Law on Strong Electronic Identification and Electronic Signatures

Original Language Title: Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä allekirjoituksista


Law on strong electronic identification and electronic signatures


In accordance with the decision of the Parliament:

Chapter 1

General provisions

ARTICLE 1
Scope

This law provides for strong electronic identification and electronic signatures and for the provision of related services to service providers and to the public.

The law shall not apply to the provision of services used for internal Community identification or for the provision of services for electronic signatures within the Community.

Nor shall the law apply if the entity uses its own identification method to identify its own customers in its own services.

The law shall not apply to the manufacture, import or sale of identification or electronic signatures.

ARTICLE 2
Definitions

For the purposes of this law:

(1) Strong electronic identification: the authentication of a person and verification of the authenticity and accuracy of the identity using an electronic method, based on at least two of the following three options:

(a) a password or something else that the holder of the identification instrument knows;

(b) a chip card or something else that the holder of the identification instrument possesses; or

(c) a fingerprint or another characteristic of the holder of the identification instrument;

(2) Identification instrument: objects and unique characteristics or features which together form the identifiers, identification tools and instruments needed for strong electronic identification;

(3) Identification method: a set of instruments which together constitute an identification tool and the system necessary for the implementation of a single strong electronic identification operation;

(4) Identification service provider: a service provider providing a strong electronic identification service to service providers using it, or issuing identification instruments to the public, or both;

(5) Holder of the identification instrument: the natural person to whom the identification service provider has issued an identification instrument;

(6) First identification: verification of the identity of the applicant for an identification instrument in connection with the acquisition of the instrument;

(7) Certificate: an electronic certificate that verifies identity, or verifies identity and links the signature verification data to the signatory, and which may be used for electronic identification and for electronic signature;

(8) Validator: a natural or legal person providing certificates to the public;

(9) Electronic signature: electronic information which is connected or logically related to other electronic information and which is used as a means of verifying the identity of the signatory;

(10) Advanced electronic signature: an electronic signature which:

(a) is clearly linked to its signatory;

(b) makes it possible to identify the signatory;

(c) has been created by a method which the signatory may keep under its exclusive control; and

(d) is connected to other electronic data in such a way that any changes to the information can be detected;

(11) Signature creation data: the unique set of data, such as codes and private keys, used by the signatory to create the electronic signature;

(12) Signature creation instrument: software and equipment which, together with the signature creation data, create an electronic signature; (20,2015/139)

Under Act 139/2015, the amended paragraph 12 shall enter into force on 1 January 2016. The previous wording reads:

(12) Signature creation instrument: software and equipment used to create an electronic signature together with the signature creation data; and

(13) Signature verification data: a data set for the authentication of electronic signatures, such as codes and public keys; (20,2015/139)

Under Act 139/2015, the amended paragraph 13 shall enter into force on 1 January 2016. The previous wording reads:

(13) Signature verification data: a data set for the authentication of electronic signatures, such as codes and public keys.

(14) Trust network: the network of identification service providers notified to the Communications Office. (20,2015/139)

Under Act 139/2015, paragraph 14 shall enter into force on 1 January 2016.

Chapter 2

Legal effects and processing of personal data

ARTICLE 3
Mandatory

A contractual clause derogating from the provisions of this Act to the detriment of the consumer shall be null and void, unless otherwise specified below.

§ 4
Electronic signatures on the identification instruments

Identification tools may be used for electronic signatures and advanced electronic signatures, depending on their characteristics, unless otherwise provided for in other law or Article 18.

§ 5
Adoption of a legal action

The identification instrument may be used for the adoption of a legal act, unless otherwise provided for in any other law or Article 18.

Where a legal act is required by law to be signed, the requirement is fulfilled at least by an advanced electronic signature based on a quality certificate and created by a secure signature instrument. However, an electronic signature should not be refused legal effect solely because it has been created in some other manner.

The use of electronic signatures in the administration is regulated separately.

ARTICLE 6
Processing of personal data

The identity of the identity of the identity document may be processed by the identity of the identity of the identity of the identity of the identity of the identity of the person concerned in the calculation of the identity of the identity instrument. (523/1999) On the grounds referred to in paragraphs 1 and 2. The provider of electronic signatures shall, on the same grounds, process personal data required for the certification and maintenance of a certificate. In addition, for the purposes of this purpose, the identity of the person providing the identification and electronic signatures shall be able to collect personal data from the person himself.

For the purposes referred to in paragraph 1, personal data may be processed only on the grounds referred to in Article 8 (1) (1) of the Personal Data Act.

When checking the identity of the applicant, the identity service provider and the validator providing electronic signatures shall require the applicant to indicate the identity of the applicant. The identity number shall be processed by the identification service provider and the electronic signature certifier in its records for the purposes referred to in paragraph 1. The identification number shall be included in the identification instrument or certificate if the information content of the instrument or certificate is only available to the entity to which it is necessary for the performance of the service. Personal identification shall not be available from the public directory. (20,2015/139)

Under Act 139/2015, the amended paragraph 3 will enter into force on 1 January 2016. The previous wording reads:

When checking the identity of the applicant, the identity of the person providing the identification and electronic signatures may require the applicant to indicate the identity of the applicant. The identity number shall be processed by the identification service provider and the electronic signature certifier in its records for the purposes referred to in paragraph 1. The identification number shall be included in the identification instrument or certificate if the information content of the instrument or certificate is only available to the entity to which it is necessary for the performance of the service. Personal identification shall not be available from the public directory.

