the Act apply where a community uses its own identification method to identify its own customers.
The Act does not apply to the manufacture, importation or sale of electronic identification instruments or signature instruments.

Section 2 Definitions
For the purposes of this Act:
1) strong electronic identification means identifying a person and verifying the authenticity and correctness of the identifier by an electronic method based on at least two of the following three options:
(a) a password or something else that the holder of the identification instrument knows;
(b) a chip card or something else that the holder of the identification instrument has in their possession; or
(c) a fingerprint or some other unique property of the holder of the identification instrument;
2) identification instrument means the personally identifying information or features that together make up the strong electronic identification tags, identification tools and verification tools;
3) identification method means the whole made up of the identification instrument and the system needed to carry out an individual strong electronic identification event;
4) identification service provider means a service provider that provides strong electronic identification services to the service providers that use them, or issues identification instruments to the general public, or both;
5) holder of an identification instrument means a natural person to whom the identification service provider has issued an identification instrument on the basis of an agreement;
6) initial identification (ensitunnistaminen) means verifying the identity of the applicant for an identification instrument in connection with the acquisition of the instrument;
7) certificate means an electronic attestation that verifies identity, or verifies identity and links signature-verification data to the signatory, and that can be used in strong electronic identification and in electronic signatures;
8) certification authority (CA) means a natural or legal person that provides certificates to the public;
9) electronic signature means data in electronic form that are attached to or logically associated with other electronic data and that are used as a tool for verifying the identity of the signatory;
10) advanced electronic signature means an electronic signature:
(a) that is uniquely linked to the signatory;
(b) that is capable of identifying the signatory;
(c) that has been created by a method that the signatory can maintain under their sole control; and
(d) that is associated with other electronic data in such a way that any changes can be detected;
11) signature-creation data means unique data, such as codes or private keys, that the signatory uses to create an electronic signature;
12) signature-creation device means software and hardware that, together with the signature-creation data, are used to create an electronic signature; (20.2.2015/139)
Paragraph 12 as amended by Act 139/2015 enters into force on 1.1.2016. The previous wording is: 12) signature-creation device means software and hardware that, together with the signature-creation data, are used to create an electronic signature;
13) signature-verification data means data, such as codes or public keys, that are used to verify an electronic signature; (20.2.2015/139)
Paragraph 13 as amended by Act 139/2015 enters into force on 1.1.2016. The previous wording is: 13) signature-verification data means data, such as codes and public keys, that are used to verify an electronic signature.
14) trust network means the network of identification service providers that have made a notification to the Finnish Communications Regulatory Authority. (20.2.2015/139)
Paragraph 14, added by Act 139/15, enters into force on 1.1.2016.
Chapter 2 Legal effects and the processing of personal data

Section 3
A term that differs from the provisions of this Act to the detriment of the consumer shall be null and void, unless otherwise provided below.

Section 4
Identification instruments can be used to make electronic signatures and, depending on their capabilities, advanced electronic signatures, unless otherwise provided elsewhere in law or under section 18.

Section 5 Legal acts
An identification instrument can be used to carry out a legal act, unless otherwise provided elsewhere in law or under section 18.
If the law requires a signature on a legal act, the requirement is satisfied at least by an advanced electronic signature that is based on a qualified certificate and created with a secure signature-creation device. An electronic signature shall not be denied legal effect solely on the grounds that it was made in a manner other than that described above.
The use of electronic signatures in administration is provided for separately.

Section 6 Processing of personal data
The identification service provider may process the personal data necessary for issuing and maintaining the identification instrument and for carrying out the identification service on the grounds referred to in section 8, subsection 1, paragraphs 1 and 2 of the Personal Data Act (523/1999). A certification authority providing electronic signatures may, on the same grounds, process the personal data necessary for granting and maintaining the certificate. Identification of the service provider, and e-signatures, the certification authority will receive for purposes of the foregoing in addition to collecting personal information from the person themselves.
Personal data may be processed for purposes other than those mentioned in subsection 1 only on the grounds referred to in section 8, subsection 1, paragraph 1 of the Personal Data Act.
When verifying the identity of the applicant, the identification service provider and the certification authority providing electronic signatures shall require the applicant to state their personal identification number. The identification service provider and the certification authority providing electronic signatures process the personal identification number in their registers for the purposes referred to in subsection 1. The personal identification number may be included in an identification instrument or certificate if the information content of the instrument or certificate is available only to those for whom it is necessary in order to carry out the service. The personal identification number may not be available in a public directory. (20.2.2015/139)
Subsection 3 as amended by Act 139/2015 enters into force on 1.1.2016. The previous wording is: When verifying the identity of the applicant, the identification service provider and the certification authority providing electronic signatures may require the applicant to state their personal identification number. The identification service provider and the certification authority providing electronic signatures process the personal identification number in their registers for the purposes referred to in subsection 1. The personal identification number may be included in an identification instrument or certificate if the information content of the instrument or certificate is available only to those for whom it is necessary in order to carry out the service. The personal identification number may not be available in a public directory.
In other respects, the processing of personal data is provided for in sections 19, 24, 30, 37 and 38 of the Personal Data Act.

