De-Mail Act

Original Language Title: De-Mail-Gesetz


De-Mail-Law

Non-official table of contents

De-Mail-G

Date of issue: 28.04.2011

Full quote:

"De-Mail-Law of 28 April 2011 (BGBl. 666), as last amended by Article 3 (8) of the Law of 7 August 2013 (BGBl. I p. 3154)"

Last modified by Art. 3 (8) G v. 7.8.2013 I 3154

For details, see Notes

Footnote

(+ + + Text evidence from: 3.5.2011 + + +)

The Act was adopted by the Bundestag as Article 1 of the Act of 28.4.2011 I 666. In accordance with Article 6 of that Act, it entered into force on 3.5.2011.

Section 1
General rules


§ 1 De-Mail Services

(1) De-Mail services are services on an electronic communications platform designed to ensure secure, confidential and verifiable business transactions for everyone on the Internet.

(2) A De-Mail service must enable a secure login, the use of a mailbox and shipping service for secure electronic mail and the use of a directory service, and can additionally provide identity confirmation and document filing services. A De-Mail service is operated by a service provider accredited according to this law.

(3) The electronic communications infrastructure and other applications that are used for the secure transmission of messages and data shall remain unaffected.

§ 2 Competent authority

The competent authority under this law is the Federal Office for Information Security.

Section 2
Compulsory offers and optional offerings from the service provider


§ 3 Opening of a De-Mail account

(1) Under a De-Mail account contract, an accredited service provider undertakes to make a De-Mail account available to a user. A De-Mail account is an area in a De-Mail service that is assigned to a user in such a way that it can only be used by him. The accredited service provider must ensure by technical means that only the user assigned to a De-Mail account can gain access to it.

(2) The accredited service provider shall establish the identity of the user and, in the case of legal persons, partnerships or public authorities, additionally the identity of their legal representatives or members of their representative bodies. For this purpose, it collects and stores the following information:
1. for a natural person: name, place of birth, date of birth and address;
2. for a legal person, partnership or public authority: company, name or designation, legal form, register number where available, address of the registered office or principal place of business, and the names of the members of the representative body or of the legal representatives; if a member of the representative body or the legal representative is a legal person, its company, name or designation, legal form, register number where available, and address of the registered office or principal place of business.
(3) The accredited service provider shall verify the information provided for in paragraph 2 before the user's De-Mail account is activated:
1. for natural persons
a) based on a valid official identity document that contains a photograph of the holder and with which the passport and identification obligation in Germany is fulfilled, in particular on the basis of a passport, identity card, or passport or identity card substitute that is domestic or recognised or admitted in accordance with the provisions of the law on foreigners,
b) on the basis of documents that are equivalent to a document as referred to in point (a),
c) based on an electronic proof of identity in accordance with § 18 of the German Identity Card Act or § 78 (5) of the Residence Act,
d) based on a qualified electronic signature according to § 2 (3) of the Signature Act, or
e) based on other suitable technical procedures offering security equivalent to identification on the basis of the documents referred to in point (a);
2. for legal entities, partnerships or public authorities
a) based on an extract from the commercial or cooperative register, or from a comparable official register or directory,
b) on the basis of the founding documents,
c) on the basis of documents that are equivalent to the documents referred to in points (a) or (b), or
d) by inspecting the register or directory data.
The accredited service provider may make a copy of the official ID. It shall destroy the copy immediately after establishing the participant's identity details. The accredited service provider may, with the consent of the user, also process or use personal data that it collected at an earlier date in order to establish and verify the user's identity, provided that such data ensure reliable identification of the user.

(4) The use of the De-Mail services is only possible after the accredited service provider has activated the user's De-Mail account. The activation takes place as soon as
1. the accredited service provider has clearly identified the user, and the identity data of the user and, in the case of paragraph 2, point 2, also of the legal representative or the members of the representative body have been collected and successfully verified,
2. the accredited service provider to the user of the
3. the user has made the confirmation in accordance with § 9 (2),
4. the user has consented to the checking of his messages for malicious software by the accredited service provider, and
5. the user has shown that he has been able to use the login data successfully.

(5) After activation of a user's De-Mail account, the accredited service provider shall ensure the accuracy of the identity data stored for the user. It shall verify the accuracy of the stored identity data at reasonable intervals and, if necessary, correct it.

§ 4 Login to a De-Mail account

(1) The accredited service provider must allow the user to log in to his De-Mail account, and thereby to access the individual services, with a secure login or, at the user's request, also without such a secure login. For the secure login, the accredited service provider shall ensure that, in order to protect against unauthorized use, access to the De-Mail account is only possible if two suitable and mutually independent means of securing are used; where secrets are used as means of securing, their uniqueness and secrecy shall be ensured. Access to the De-Mail account takes place without a secure login if only one means of securing, usually user name and password, is used. The user may require that access to his De-Mail account be possible only with a secure login.

(2) The accredited service provider shall ensure that the user is able to choose between at least two procedures for the secure login referred to in the second sentence of paragraph 1. As one secure login procedure, the user, insofar as he is a natural person, must be able to use the electronic proof of identity in accordance with § 18 of the German Identity Card Act.

(3) The accredited service provider shall ensure that the communication link between the user and his De-Mail account is encrypted.