Other aspects of the processing of personal data are laid down in Articles 19, 24, 30, 37 and 38 and in the Personal Data Act.

§ 7 (20,2015/139)
Use of the Population Information System data

The identification service provider and the validator providing electronic signatures shall obtain and update the information necessary for the purpose of providing the identification service from the population information system. In addition, the identification service provider shall ensure that the information needed to provide its identification service is up to date with the information on the population information system.

The information to be disclosed by the demographic information system is a public law. The payment of the charge is governed by the State payment law (150/1992) .

Under Act 139/2015, the amended Article 7 shall enter into force on 1 January 2016. The previous wording reads:

§ 7
Use of data stored in the Population Information System

For the purposes referred to in Article 8 (1) (1) and (2) of the Personal Data Act, and for the purposes referred to in Article 6 (1) of this Law, the provider of an identification service and the certifier providing electronic signatures shall obtain personal data and verify: The personal data provided by the applicant or the holder on the population information system.

The information to be disclosed by the demographic information system is a public law. The payment of the charge is governed by the State payment law (150/1992) .

Chapter 3

Strong electronic identification

§ 8
Requirements for the identification method

The identification method shall meet the following requirements:

(1) the method is based on Article 17, on the basis of which the information is subsequently verified in accordance with Article 24;

(2) the method may unequivocally identify the holder of the identification instrument;

(3) the method can provide sufficient reliability to ensure that only the holder of the identification instrument can use the instrument; and

(4) the method is sufficiently secure and reliable, taking into account the security threats associated with the available technology.

Paragraph 1 shall not preclude the provision of a service by service, in such a way that the identity of the person providing the identification service is notified by the identification service provider to the identity of the holder of the identification instrument, or only a limited number of Personal data.

The Agency may provide more detailed technical provisions for the requirements referred to in paragraph 1.

§ 9
Requirements for the provider of the identification service

A natural person acting as a service provider or a natural person acting on behalf of it, a provider of a Community service provider or a board of directors and alternate members and alternates of the Board of Supervisors, the Executive Director, the responsible partner or any other In a comparable situation, the following conditions must be met:

(1) they must be of age;

(2) they must not be bankrupt; and

(3) their eligibility shall not be limited.

The identification service provider must be reliable. The provider of an identification service shall not be regarded as reliable if the person referred to in paragraph 1 has been sentenced by a final judgment in the last five years to imprisonment, or in the last three years to a fine, for an offence which may be considered to indicate that the person is manifestly unfit to provide the identification service.

Furthermore, the provider of an identification service shall not be regarded as reliable if the person referred to in paragraph 1 has otherwise demonstrated that he is manifestly unfit for the identity of the identity service.

ARTICLE 10
The obligation for the identification service provider to notify the initiation of operations

Before the commencement of the operation, the Finnish-based identification service provider shall submit a written notification to the Communications Office. The notification may also be made by a consortium of service providers whose service is to be regarded as a single identification service.

The notification shall include:

(1) the name of the provider;

(2) full contact details of the provider;

(3) information on the services provided;

(4) information on the matters referred to in Articles 8, 9, 13 and 14; and

(5) other information necessary for control purposes.

The identification service provider shall immediately inform the Communications Office in writing of any changes to the information referred to in paragraph 2. The notification shall also be made for the cessation of activities and the transfer of activities to another service provider.

The Agency may issue the technical provisions necessary for monitoring activities in the light of the exact content of the information to be notified under this Article and the transmission of them to the Communications Agency.

ARTICLE 11
Identification service provider established in a Member State of the European Economic Area

The provisions of Article 10 shall not preclude the notification provided for in that Article by the identity service provider established in the European Economic Area.

ARTICLE 12
Register of identification service providers

The Agency shall maintain a public register of the identity of the identification service providers and the services they provide in accordance with Article 10.

Upon receipt of the notification referred to in Article 10, the Agency shall prohibit the service provider from offering its services as a strong electronic identifier where the service or service provider fails to meet the requirements set out in this Chapter. If the deficiency can only be considered to be low, the Agency may call on the service provider to correct the deficiency within the time limit.

Article 12a (20,2015/139)
Network of identification service providers

When the identification service provider makes a notification under Article 10 to the Communications Office, the identification service provider is part of a trust network.

An identification service provider in the trust network shall comply with administrative practices that enable the interoperability of services between operators providing identification services and those using them, and shall offer technical interfaces which create the conditions for action between operators providing identification services and those who make use of them.

When the provider of an electronic identification service sends information relating to the electronic identification instrument to another provider of electronic identification, the information to be transmitted shall be paid to the sender. The compensation to be recovered from the information to be transmitted shall not exceed 10 cents. The level of compensation will be assessed annually.

The identification service providers shall cooperate on the interoperability of technical interfaces and administrative practices.

More detailed provisions on the administrative practices, technical boundaries and administrative responsibilities of the network of trust will be laid down by the Government Decree.

Under Act 139/2015, Article 12a will enter into force on 1 January 2016.

ARTICLE 13
General obligations of the identification service provider

The identification service provider shall ensure that its staff has sufficient expertise, experience and competence in relation to the scale of the activities carried out.