Section 7 (20.2.2015/139) Use of data from the Population Information System
The identification service provider and the certification authority providing electronic signatures must obtain and update, from the Population Information System, the information they need for identification and for providing the service. In addition, the identification service provider must ensure that the information it needs to provide the identification service is kept up to date with the data in the Population Information System.
The disclosure of data from the Population Information System is a service performed under public law. The fee charged for it is provided for in the Act on Criteria for Charges Payable to the State (150/1992).
Section 7 as amended by Act 139/2015 enters into force on 1.1.2016. The previous wording is: Section 7 Use of data stored in the Population Information System. On the grounds referred to in section 8, subsection 1, paragraphs 1 and 2 of the Personal Data Act, the identification service provider and the certification authority providing electronic signatures may, for the purpose referred to in section 6, subsection 1 of this Act, obtain personal data from the Population Information System and check against it the personal data provided by the applicant or holder.
The disclosure of data from the Population Information System is a service performed under public law. The fee charged for it is provided for in the Act on Criteria for Charges Payable to the State (150/1992).
Chapter 3 Strong electronic identification

Section 8 Requirements for the identification method
The identification method must meet the following requirements:
1) the method is based on initial identification in accordance with section 17, the information on which can be verified afterwards in accordance with section 24;
2) the holder of the identification instrument can be uniquely identified by the method;
3) the method makes it possible to ensure with a sufficient level of confidence that only the holder of the identification instrument can use the instrument; and
4) the method is sufficiently safe and reliable, taking into account the information security threats associated with the technology available at the time.

What is stated above does not preclude providing the service in such a way that the identification service provider discloses to the service provider that uses the identification service only a pseudonym of the holder of the identification instrument or only a limited amount of personal data.
The Finnish Communications Regulatory Authority may issue more detailed technical regulations on the requirements referred to in subsection 1.

Section 9 Requirements for the identification service provider
A natural person acting as an identification service provider or, where the service provider is a community, the members and alternate members of its Governing Board or Management Board, its Executive Director, the Fund's or any other person treated as such shall meet the following conditions:
1) they must be of legal age;
2) they may not be in bankruptcy; and
3) their legal capacity must not be restricted.
The identification service provider must be reliable. An identification service provider is not considered reliable if a person referred to in subparagraph (1) has, by a final judgment, been sentenced to imprisonment during the last five years, or to a fine during the last three years, for an offence that can be considered to show that the person is manifestly unsuitable to provide an identification service.
Nor is an identification service provider considered reliable if a person referred to in subparagraph (1) has otherwise, through earlier activity, shown themselves to be manifestly unsuitable to act as an identification service provider.

Section 10 Notification obligation of the identification service provider
An identification service provider established in Finland must, before starting its operations, submit a written notification to the Finnish Communications Regulatory Authority. The notification may also be made by a consortium of service providers whose jointly managed service is to be regarded as a single identification service.
The notification shall contain:
1) the name of the service provider;
2) full details of the service provider;
3) details of the services provided;
4) information on the matters referred to in sections 8, 9, 13 and 14; and
5) other information necessary for supervision.
The identification service provider shall notify the Finnish Communications Regulatory Authority in writing, without delay, of any changes to the information referred to in subsection 2. A notification shall also be made when operations are wound up or transferred to another service provider.
The Finnish Communications Regulatory Authority may issue the technical regulations necessary for supervision on the detailed content of the information referred to in this section and on its submission to the Authority.

Section 11 Identification service provider established in another Member State of the European Economic Area
Section 10 does not prevent an identification service provider established in another Member State of the European Economic Area from making the notification referred to in that section.

Section 12 Register of identification service providers
The Finnish Communications Regulatory Authority maintains a public register of the identification service providers that have made a notification in accordance with section 10 and of the identification services they provide.
After receiving the notification referred to in section 10, the Finnish Communications Regulatory Authority shall prohibit a service provider from offering its services as strong electronic identification if the service or the service provider does not meet the requirements laid down in this chapter. If the deficiency can be considered minor, the Authority may request the service provider to correct it within a time limit.

Section 12a (20.2.2015/139) Trust network of identification service providers
When an identification service provider makes the notification provided for in section 10 to the Finnish Communications Regulatory Authority, the service provider is part of the identification trust network.
An identification service provider in the trust network must comply with administrative practices that allow for the interoperability of identification services and of the services provided by the service providers, and must provide interfaces that create the conditions for the operations of the actors involved.
Electronic identification electronic identification device service provider submits the information to the other electronic identification is required, taking special account of the service provider, the information on the identification must be made to the sender. The remuneration for the identification information transmitted may be up to 10 cents. The level of the remuneration is assessed annually.
Identification service providers are responsible, in cooperation with one another, for the interoperability of technical interfaces and for administrative practices.
More detailed provisions on the administrative practices of the trust network, its technical interfaces and administrative responsibilities are laid down by the Council of State.
Section 12a, added by Act 139/15, enters into force on 1.1.2016.

Section 13 General obligations of the identification service provider
The identification service provider shall ensure that the personnel it employs have expertise, experience and competence sufficient for the scale of its operations.
The identification service provider must have financial resources sufficient for the scale of its operations in order to organise the operations and to cover possible liability for damages. It may also take any other necessary measures in the event of liability for possible damage.
In addition, the identification service provider must ensure that its services have the data protection referred to in section 32 of the Personal Data Act, as well as adequate security.
The identification service provider is responsible for the reliability and effectiveness of the services and products of the persons it uses as assistants.