The provider of the identification service shall have sufficient financial resources to organise the operation and to cover any liability for damages. The service provider may also take other necessary measures in case of liability for damages.

The identification service provider shall also provide for the protection of the data referred to in Article 32 of the Personal Data Act in its services and for adequate information security.

The identification service provider shall be responsible for the reliability and effectiveness of the services and products produced by the persons they use.

ARTICLE 14
Identification principles

The provider of the identification service shall have an identification code specifying in more detail how the provider fulfils the obligations laid down in this Act. In particular, it shall be specified how the identity of the identification service is carried out by the identification service provider as referred to in Article 17.

In addition, the identification principles shall include key information:

(1) the service provider;

(2) the services to be provided and their prices;

(3) the principal partners of the service provider;

(4) inspections carried out by external assessment bodies; and

(5) other relevant factors enabling the performance and reliability of the service provider to be assessed.

Where electronic signatures or advanced electronic signatures can be made by means of identification, the identification service provider shall also provide information on the method, level and safety features of the identification.

The identification service provider shall keep the identification principles publicly available and up-to-date.

§ 15
Disclosure of the identity of the identity service provider before concluding the contract

Before concluding an agreement with the applicant for identification, the identification service provider shall provide the applicant with:

(1) the service provider;

(2) the services and prices to be provided;

(3) the identification principles referred to in Article 14;

(4) rights and obligations of the parties;

(5) any restrictions on liability;

(6) appeal and dispute settlement procedures;

(7) any of the prohibitions and restrictions referred to in Article 18; and

(8) other possible conditions of use of the identification instrument.

The information referred to in paragraph 1 shall be provided in writing or by electronic means so that the applicant for the identification instrument can record and duplicate them unchanged. If, at the request of the applicant for an identification instrument, the contract is concluded by means of distance communication, that the information and the terms of the contract cannot be given prior to the conclusion of the contract, the information shall be provided without delay in accordance with After the conclusion.

The obligation to provide information on the processing of personal data is laid down in the Personal Data Act.

ARTICLE 16
The obligation for the identity service provider to notify data security and threats or disturbances on the protection of data

The identification service provider shall report any significant threats or disruptions to the information security of the service, without undue delay, to service providers using the identification service, the holders of identification instruments and the Agency.

In the event of a threat or disruption to the protection of the data referred to in Article 32 of the Personal Data Act, the identification service provider shall inform not only the entities referred to in paragraph 1 but also the Data Protection Supervisor.

At the same time, the notification shall include information on the activities available to the various bodies to combat threats or disturbances and the estimated costs of these measures.

§ 17 (20,2015/139)
Identification of the applicant for identification

If the applicant does not have an earlier strong electronic identification instrument in accordance with this law, the first identifier shall be made in person. If the applicant already has a strong electronic identification tool, the identification instrument referred to in this Act may be applied electronically.

In the case of a personal first award, the identification service provider shall identify the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the Member State of the European Economic Area, Switzerland or San Marino. The passport or identity card issued by the authority. If they wish, the identification service provider may also use a valid driving licence issued by an authority of a Member State of the European Economic Area after 1 October 1990, or a valid driving licence issued by another State authority The passport.

If the identity of the applicant for the identification instrument cannot be reliably verified, the first identification of the application shall be made by the police. The cost to the applicant of an identification instrument by the police is a public law. The payment of the charge shall be governed by the State payment law.

The existing strong electronic identification instrument must be able to apply for an equivalent level of electronic identification. The successful tenderer of a strong electronic identification service shall be responsible for any identification of the error in relation to the injured party.

Under Act 139/2015, the amended Article 17 shall enter into force on 1 January 2016. The previous wording reads:

§ 17
Identification of the applicant for the identification instrument

The initial identification shall take place in person. The identity of the identity of the identity of the identification instrument shall be carefully identified by the identification service provider by stating his identity on the passport or identity card issued by the Member State of the European Economic Area, Switzerland or San Marino. If they wish, the identification service provider may also use a valid driving licence issued by an authority of a Member State of the European Economic Area after 1 October 1990, or a valid driving licence issued by another State authority The passport.

The personal nature of the first identification may be waived if the identification service providers have concluded an agreement on the possibility of trusting each other to do their first identification. The identification instrument may then be applied electronically. In their agreement, the identification service providers shall determine the liability for any failure to share the original primary identifier in their mutual relationship. In relation to the victim, the injured party is responsible for the identity of the person who relies on the identification service.

The identification instrument may also be applied by electronic means if the applicant has a valid identification instrument issued by the same identification service provider. There is no need to redo the encoding.

If the identity of the applicant for the identification instrument cannot be reliably verified, the first identification of the application shall be made by the police. The cost to the applicant of an identification instrument by the police is a public law. The payment of the charge shall be governed by the State payment law.

ARTICLE 18
Prohibitions and restrictions on the adoption of a legal act

Contracts between the identification service provider, the identification service provider and the holder of the identification instrument may be used to prevent any legal action. In addition, restrictions on the execution of legal acts may be imposed on both the use and the monetary value of the transactions.

The identification service provider shall ensure that the inhibitions or restrictions are known to all parties or perceptible easily. The provider of an identification service may also carry out inhibitions or restrictions by technical means. The provider of an identification service shall not be responsible for the actions taken in breach of the prohibitions or restrictions, despite the fact that the identification service provider has acted with care.

The identification service provider shall arrange for the identification service provider to check the inhibitions or restrictions associated with the identification instrument around the clock. However, there is no obligation if the use of the blocking or restriction of the identification instrument has been prevented by technical means.

The identification service provider shall verify any inhibition or restriction of the systems and records maintained by the identity service provider in connection with the use of the identification instrument. However, it is not necessary to check if the use of the blocking or restriction of the identification instrument is prevented by technical means.

§ 19
Data content of the certification

If the method of identification is based on a certificate, the certificate shall include at least:

(1) information on the certification authority;

(2) information on the certificate holder;

(3) the unique identifier of the certificate holder;

(4) the duration of the certificate;

(5) identification code of the certificate;

(6) information on possible prohibitions and limitations of the use of the certificate;

(7) the public key to the certificate holder and its intended use; and

(8) advanced electronic signature of the validator.

For its part, the certification service provider shall ensure that the service provider using the identification service has access to a data content of the certificate if it is necessary for the purposes of identification.

§ 20
Calculation of the identification instrument

The mobilisation of the identification instrument shall be based on an agreement between the applicant and the identity of the identification service provider. The agreement shall be made in writing. The agreement may also be made by electronic means if its content cannot be unilaterally amended and remains available to the parties. The identification service provider shall treat its clients on a non-discriminatory basis and the applicants for identification shall be equal in the context of the award of the contract.

The agreement may be valid indefinitely or in time. The identification instrument may have a period of validity shorter than the duration of the contract.

The identification instrument is always given to a natural person. The identification instrument shall be personal. The identification instrument may be accompanied, where appropriate, by the fact that a person may also represent another natural or legal person on a case-by-case basis.

ARTICLE 21
Surrender of the identification instrument to the applicant

The identification service provider shall surrender the identification instrument to the applicant as agreed in the contract. The identity of the identification service provider must ensure that the identification instrument is not unlawfully placed in the hands of the other person when the instrument is released.

§ 22
Renewal of identification instrument

The identity of the identity of the identification service may be submitted to the holder by a new instrument without explicit request only if the previously issued identification instrument is to be replaced. In this case, the provisions of Article 21 shall apply.

ARTICLE 23
Obligations of the holder of the identification instrument

The holder of an identification instrument shall use the identification instrument in accordance with the terms of the contract. The holder must keep the identification tool carefully. The holder's obligation to provide for the identification of the means of identification shall begin once he has received it.

The holder of an instrument of identification shall not disclose the instrument to another.

§ 24
Recording and use of information on identification and identification instruments

The identification service provider shall record:

(1) the information necessary for the verification of an individual identification transaction and electronic signature;

(2) the necessary information on the initial identification of the applicant referred to in Article 17 and the document used therein;

(3) information on any prohibitions and restrictions associated with the use of the identification tool referred to in Article 18; and

(4) for the certificate, the data content of the certificate referred to in Article 19.

The information referred to in paragraph 1 (1) shall be kept for five years from the identification transaction and the information referred to in paragraphs 2 to 4 for five years from the end of the customer relationship between the identification service provider and the identification instrument holder.

Personal data generated within the event of identification shall be disposed of after the period of identification, unless it is necessary to verify the individual identification sequence.

The identity of the identity of the identity service provider shall only deal with the data stored for the purposes of the execution and maintenance of the service, for billing, for the protection of its own rights in disputes and for the identification service provider, or At the request of the identification instrument holder. The identity of the time, reason and the handler shall be recorded by the identification service provider.

Paragraph 1 (1) and (3) shall not apply to a service provider which only sets out identification instruments. The five-year storage period referred to in paragraph 2 shall then be calculated from the expiry of the identification instrument.

ARTICLE 25
Declaration on the withdrawal or blocking of an identification instrument

The holder of an identification instrument shall inform the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the identity of the person concerned or of the loss of the identity of the identity of the identity of the person concerned. Fact.

The identification service provider shall provide the opportunity to make the declaration referred to in paragraph 1 at any time. The identification service provider shall, without delay, withdraw or prevent its use after having received the relevant notification.

The identity of the identity service provider shall be duly and promptly entered in the system from the date of the withdrawal or suspension of the information. The holder of an identification instrument shall be entitled, upon request, to a certificate stating that he has made the declaration referred to in paragraph 1. The certificate shall be requested within 18 months of the notification.

The system shall be such that the identity of the service provider using the identification service can easily be checked around the clock. However, there is no obligation to arrange an inspection if the use of the identification instrument can be technically prevented or closed.

The identification service provider shall check the systems and registers maintained by the identity service provider in connection with the use of the identification instrument. However, such verification is not necessary if the use of the identification instrument can be technically prevented or closed.

Where the identification service is based on certificates and cancelled certificates are provided by means of a checklist, the certification service provider shall be allowed to record the data on the verification of the validity of the certificate. Alternatively, the certificate may be stored by the verifier.

§ 26
The right of the identification service provider to withdraw or prevent the use of the identification instrument

In addition to Article 25, the identification service provider may withdraw or block the identification instrument if:

(1) the identification service provider has reason to suspect that someone other than the person to whom the identification instrument was issued uses it;

(2) the identification instrument contains a manifest error;

(3) the identification service provider has reason to suspect that the security of the use of the identification instrument has been compromised;

(4) the identity of the identification instrument is substantially used by the identification instrument in an equivalent manner; or

(5) the identification instrument holder is dead.