Section 14 Identification principles
The identification service provider must have identification principles that define in more detail how the service provider fulfils its obligations under this Act. In particular, they must define in more detail how the identification service provider carries out the initial identification referred to in section 17.
In addition, the identification principles shall contain the main information on:
1) the service provider;
2) the services provided and their prices;
3) the most important partners of the service provider;
4) the inspections carried out by outside assessment bodies; and
5) other matters relevant to assessing the activities and reliability of the service provider.
If the identification instrument can be used to make electronic signatures or advanced electronic signatures, the identification service provider must provide information on the level at which the method is implemented and on its security.
The identification service provider must keep its identification principles generally available and up to date.

Section 15 Obligation of the identification service provider to provide information before the conclusion of the contract
Before concluding an agreement with an applicant for an identification instrument, the identification service provider shall give the applicant information on:
1) the service provider;
2) the services provided and their prices;
3) the identification principles referred to in;
4) the rights and obligations of the parties;
5) the possible limitations of liability;
6) the procedures for complaints and dispute settlement;
7) any blocks and restrictions on use referred to in section 18; and
8) other possible means of detection for.
The information referred to in subsection 1 shall be given in writing or by electronic means in such a way that the applicant for the identification instrument can store and reproduce it. If, at the applicant's request, the contract is concluded using a means of distance communication such that the information and the terms of the contract cannot be given in the above manner before the contract is concluded, the information shall be provided in that manner without delay after the conclusion of the contract.
Information on the processing of personal data is provided for in the Personal Data Act.

Section 16 Notifications by the identification service provider of threats to or disruptions of data security and data protection
The identification service provider shall, without undue delay, notify the service providers that use its identification service, the holders of identification instruments and the Finnish Communications Regulatory Authority of major threats to, or disruptions of, the security of its service.
If the threat or disruption concerns the data protection referred to in section 32 of the Personal Data Act, the service provider must, in addition to the parties referred to in subsection 1, also notify the Data Protection Ombudsman.
The notification shall also state the measures that the parties have at their disposal to counter the threat or disruption, as well as the estimated costs of those measures.

Section 17 (20.2.2015/139) Identifying the applicant for an identification instrument
If the applicant has no previous strong electronic identification instrument in accordance with this Act, the initial identification must be done in person. If the applicant already holds a strong electronic identification instrument within the meaning of this Act, the identification instrument may be applied for by electronic means.
In an initial identification done in person, the identification service provider must carefully identify the applicant for the identification instrument by verifying their identity from a valid passport or identity card issued by an authority of a Member State of the European Economic Area, Switzerland or San Marino. If it so wishes, the identification service provider may also use in the initial identification a valid licence issued after 1 October 1990 by an authority of a Member State of the European Economic Area, or a valid passport issued by an authority of another State.

If the identity of the applicant for the identification instrument cannot be reliably verified, the police carry out the initial identification relating to the application. The initial identification carried out by the police is a public-law service that is subject to a charge for the applicant. The fee is provided for in the Act on Criteria for Charges Payable to the State.
A strong electronic identification instrument can be used to apply for an electronic identification instrument of the corresponding level. A strong electronic identification service provider that relies on an earlier identification is liable towards the injured party for any incorrectness of that identification.
Section 17 as amended by Act 139/2015 enters into force on 1.1.2016. The previous wording is: Section 17 Initial identification of the applicant for an identification instrument. Initial identification must be done in person. The identification service provider must carefully identify the applicant for the identification instrument by verifying their identity from a valid passport or identity card issued by an authority of a Member State of the European Economic Area, Switzerland or San Marino. If it so wishes, the identification service provider may also use in the initial identification a valid licence issued after 1 October 1990 by an authority of a Member State of the European Economic Area, or a valid passport issued by an authority of another State.
The requirement that initial identification be done in person may be waived if the identification service providers have agreed on the possibility of relying on an initial identification carried out by one another. In that case, the identification instrument may be applied for by electronic means. In their agreement, the identification service providers shall define how liability for any incorrectness of the original initial identification is divided between them. In relation to the injured party, liability lies with the identification service provider that relied on the initial identification carried out by another.
An identification instrument may also be applied for by electronic means if the applicant holds a valid identification instrument issued by the same identification service provider. The initial identification does not have to be done again.
If the identity of the applicant for the identification instrument cannot be reliably verified, the police carry out the initial identification relating to the application. The initial identification carried out by the police is a public-law service that is subject to a charge for the applicant. The fee is provided for in the Act on Criteria for Charges Payable to the State.

Section 18 Restrictions on the use of the identification instrument
The identification service provider, the holder of the identification instrument and the service provider that uses the identification service may agree to block the use of the identification instrument for carrying out legal acts. In addition, restrictions may be set concerning the legal acts, their purpose and the monetary value of the events.
The identification service provider shall ensure that the blocks and restrictions are known to all the parties or can easily be noticed. The identification service provider may also implement blocks or restrictions by technical means. The identification service provider is not liable for legal acts carried out contrary to a block or in breach of a restriction where the service provider has itself acted carefully.
The identification service provider must give the service provider that uses the identification service the opportunity to check the blocks and restrictions relating to an identification instrument 24 hours a day. This obligation does not apply, however, if use of the instrument contrary to the block or restriction has been prevented by technical means.
The service provider that uses the identification service shall check the identification service provider's systems and registers for any blocks or restrictions when the identification instrument is used. The check is not necessary, however, if use of the identification instrument contrary to the block or restriction has been prevented by technical means.