The identification service provider shall inform the holder as soon as possible of the withdrawal or blocking of the identification instrument and the timing of the withdrawal or blocking of use and the reasons for it.

The identification service provider shall return the opportunity to use the identification instrument or provide the holder with a new instrument immediately after the reason referred to in paragraph 1 (2) and (3).

ARTICLE 27
Limitation of liability for the rights of the identification of the holder of the identification instrument

The holder of the identification instrument shall be responsible for the non-legal use of the identification instrument only if:

(1) he has transferred the identification instrument to another;

(2) the loss of the identity of the identification instrument, the unlawfully repossession or the right to use is due to his negligence, which is not mild; or

(3) he has failed to inform the offeror or any other entity of the identity of the identification service.

However, the holder of an identification instrument shall not be responsible for the unauthorised use of the identification instrument:

(1) in so far as the identification instrument has been used after having informed the identity of the identity service provider of the loss of the identification instrument, the wrongful use of the latter or the right to use;

(2) where the holder of the identification instrument has not been able to report on the loss of the instrument without undue delay after finding it, because the identity service provider has failed to fulfil its obligation under Article 25 (2) to ensure that the holder of the identification instrument is able at any time to make that declaration; or

(3) the identity service provider of the identification service has failed to fulfil its obligation under Article 18 (4) or Article 25 (5) to check the existence of a restriction on the use of an instrument or the use of an instrument; or Closure.

Chapter 4

Electronic signature

ARTICLE 28
Safe signature creation tool

The instrument for the creation of a secure signature shall ensure that:

(1) the inventories of the signatures are virtually unique and remain confidential;

(2) the information on the creation of the signature cannot be deduced from other information;

(3) the signature is protected against counterfeiting;

(4) the signatory may protect the signature of the signature from other uses; and

(5) the instrument of creation does not alter the information to be signed and does not prevent the disclosure of information to the signatory before signing.

A signature instrument shall always be deemed to comply with the requirements laid down in paragraph 1 if:

(1) it complies with generally recognised standards established by the Commission of the European Communities and published in the Official Journal of the European Union; or

(2) the designated inspection body designated for the assessment of the requirements, located in Finland or in any other State belonging to the European Economic Area, has approved it.

ARTICLE 29
Inspection plant

The Agency may designate inspection bodies to assess whether the instrument of creation fulfils the requirements laid down in Article 28 (1). Inspection institutions may be private or public institutions.

The designation of the inspection body shall be subject to:

(1) the control body is functionally and economically independent;

(2) its operation is reliable, appropriate and non-discriminatory;

(3) it has sufficient financial resources to provide for appropriate action and to cover potential liability;

(4) it has sufficient skilled and impartial staff at its disposal; and

(5) it has the facilities and equipment necessary for its operation.

The Agency shall designate the inspection bodies on the basis of an application. The application shall include, in addition to the applicant's contact information and the trade register or the corresponding report, a statement of compliance with the conditions referred to in paragraph 2 for the applicant's activities. Where appropriate, the Agency shall provide guidance on the information to be included in the application and its transmission to the Communications Office.

The Office shall supervise the operation of the control body. Where the control body does not comply with the requirements laid down or acts contrary to the provisions, the Communication Office shall withdraw the designation decision. The control body shall inform the Communications Agency of any changes affecting the conditions of the designation of the control body.

The inspection body may, in the assessment mission, be assisted by persons outside the institution. The inspection body shall also be responsible for the work of the persons employed.

ARTICLE 30
Quality assurance

A quality certificate shall mean a certificate that satisfies the requirements laid down in paragraph 2 and issued by a certified certificate complying with the requirements of Articles 33 to 38.

The quality certificate shall include:

(1) that the certificate is a quality assurance certificate;

(2) information on the certifier and the country of establishment;

(3) the name of the signatory or an alias showing that it is a pseudonym;

(4) verification of the signature of the signature under the signature of the signatory;

(5) the duration of the quality certificate;

(6) Identification of the quality certificate;

(7) the developed electronic signature of the validator;

(8) any restrictions on the use of a quality certificate; and

(9) specific information relating to the signatory if they are necessary for the purpose of the quality certificate.

Where the certification authority providing quality certificates also provides the identification service referred to in Chapter 3, the requirements of Article 19 (1) shall always be considered to meet the requirements of Article 19 (1).

ARTICLE 31
Quality assurance certificates provided by validators other than those established in Finland

The certificate offered by a certified quality certificate other than that established in Finland shall be deemed to comply with the quality certification requirements laid down in this law if:

(1) the verifier is established in the State of the European Economic Area and the certificate satisfies the requirements for quality assurance in the State of establishment;

(2) the certifier has joined the voluntary accreditation system in the European Economic Area and fulfils the national requirements laid down in that State for the transposition of the European Parliament and Council Directive 1999/93/EC establishing a Community framework for electronic signatures, hereinafter 'the electronic signature directive';

(3) a certificate is guaranteed by a validator established in a country belonging to the European Economic Area and satisfies the national requirements laid down in that State in order to bring into force the electronic signature directive; or

(4) certificates or certificates have been recognised under a bilateral or multilateral agreement between the European Community and one or more third countries or international organisations.

EPNDir 1999/93/EC on the Community framework for electronic signatures has been repealed with effect from 1 July 2016, cf. EPNAs (EU) No 910/2014 on the electronic identification and electronic transactions of transactions in the internal market and repealing Directive 1999/93/EC.

ARTICLE 32
Notice of initiation

Prior to the commencement of the operation, a certificate for quality certificates shall be notified to the Communications Office. The notification shall include the name and contact details of the validator and the information on the basis of which the requirements laid down in Articles 30 and 33 to 38 are satisfied. The Agency may issue provisions on the exact content of the information to be reported and its transmission to the Communications Agency.

Upon receipt of a notification, the Agency shall, without delay, prohibit the certification of the certification of its certificates as quality certificates if the certificate does not meet the requirements of Article 30 (2) or the verifier does not comply with the requirements laid down in Articles 33 to 38.

If the information referred to in paragraph 1 has changed, the certifier shall without delay inform the Communications Office in writing.

The Agency shall keep a public register of certifying certificates of quality certification.

A certificate for quality certificates may also make the declaration referred to in Article 10 if it wishes to provide an identification service in addition to quality certificates.

ARTICLE 33
General obligations of certification authority for quality certificates

The validator shall have adequate technical and financial resources in relation to the extent of the activities carried out. The verifier shall be responsible for all aspects of the certification activity, including the reliability and effectiveness of the services and products produced by the potential validators.

The validator shall:

(1) ensure that its staff has the necessary expertise, experience and competence;

(2) provide adequate financial resources to organise its activities and to cover any liability for damages;

(3) to make available, in general, information on certification and certification to enable the validation and reliability of the validator; and

(4) ensure the confidentiality of the signature of the signature of the signature when the verifier himself produces the information.

The verifier shall not record or duplicate the signature of the signature of the signature given to the signatory.

ARTICLE 34
Reliable equipment and software

The certification authority for quality certificates shall ensure that the systems, equipment and software used by it are sufficiently safe and reliable and protected against changes and counterfeiting.

A device or software relating to electronic signatures shall be deemed to comply with the requirements laid down in paragraph 1 whenever the apparatus or software complies with generally recognised standards published in the Official Journal of the European Union.

ARTICLE 35
Calculation of the quality certificate

The certification authority for quality certificates shall, in a carefully and reliable manner, verify the identity of the applicant for the quality certificate and any other information related to the applicant's person in the calculation and maintenance of the quality certificate. The applicant for quality certificates shall identify the applicant personally. The validator shall treat its customers without discrimination and applicants for quality certificates in the context of the award of the contract.

Prior to the conclusion of the contract, the certification authority shall provide the applicant with a quality certificate with information on the conditions of use of the quality certificate, including any restrictions on use, information on voluntary accreditation schemes, on the regulatory oversight of the certification body and the procedures for complaint and dispute settlement. The information shall be provided in writing to the applicant of the quality certificate in a form such that the applicant can easily understand them.

ARTICLE 36
Withdrawal of quality certificate

The signatory shall, without delay, request the certifying authority of the quality certificate to withdraw the quality certificate if he has reasonable grounds for suspecting the unlawful use of the signature of the signature.

The certification authority for quality certificates shall, without delay, withdraw the quality certificate if the signatory so requests. A request for cancellation of a quality certificate shall be deemed to have been received by the certification authority when it has been available to the certification authority in such a way as to enable the request to be processed.

Quality certificates may also be withdrawn if there is a particular reason otherwise. The withdrawal of the quality certificate and the date of withdrawal shall always be notified to the signatory.

ARTICLE 37
Registers operated by the certification authority for quality certificates

The certification authority for quality certificates must maintain a register of quality certificates (certification register). The register shall indicate:

(1) the data content of the quality certificate as defined in Article 30 (2);

(2) information relating to the applicant, as referred to in Article 35 (1), including information on the identity of the applicant for the purposes of calculating the quality assurance procedure and the necessary information on the document used for identification; and

(3) The information referred to in Article 39 on the verification of the validity of the certificate, if the certificate of quality certification is used by the certification authority for quality certificates.

The certification authority for quality certificates shall ensure that a certificate, as defined in Article 30 (2), is available to the trusted party relying on a quality certificate for a certified electronic signature. However, the information referred to in paragraph (1) (3) does not need to be entered in the certificate if the verifier is otherwise responsible for ensuring that the party relying on the certificate is able to present a credible display of the closing list Verification.

The certification authority shall also maintain a register of quality certificates withdrawn by the parties relying on quality certificates ( On the feathers ). An indication of the withdrawal of the quality certificate and the exact date of withdrawal shall be included in the list of brackets without delay.

The information referred to in paragraphs 2 and 3 shall be available on a 24-hour basis.

ARTICLE 38
Retention of data repository data

The certification authority for quality certificates shall, in a reliable and appropriate manner, maintain the data of the certification register for a period of 10 years from the expiry of the certificate.

Notwithstanding Article 24, where a certification authority providing quality certificates also provides a strong electronic identification service, it may, notwithstanding Article 24, maintain the information in all respects within the meaning of paragraph 1.

ARTICLE 39
Recording of data relating to the revision of the certificate

The certification authority providing quality certificates shall record the data on the verification of the validity of the certificate. The stored data may be used only for verifying the use of certificates or for the verification of legal transactions carried out by means of a certified electronic signature.