Section 19 Contents of the certificate
If the identification method is based on a certificate, the certificate shall contain at least:
1) to the user if a computer;
2) the holder of the certificate;
3) the unique identifier of the subject;
4) the validity period of the certificate;
5) the unique identifier of the certificate;
6) any blocks and restrictions on the use of the certificate;
7) the public key of the certificate holder and information on the purpose for which it is intended; and
8) the advanced electronic signature of the certification authority.
For its part, the certification service provider shall ensure that the service provider that uses the identification service has access to the content of the certificate where this is necessary to carry out the identification.

Section 20 Issuing an identification instrument
The issuing of an identification instrument is based on an agreement between the applicant for the identification instrument and the identification service provider. The agreement shall be made in writing. The agreement may also be made by electronic means, provided that its content cannot be unilaterally changed and that it remains available to the parties. The identification service provider shall treat its customers and the applicants for identification instruments equally and without discrimination when concluding agreements.
The agreement may be valid for an indefinite period or for a fixed period. The identification instrument may have its own period of validity that is shorter than the period of validity of the agreement.
An identification instrument is always issued to a natural person. The identification instrument must be personal. Where appropriate, the identification instrument may carry an indication that the person can also represent another natural or legal person.

Section 21 Handing over the identification instrument to the applicant
The identification service provider shall hand the identification instrument over to the applicant as agreed in the contract. The identification service provider shall adequately ensure that, when the instrument is handed over, it does not unlawfully come into another person's possession.

Section 22 Renewal of the identification instrument
The identification service provider may deliver a new identification instrument to the holder without an express request only if the earlier identification instrument must be replaced with a new one. The provisions of section 21 apply to the handing over in this case.

Section 23 Obligations of the holder of the identification instrument
The holder of an identification instrument shall use the instrument in accordance with the conditions set out in the agreement. The holder must keep the identification instrument carefully. The identification of the holder of a duty of care to ensure the instrument begins, when he is the holder of the identification of the instrument requested. shall be made available, the use of the instrument in another.

Section 24 Storage and use of data on identification events and identification instruments
The identification service provider must store:
1) the information needed to carry out and verify an individual identification event and electronic signature;
2) the information and the document used in the initial identification of the applicant as required in section 17;
3) the information on any blocks and restrictions on use referred to in section 18; and
4) where a certificate is concerned, the data content of the certificate referred to in section 19.
The information referred to in subsection 1, paragraph 1 shall be kept for five years from the identification event, and the information referred to in paragraphs 2 to 4 for five years from the end of the customer relationship between the identification service provider and the holder of the identification instrument.
Personal data generated in connection with an identification event shall be disposed of after the event, unless keeping them is necessary to verify an individual identification event.
The identification service provider may process the stored data only in order to implement and maintain the service, for billing purposes, to safeguard its own rights in a dispute, and at the request of the service provider that uses the identification service or of the holder of the identification instrument. The identification service provider must record the date of the processing, the reason for it and the person who carried it out.
Subsection 1, paragraph 1 and subsection 3 do not apply to a service provider that only issues identification instruments. In such cases, the five-year storage period referred to in subsection 2 is calculated from the end of the period of validity of the identification instrument.

Section 25 Notice concerning an identification instrument and prevention of its use
The holder of an identification instrument shall notify the identification service provider, or another party designated by it, of the loss of the identification instrument, of its coming into another person's possession without authorisation, or of its unauthorised use, without undue delay after noticing this.
The identification service provider must offer the possibility of making the notification referred to in subsection 1 at any time. Upon receiving the notification, the identification service provider shall immediately cancel the identification instrument or prevent its use.
The identification service provider shall record in its system, properly and without delay, the time of the cancellation or of the prevention of use. On request, the holder of the identification instrument is entitled to receive a certificate stating that they have made the notification referred to in subsection 1. The certificate must be requested within 18 months of the notification.
The system shall be such that a service provider that uses the identification service can easily check the information in it 24 hours a day. The obligation to arrange for this check does not apply, however, if use of the identification instrument can be technically blocked or the instrument can be closed.
The service provider that uses the identification service shall check the identification service provider's systems and registers for cancellations and restrictions on use when the identification instrument is used. The check is not necessary, however, if use of the identification instrument can be technically blocked or the instrument can be closed.

If the authentication service is based on the certificate and CRL information relating to the certificates shall be cancelled, the certification-service-provider may also store information on the validity of the certificate revocation list. Alternatively, you can store the CA CRL.

section 26 Right of the identification service provider to cancel or block an identification instrument
In addition to what article 25 provides, the identification service provider may cancel the identification instrument or prevent its use, if:
1) the service provider has reason to believe that someone other than the person to whom the identification instrument was issued is using it;
2) the identification instrument contains an obvious error;
3) the service provider has reason to believe that the safety of the use of the identification instrument has been compromised;
4) the holder of the identification instrument uses the instrument in a manner fundamentally contrary to the terms of the contract; or
5) the holder of the identification instrument is dead.
The identification service provider must inform the holder of the instrument as soon as possible of the withdrawal of the identification instrument or the blocking of its use, of the date of the withdrawal or blocking, and of the reasons for it.
The identification service provider must restore to the holder the possibility of using the identification instrument, or provide the holder with a new instrument, immediately once the reason referred to in paragraphs 2 and 3 no longer exists.

section 27 Limitation of the liability of the holder of an identification instrument for its unauthorized use
The holder of an identification instrument is responsible for the unauthorized use of the identification instrument only if:
1) he has handed over the identification instrument to another;
2) the loss of the identification instrument, its falling unlawfully into another's possession, or its unauthorized use is due to his negligence, which is not slight; or
3) he has neglected to inform the identification service provider, or another body designated by it, of the loss of the identification instrument, its falling unlawfully into another's possession, or its unauthorized use, without undue delay after discovering it.
The holder of the identification instrument is not, however, responsible for the unauthorized use of the identification instrument:
1) to the extent that the identification instrument has been used after he notified the identification service provider of the loss of the identification instrument, its falling unlawfully into another's possession, or its unauthorized use;
2) if the holder of the identification instrument has not been able to give notice of the loss of the instrument, its falling unlawfully into another's possession, or its unauthorized use without undue delay after discovering it, because the identification service provider has not fulfilled its obligation under Article 25, subsection 2, to ensure that the holder of the identification instrument can make the declaration at any time; or
3) the service provider using the identification service has not fulfilled its obligation under section 18 or subsection 5 of article 25 to check for a restriction on the use of the identification instrument or for information on the blocking of its use.
Chapter 4 Electronic signatures
section 28 Secure signature-creation tool
A secure signature-creation tool must ensure with sufficient reliability that:
1) the signature-creation data are practically unique and remain confidential;
2) the signature-creation data cannot be inferred from other data;
3) the signature is protected against falsification;
4) the signatory can protect the signature-creation data against use by others; as well as
5) the creation tool does not alter the data to be signed and does not prevent the data from being presented to the signatory prior to signing.
A signature-creation tool shall always be deemed to satisfy the requirements laid down in paragraph 1, if:
1) it complies with generally recognised standards established by the Commission of the European Communities and published in the Official Journal of the European Union; or
2) it has been assessed as meeting the requirements by a designated inspection body located in Finland or in another State belonging to the European Economic Area.

section 29 Inspection bodies
The CRA may designate inspection bodies which are responsible for assessing whether a signature-creation tool complies with the requirements laid down in § 28, paragraph 1. Inspection bodies can be private or public institutions.
The designation is subject to the condition that:
1) the inspection body is functionally and financially independent;
2) its operation is reliable, appropriate and non-discriminatory;
3) it has adequate financial resources to organise its activities appropriately and to cover potential liability;
4) it has at its disposal sufficient qualified and impartial staff; as well as
5) it has at its disposal the facilities and equipment necessary for its operation.
The Communications Agency designates inspection bodies on the basis of an application. The application shall contain the applicant's contact details and a commercial register extract or equivalent report and, in addition, an account of the applicant's fulfilment of the conditions referred to in paragraph 2. The Communications Agency shall, if necessary, issue instructions on the information to be included in the application and on its submission to the Communications Agency.
The CRA monitors the activities of inspection bodies. If an inspection body does not meet the requirements laid down or does not act in accordance with the law, the Communications Agency shall withdraw the designation decision. The inspection body shall inform the Communications Agency of changes in its activities that affect the conditions for its designation.
The inspection body may be assisted by people outside of the establishment of the assessment task. The body is also aided by the use of the work of individuals.

section 30 Quality certificate
Quality certificate means a certificate which meets the requirements laid down in paragraph 2 and which is issued by a CA that meets the requirements provided for in §§ 33–38.
The quality certificate shall include:
1) an indication that the certificate is a quality certificate;
2) information on the CA and its state of establishment;
3) the name of the signatory, or a pseudonym from which it is apparent that it is a pseudonym;
4) signature-verification data which correspond to the signature-creation data under the control of the signatory;
5) the period of validity of the certificate;
6) the unique identifier of the quality certificate;
7) the advanced electronic signature of the CA;
8) any restrictions on the use of the quality certificate; as well as
9) specific information relating to the signatory, if it is necessary for the purpose for which the certificate is used.
If a CA providing quality certificates provides the identification service referred to in Chapter 3, the quality certificate shall be deemed to also satisfy the requirements for the information content of a certificate referred to in subparagraph (1) of section 19.

section 31, as the quality of the offered by the CA certificate in Finland, a certificate provided by the CA as a quality certificate in Finland shall be deemed to comply with the requirements of the quality certificate provided for in this Act, if:
1) the CA is established in a State belonging to the European Economic Area, and the certificate meets the requirements set for a quality certificate in the State of establishment;
2) the CA has joined a voluntary accreditation scheme in a State belonging to the European Economic Area and meets the requirements laid down in that State's national law to give effect to Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures, hereinafter referred to as the electronic signature directive;
3) the certificate is guaranteed by a CA which is established in a State belonging to the European Economic Area and meets the national requirements laid down in that State to give effect to the electronic signature directive; or
4) the certificate or the CA is recognised under a bilateral or multilateral agreement between the European Community and one or more third countries or international organisations.
Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures has been repealed as of 1.7.2016; see Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