ARTICLE 40
Liability for the unauthorised use of signatures

The signatory shall be responsible for the damage caused by the unauthorised use of the advanced electronic signature of the developed electronic signature certified by the quality certificate until the request for withdrawal of the certificate has been received by the certification authority as provided in Article 36 (2).

However, the consumer shall bear the responsibility provided for in paragraph 1 only if:

(1) he has surrendered creation information to another;

(2) the creation of creation information for the purpose of their use is caused by his negligence, which is not of a minor nature; or

(3) after losing control of the creative information in a manner other than that referred to in paragraph 2, he has failed to request the withdrawal of the quality certificate as provided for in Article 36 (1).

ARTICLE 41
Responsibility for damages for the certification of quality certificates

The certification authority providing quality certificates shall be liable for the damage caused by the quality certificate to the pilot:

(1) the information entered in the quality certificate is incorrect at the time of issue of the certificate;

(2) the quality certificate does not contain the information mentioned in Article 30 (2);

(3) the person identified in the quality certificate, at the time of issue of the certificate, was not in possession of the signatures for the signature of the signature mentioned or specified in the certificate;

(4) the characteristics of the signature and verification of signatures created by the validator or by the person assisted by it are incompatible; or

(5) the verifier or the person employed by it has not withdrawn quality assurance as provided for in Article 36.

The guardian shall be released from the liability provided for in paragraph 1, if it appears that the damage was not caused by the negligence of the person or person assisted by it.

The verifier shall not be liable for any damage caused by the use of the service restriction contained in the quality certificate.

In other respects, the liability of the certification authority for the provision of quality certificates to the public is governed by the law on compensation (1999).

The provisions of this Article shall also apply to the certification authority which guarantees the public a certificate of quality certification.

Chapter 5

Authority surveillance

ARTICLE 42
General control and control

The general guidance and development of a strong electronic identification and electronic signature is part of the Ministry of Transport and Communications.

The task of the Communications Agency is to monitor compliance with this law, with the exception of Article 1 (3). Where appropriate, the Agency shall provide technical regulations for the reliability and information requirements of the activities of the identification service providers and of the certification bodies providing quality certificates.

The Supervisor is responsible for monitoring compliance with the personal data provisions of this law.

ARTICLE 43
Right to information

Without prejudice to the confidentiality rules, the Agency shall, without prejudice to the provisions of Article 29, have access to the information provided by the service providers and the certification bodies, the control bodies referred to in Article 29, and the persons assisted by the Information necessary for the performance of the tasks.

The Data Protection Supervisor shall perform his/her duties in carrying out the information rights referred to in the Personal Data Act.

ARTICLE 44
Cooperation between authorities and the right to disclose information

In addition to what the law on public authorities' activities (18/09/1999), the Communication Office and the Data Protection Supervisor shall have the right to disclose to the Financial Supervisory Authority the information necessary to carry out its tasks without prejudice to the confidentiality provisions. Financial supervision shall have the same right to disclose to the Communications Agency and the Data Protection Supervisor the information necessary to carry out the duties provided for in this Act.

When carrying out the tasks under this Act, the Communications Office and the Data Protection Supervisor shall, where appropriate, cooperate with the Financial Supervisory Authority and the Office for Competition and Consumers. (30.11.2012/664)

ARTICLE 45
Administrative instruments

In the event of any breach of this law or the provisions adopted pursuant to it, the Communications Office may oblige it to rectify its errors or omissions. The decision may impose a periodic penalty payment or a threat that the operation is suspended or suspended, or that the action which is not taken is carried out at the expense of the person concerned. The penalty payment, the suspension threat and the threat to be made shall be laid down in the (1113/1990).

The costs of the operation carried out shall be borne by State resources and shall be charged to the defaulter in the order provided in the law on the enforcement of taxes and charges (20/2007).

ARTICLE 46
Right of access

The Communications Agency shall have the right to make an identification service and the service provided by it, the control body referred to in Article 29, its activities or the verification of the service provided by it and the service provided by it, if it has suspicions that they have substantially infringed this law or the provisions adopted pursuant to it.

Each year the Agency shall carry out an audit of the service providing quality certificates and the service it provides.

The Agency shall instruct the inspector to carry out the inspection referred to in paragraphs 1 or 2 above. The person providing the inspection shall have the right to examine the equipment and software of the identity service provider and of the person providing quality certificates, or any software, that may be relevant to monitoring compliance with this law or the provisions adopted pursuant to it.

The inspector referred to in paragraph 3 shall, for inspection purposes, be allowed access to an inspector other than that of domestic peace, as referred to in paragraph 3, for inspection purposes other than those covered by Storage facilities.

The Communications Agency shall have the right to receive official assistance from the police to carry out the inspection referred to in this Article.

The Data Protection Supervisor shall perform his/her duties in the exercise of the right of scrutiny referred to in the Personal Data Act.

ARTICLE 47
Fees payable to the Agency

A registration fee of EUR 5 000 shall be made by an association of the identification service provider or service of service providers referred to in Article 10. In addition, the identification service provider or pool shall carry out an annual supervisory fee of EUR 12 000 to the Communications Office.

The certification authority for issuing quality certificates referred to in Article 32 shall make a registration fee of EUR 5 000 for the Communications Office. In addition, the certification authority for quality certificates shall pay a control fee of EUR 40 000 per year to the Communications Office. Where a certification authority providing quality certificates also makes a declaration referred to in Article 10, it shall pay the registration fee referred to in paragraph 1.