Article 32 Declaration of a CA providing quality certificates
A CA providing quality certificates shall make a written declaration to the Communications Agency before starting operations. The notification shall contain the name and contact information of the CA, as well as the information on the basis of which compliance with the requirements set out in articles 30 and 33–38 can be verified. The CRA can issue more detailed provisions on the content of the information to be provided and on its delivery to the Communications Agency.
After receiving the notification, the Communications Agency shall without delay prohibit the CA from offering its certificates as quality certificates if the certificate does not meet the requirements of section 30, subsection 2, or the CA does not meet the requirements laid down in articles 33–38.
If the information referred to in subparagraph (1) changes, the CA shall inform the Communications Agency of the changes in writing without delay.
The CRA keeps a public register of CAs providing quality certificates.
A CA providing quality certificates can also make the declaration referred to in article 10, if it wants to provide quality certificates in addition to the identification service.

section 33 General obligations of the CA providing quality certificates

The CA must have the technical skills and financial resources necessary for the scale of its operations. The CA is responsible for all areas of its certification activity, including the reliability and performance of the services and products of any persons it uses to assist it.
The CA shall:
1) ensure that its staff have sufficient knowledge, experience and qualifications;
2) have adequate financial resources for organising its activities and for covering potential liability;
3) keep publicly available the information on the certificate and on the CA's activity on the basis of which the CA's operation and reliability can be assessed; as well as
4) secure the confidentiality of the signature-creation data when the CA itself produces the data.
The CA shall not store or copy signature-creation data released to the signer.

section 34 Reliable hardware and software
A CA providing quality certificates shall ensure that the systems, hardware and software it uses are sufficiently secure and reliable and are protected against modification and counterfeiting.
Hardware or software related to electronic signatures shall always be deemed to comply with the requirements set out in subparagraph (1) if it complies with generally recognised standards laid down by the Commission of the European Communities and published in the Official Journal of the European Union.

section 35 Putting a quality certificate into circulation
A CA providing quality certificates must carefully and reliably verify the identity of the applicant for a quality certificate, as well as other information relating to the applicant's person that is necessary for putting the quality certificate into circulation and maintaining it. A CA providing quality certificates must identify the applicant in person. The CA must treat its customers and applicants for quality certificates equally and without discrimination when concluding contracts.
Before concluding a contract, a CA providing quality certificates must give the applicant for a quality certificate information on the conditions of use of the quality certificate, including any restrictions on use, on voluntary accreditation schemes and certification authorities, and on procedures for complaints and dispute settlement. The information must be given to the applicant in writing, in a form that the applicant can easily understand.

section 36 Withdrawal of a quality certificate
The signatory shall without delay request the CA that issued the quality certificate to withdraw it if he has reasonable grounds to suspect unauthorized use of the signature-creation data.
A CA providing quality certificates shall promptly withdraw a quality certificate if so requested by the signatory. The request to withdraw a quality certificate shall be deemed to have reached the CA when it has been available to the CA in such a way that the request can be processed.
A quality certificate may also be withdrawn if there are other special reasons for this. The signatory shall always be notified of the withdrawal of the quality certificate and of the date of withdrawal.

section 37 Registers maintained by a CA providing quality certificates
A CA providing quality certificates must maintain a register of the quality certificates it has issued (certificate register). The register must contain:
1) the contents of the quality certificate as defined in paragraph 2 of section 30;
2) the information relating to the person of the applicant referred to in article 35 (1), including information on the procedure used to identify the applicant when the quality certificate was put into circulation and the necessary identifying information of any document used for identification; as well as
3) the information referred to in section 39 on checks of the validity of the certificate against the revocation list, if the CA providing quality certificates stores it in accordance with section 39.
A CA providing quality certificates must ensure that the contents of the certificate specified in section 30 are available to a party relying on an advanced electronic signature certified by a quality certificate. The information referred to in point 3 of paragraph 1 need not be stored in the certificate register if the CA ensures in some other way that a party relying on the certificate is able to present reliable evidence that the CRL was properly checked.
The CA must also maintain, and keep available to parties relying on quality certificates, a register of cancelled quality certificates (CRL). The withdrawal of a quality certificate and the exact date of the withdrawal must be recorded in the CRL without delay.
The information referred to in paragraphs 2 and 3 shall be available on a 24 x 7 basis.

section 38 Preservation of the information in the certificate register
A CA providing quality certificates must preserve the information in the certificate register in a reliable and effective way for a period of 10 years from the end of the period of validity of the certificate.
If a CA providing quality certificates also offers a strong electronic identification service, it may, notwithstanding the provisions of article 24, keep all the information in the manner referred to in subparagraph (1).

section 39 Certificate validity on the revision of the information in the quality of the certificates, the CA shall store the data for the review of the validity of the certificate revocation list. The use of the certificates that are stored in the data may be used only for billing or a certificate of qualified electronic signature with legal action.

section 40 Responsibility for the unauthorized use of signature-creation data
The signatory is responsible for damage caused by the unauthorized use of the creation data of an advanced electronic signature certified by a quality certificate until the request to revoke the certificate has reached the CA as provided for in article 36 (2).
A consumer, however, bears the responsibility provided for in paragraph 1 only if:
1) he has handed over the creation data to another;
2) the creation data falling into the hands of a person not entitled to use them is due to his negligence, which is not slight; or
3) having lost control of the creation data in a manner other than that referred to in paragraph 2, he has failed to request the withdrawal of the quality certificate as provided for in subparagraph (1) of section 36.

article 41 Liability of the CA providing quality certificates
A CA providing quality certificates is responsible for damage caused to a person who relied on a quality certificate by the fact that:
1) the information in the quality certificate was incorrect at the time the certificate was granted;
2) the quality certificate does not contain the information referred to in section 30, paragraph 2;
3 as described in the certificate in the certificate of the quality person) at the time of issue have been in possession of the signature-verification data given or identified in the certificate matching the signature-creation data;
4) the signature-creation device and the authentication data created by the CA, or by a person it uses to assist it, are not compatible; or
5) the CA, or a person it uses to assist it, has not cancelled the quality certificate as provided for in article 36.
The CA is released from the liability provided for in subparagraph (1) if it shows that the damage was not caused by its own negligence or by the negligence of a person it uses to assist it.
The CA shall not be liable for damage arising from use of the quality certificate contrary to a restriction on use included in it.
In other respects, the liability of a CA offering quality certificates to the public is governed by the damages Act (412/1974).
The provisions of this article shall also apply to a certification authority that guarantees to the public that a certificate is a quality certificate.
Chapter 5 Regulatory supervision
article 42 General guidance and supervision
The general guidance and development of strong electronic identification and electronic signatures belong to the Ministry of transport and communications.
The Communications Agency's role is to monitor compliance with this Act, with the exception of section 1. The CRA will, if appropriate, issue technical provisions on the reliability and information security requirements for the operations of identification service providers and of CAs providing quality certificates.
The data protection officer shall monitor compliance with the provisions of this law concerning personal data.

Article 43 Right of access
The Communications Agency shall have the right, notwithstanding the provisions on secrecy, to obtain from identification service providers, from CAs providing quality certificates, from the inspection bodies referred to in article 29, and from persons assisting them the information necessary to carry out the tasks laid down in article 42.
The data protection officer must undertake their mission in conformity with the rights of access referred to in the personal data Act.

Article 44 Cooperation between authorities and the right to disclose information
In addition to what the Act on the openness of government activities (621/1999) provides, the Communications Agency and the data protection supervisor shall have the right, notwithstanding the provisions on secrecy, to disclose to Financial supervision the information that is necessary for the performance of its tasks. Financial supervision has the equivalent right, notwithstanding the provisions on secrecy, to disclose to the Communications Agency and the data protection officer the information that is necessary in order to carry out the tasks laid down in this law.
The Communications Agency and the data protection officer shall, in discharging their responsibilities under this law, cooperate appropriately with Financial supervision and, if necessary, with the competition and consumer authority, as well as with each other. (30 November 2012/664)
article 45 Administrative coercive measures


If someone violates this law or provisions adopted pursuant thereto, the CRA may require them to correct the error or omission. The decision may be reinforced with the threat of a fine, the threat that the activity will be suspended in whole or in part, or the threat that the neglected action will be carried out at the expense of the party concerned. The threat of a fine, the threat of suspension and the threat of having the action carried out at the party's expense are provided for by law (1113/1990).
The costs of an action carried out in this way are paid from State funds and recovered from the defaulting party in the order laid down in the law on the implementation of taxes and charges (706/2007).

Article 46 Right of inspection
The Communications Agency shall have the right to inspect an identification service provider and the service it provides, an inspection body referred to in article 29 and its activities, or a CA providing quality certificates and the service it provides, if it has reason to suspect that they are fundamentally in breach of the provisions of this law or of provisions adopted pursuant thereto.
Every year the CRA carries out an inspection of CAs providing quality certificates and of the service they provide.
The CRA appoints an inspector to carry out the inspection referred to in paragraph 1 or 2. The inspector shall have the right to examine the hardware and software of the identification service provider, of the CA providing quality certificates, or of persons assisting them, insofar as they may be relevant to supervising compliance with this law or with provisions laid down in accordance with it.
Identification service providers, CAs providing quality certificates, and persons assisting them must give the inspector referred to in sub-section 3 access for the inspection to their manufacturing, commercial and storage areas, other than premises covered by domestic peace.
The Communications Agency shall have the right to obtain the assistance of the police in order to carry out the inspection referred to in this article.
The data protection officer is carrying out the inspection referred to in the personal data Act.