The control body designated in accordance with Article 29 shall pay a fee of EUR 10 000 to the Communications Office. In addition, a control fee of EUR 15 000 per year shall be carried out by the control body.

The registration fee, the designation fee and the supervisory fee shall correspond to the costs incurred by the Communications Office for the performance of the tasks provided for in this Act, with the exception of the tasks referred to in Article 46 (1). The supervisory fee shall also be paid in full during the first year of activity, even if the activity is started in the course of the year. The control fee shall not be reimbursed even if the service provider ceases to operate in the course of the year.

The amount of the registration fee, the designation fee and the control fee shall be payable by the Office for Communications. The decision to impose a payment by the Agency shall be subject to appeal as provided for in Article 49 (1). More detailed provisions on the implementation of payments may be made by a regulation of the Ministry of Transport and Communications.

The registration fee, the designation fee and the supervisory fee may be charged without judgment or decision in the order in which the law on the enforcement of taxes and charges is laid down. If no payments are made at the latest on the maturity date, the amount of the annual default interest shall be charged to the unpaid amount (633/1982) according to the interest rate referred to in paragraph 1. Instead of an interest rate, the Authority may charge a delay of EUR 5 if the amount of the default interest is below this.

If, pursuant to Article 46 (1), the identity of the identity service provider is to be checked, the costs of the verification shall be borne by the identification service provider as provided for by the State payment law.

Chapter 6

Outstanding provisions

ARTICLE 48
Penalty provisions

Penalty report is punishable by criminal law (39/1889) chapter 9 of Chapter 38 and the violation of personal registration in Article 48 (2) of the Personal Data Act.

ARTICLE 49 (17/05/97)
Appeals appeal

The decision of the Office shall be subject to appeal to the administrative court as provided in the administrative law (18/06/1996).

The decision on the decision on the withdrawal of the appointment of a control body shall be subject to appeal against the decision of the Court of Justice as laid down by the Law on Administrative Law. An appeal against any other decision of the administrative court may be lodged only if the Supreme Administrative Court grants an appeal.

In its decision, the Office may order that the decision be complied with before it has received the force of the law. However, until the appeal is resolved, the appeal authority may prohibit the implementation of the decision.

The appeal against the decision of the Data Protection Supervisor is laid down in the Personal Data Act.

L to 17/2015 Article 49 enters into force on 1 January 2016. The previous wording reads:

ARTICLE 49
Appeals appeal

Application for amendment to the decision of the Communications Agency under this Act is governed by the law on administrative law (18/06/1996).

In its decision, the Office may order that the decision be complied with before it has received the force of the law. However, until the appeal is resolved, the appeal authority may prohibit the implementation of the decision.

The appeal against the decision of the Data Protection Supervisor is laid down in the Personal Data Act.

Chapter 7

Entry into force

ARTICLE 50
Entry into force

This Act shall enter into force on 1 September 2009.

This law repeals the Law of 24 January 2003 on electronic signatures (2003). However, the provisions adopted by the Agency under the repealed law shall remain in force until new provisions are adopted pursuant to this Act.

Before the law enters into force, action can be taken to enforce the law.

ARTICLE 51
Transitional provision

The identification service providers shall make the notification referred to in Article 10 of the Communications Agency within six months of the entry into force of the law. During that period, a strong electronic identification service and an identity service provider shall be regarded as the electronic identification service covered by Article 1 and the provider of an electronic identification service fulfilling the obligations referred to in Article 2 (1) and (4). Definitions.

Identification instruments issued before the entry into force of this Act or during the transitional period referred to in paragraph 1 shall be considered as a means of strong electronic identification if the identification service provider makes the declaration referred to in Article 10 (1) within a period of time. The identification service and the identity service provider shall then comply with all the requirements laid down in this Act, except for the requirements laid down in Article 17.

Where the identification service providers have concluded an agreement within the meaning of Article 17 (2) on the possibility of relying on each other for the first identification, and the service provider has not issued the identification equipment used in the initial identification, 10 § in the period referred to in paragraph 1, the first identifier shall, in the case of identification instruments issued in this way, be made without delay within the meaning of Article 17.

There is no need for a new notification to be submitted by the certification authority for quality certificates which has made a notification under Article 9 (1) of the Law on electronic signatures and continued its activities without interruption until the entry into force of this Act. In accordance with Article 32 (1). The certification authority providing quality certificates will then be able to submit a written declaration to the Communications Office for the continuation of its activities. Upon entry into force of this Act, certification of quality certificates shall be paid by the Ministry of Transport and Communications (1175/2005) Until 31 December 2009, irrespective of the date of the written notification.

HE 36/2009, LiVM 12/2009, EV 90/2009

Entry into force and application of amending acts:

30.11.2012/664:

This Act shall enter into force on 1 January 2013.

HE 108/2012, TaVM 9/2012, EV 98/2012

20.2.2015/139:

This Act shall enter into force on 1 January 2016. However, Article 12a shall apply only from 1 May 2017.

HE 272/2014, LiVM 33/2014, EV 257/2014

7.8.2015/997:

This Act shall enter into force on 1 January 2016.

In the case of appeals before the entry into force of this Act, the provisions in force at the time of entry into force of this Act shall apply.

HE 230/2014, LaVM 26/2014, EV 319/2014