section 47 Fees payable to the Communications Agency
An identification service provider that has made the declaration referred to in article 10, or an association of identification service providers that has made the declaration, shall pay the Communications Agency a registration fee of EUR 5 000. In addition, the identification service provider or the association shall pay the Communications Agency each year a control fee of EUR 12 000.
A CA providing quality certificates that has made the declaration referred to in article 32 shall pay the Communications Agency a registration fee of EUR 5 000. In addition, the CA providing quality certificates shall pay the Communications Agency each year a control fee of EUR 40 000. If the CA providing quality certificates also makes the declaration referred to in article 10, it is required to pay the registration fee referred to in subparagraph (1).
An inspection body designated in accordance with article 29 shall pay the Communications Agency a designation fee of EUR 10 000. In addition, the inspection body must pay the Communications Agency each year a control fee of EUR 15 000 or more.
The registration fee, the designation fee and the control fee correspond to the costs incurred by the Communications Agency in performing the duties provided for by this law, with the exception of the tasks referred to in section 46, paragraph 1. The control fee must be paid in full for the first year of operation, even if operations begin during the year. The control fee will not be refunded, even if the service provider ceases its activities during the year.
The Communications Agency orders the payment of the registration fee, the designation fee and the control fee. The Communications Agency's payment decision may be appealed as provided for in subparagraph (1) of section 49. More detailed provisions on the implementation of the payments may be provided by regulation of the Ministry of transport and communications.
The registration fee, the designation fee and the control fee will be collected without a judgment or decision in the order laid down in the law on the implementation of taxes and fees. If the required fees are not paid by the due date, annual interest is charged on the unpaid amount in accordance with the Act (633/1982), at the interest rate referred to in paragraph 1. Instead of interest, the authority may charge a finance charge of five, if the amount of the interest remains lower than this.
If the action will have to be a service provider under section 46, the fee for the costs incurred by the service provider for the audit of the identification as the basis for payment of the State is required by law.
Chapter 6 Miscellaneous provisions
article 48 Penalty provisions
The punishment for a register offence is provided for in the Criminal Code (39/1889), Chapter 9, section 38, and for a register breach in section 48 of the personal data Act.

section 49 (7.8.2015/997) Appeal
A decision of the Communications Agency may be appealed to the Administrative Court as provided in the administrative act (586/1996).
A decision of the Administrative Court concerning the withdrawal of the designation of an inspection body may be appealed as provided in the administrative act. Other decisions may be appealed only if the Supreme Administrative Court grants leave to appeal.
The CRA may, in its decision, direct that the decision must be complied with before it is final. The appeal authority may, however, prohibit the enforcement of the decision until the appeal is resolved.
Appeals against decisions of the data protection supervisor are provided for in the personal data Act.
Section 49 was amended by Act 997/2015, which entered into force on 1.1.2016. The previous wording:
article 49 Appeal
An appeal against a decision of the Communications Agency under this law is provided for in the administrative act (586/1996).
The CRA may, in its decision, direct that the decision must be complied with before it is final. The appeal authority may, however, prohibit the enforcement of the decision until the appeal is resolved.
Appeals against decisions of the data protection supervisor are provided for in the personal data Act.
Chapter 7 Entry into force
section 50 Date of entry into force
This law shall enter into force on 1 September 2009.
This Act repeals the law of 24 January 2003 on electronic signatures (13/2003). Provisions issued by the Communications Agency under the repealed law, however, remain valid until new provisions are adopted under this Act.
Measures for the implementation of the law may be taken before its entry into force.

section 51 Transitional provision
An identification service provider must make the declaration referred to in article 10 to the Communications Agency within six months of the entry into force of the law. During the strong electronic identification as a service and the provider of the service is considered an identification section 1 which fall within the scope of the electronic detection service and electronic identification: a service provider who fulfils the obligations of section 1, and the definitions referred to in paragraph 4.
Identification instruments put into circulation before the entry into force of this law, or within the transitional period referred to in subparagraph (1), are considered strong electronic identification instruments if the service provider makes the declaration referred to in article 10 within the time limit referred to in subparagraph (1). The identification service and the identification service provider must meet all the requirements laid down for them in this law, with the exception of the requirements set out in section 17 of the Act.
If service providers have concluded the contract referred to in article 17 (2) on the possibility of relying on an initial identification made by each other, and the service provider that put into circulation the identification instruments used in the initial identification has not made the declaration provided for in article 10 within the time referred to in subparagraph 1, the initial identification for the identification instruments put into circulation in this way must be carried out as referred to in article 17 without delay.
A CA providing quality certificates that has made the notification under section 9, subsection 1 of the electronic signatures Act and has operated without interruption until the entry into force of this law does not need to make a new notification in accordance with section 32. A CA providing quality certificates may give the Communications Agency free-form written notice of the continuation of its activities. A CA providing quality certificates at the time of entry into force of this Act is required to pay the certificate fee referred to in article 12 of the regulation of the Ministry of transport and communications on certain fees of the Communications Agency (1175/2005) until 31 December 2009, irrespective of the date of the free-form written notification.
THEY'RE 36/2009, Kouba 12/2009 2009 acts, EV 90
Entry into force and application in time:
30 November 2012/664: This law shall enter into force on 1 January 2013.
THEY TaVM 9/108/2012, 2012, EV 98/2012
20.2.2015/139: This law shall enter into force on 1 January 2016. Article 12 (a) shall apply only from 1 May 2017.
THEY 272/2014, Kouba 33/2014, EV 257/2014
7.8.2015/997: This law shall enter into force on 1 January 2016.
Appeals against administrative decisions made before the entry into force of this law are subject to the provisions in force on the date of entry into force of this law.
THEY'RE 230/26/2014 2014, LaVM, EV 319/2014