§ 5 Mailbox and Shipping Service

(1) The provision of a De-Mail account includes the use of a secure electronic mailbox and shipping service for electronic messages. For this purpose, a De-Mail address for electronic mail is assigned to the user, which must include the following information:
1. in the domain part of the De-Mail address, an identifier which may be used exclusively for De-Mail services;
2. in the case of natural persons, in the local part, their surname and one or more first names, or a part of the first name(s) (main address);
3. in the case of legal entities, partnerships or public authorities, in the domain part, a designation that is directly related to their company, name or other designation.
(2) The accredited service provider may also provide users with pseudonymous De-Mail addresses on request, insofar as the user is a natural person. The use of a service by the user under a pseudonym shall be marked so that it is recognisable to third parties.

(3) The mailbox and shipping service shall ensure the confidentiality, integrity and authenticity of the messages. To this end, the accredited service provider shall ensure that
1. the communication from an accredited service provider to any other accredited service provider takes place via an encrypted, mutually authenticated channel (transport encryption) and
2. the content of a De-Mail message is transmitted in encrypted form from the accredited service provider of the sender to the accredited service provider of the recipient.
The use of continuous encryption between sender and recipient (end-to-end encryption) remains unaffected.

(4) The sender can require a secure login according to § 4 for the retrieval of the message by the recipient.

(5) The accredited service provider must make it possible for the user to have his secure login within the meaning of § 4 confirmed in the message in such a way that the unadulterated nature of the confirmation can be checked at any time. In order to make this recognisable to the recipient of the message, the accredited service provider of the sender confirms the use of the secure login in accordance with § 4. For this purpose, on behalf of the sender, it shall provide the message with a permanently verifiable qualified electronic signature; if the message is accompanied by one or more files, the qualified electronic signature shall also cover these. In the case of natural persons, the confirmation shall contain the name and first names; in the case of legal persons, partnerships or public authorities, the company, name or designation of the sender in the form in which it is stored in accordance with § 3 (2). The fact that the sender has used this shipping method must be apparent from the message in the form in which it arrives at the recipient. The confirmation in accordance with the first sentence is not permitted when a pseudonymous De-Mail address as referred to in paragraph 2 is used.

(6) The accredited service provider, with the exception of the service providers in accordance with § 19, is obliged to formally deliver electronic messages in accordance with the provisions of the codes of procedure and the laws governing administrative service. To the extent of this obligation, the accredited service provider is vested with sovereign powers (beliehener Unternehmer).

(7) The accredited service provider confirms the sending of a message at the request of the sender. The shipping confirmation must contain the following information:
1. the De-Mail address of the sender and of the recipient;
2. the date and time the message was sent from the sender's De-Mail mailbox;
3. the name and first name or the company of the accredited service provider who produces the shipping confirmation and
4. the checksum of the message to be confirmed.
The accredited service provider of the sender shall provide the shipping confirmation with a qualified electronic signature in accordance with the Signature Act.

(8) At the request of the sender, the receipt of a message in the recipient's De-Mail mailbox will be confirmed. In doing so, the accredited service provider of the sender and the accredited service provider of the recipient cooperate. The accredited service provider of the recipient creates an acknowledgement of receipt. The acknowledgement of receipt contains the following information:
1. the De-Mail address of the sender and of the recipient;
2. the date and time of the receipt of the message in the recipient's De-Mail mailbox;
3. the name and first name or the company of the accredited service provider who produces the acknowledgement of receipt and
4. the checksum of the message to be confirmed.
The accredited service provider of the recipient shall provide the acknowledgement of receipt with a qualified electronic signature in accordance with the Signature Act. The accredited service provider of the recipient also sends the acknowledgement of receipt to the recipient.

(9) A public authority which is entitled to effect formal delivery in accordance with the provisions of the codes of procedure and the laws governing administrative service may require a pick-up confirmation. The pick-up confirmation shows that the recipient, after receipt of the message in the mailbox, has logged in to his De-Mail account securely within the meaning of § 4. In doing so, the accredited service provider of the public authority as sender and the accredited service provider of the recipient cooperate. The accredited service provider of the recipient generates the pick-up confirmation. The pick-up confirmation must contain the following information:
1. the De-Mail address of the sender and of the recipient;
2. the date and time of the receipt of the message in the recipient's De-Mail mailbox;
3. the date and time of the recipient's secure login to his De-Mail account within the meaning of § 4;
4. the name and first name or the company of the accredited service provider that generates the pick-up confirmation and
5. the checksum of the message to be confirmed.
The accredited service provider of the recipient shall provide the pick-up confirmation with a qualified electronic signature in accordance with the Signature Act. The accredited service provider of the recipient also sends this confirmation to the recipient. The data referred to in sentence 5 may only be processed and used for the purpose of proof of formal delivery within the meaning of § 5 (6).

(10) The accredited service provider shall ensure that messages for which an acknowledgement of receipt has been issued in accordance with paragraph 8 or a pick-up confirmation as referred to in paragraph 9 can be deleted by the recipient without a secure login to his De-Mail account only 90 days after their receipt.

(11) The accredited service provider shall offer users who are natural persons the option of forwarding a copy of all messages addressed to their De-Mail address to a De-Mail address previously specified by the user (forwarding address), without the user having to be logged in to his De-Mail account (automatic forwarding). The user may exclude messages sent to him within the meaning of paragraph 4 from being forwarded. The user can withdraw the automatic forwarding service at any time. In order to be able to use the automatic forwarding service, the user must be securely logged in to his De-Mail account.

§ 6 Identity confirmation service

(1) The accredited service provider can offer an identity confirmation service. Such a service exists if the user is able to use the identity data stored in accordance with § 3 in order to have his identity confirmed electronically to a third party who is also a user of a De-Mail account. The identity data are transmitted by means of a De-Mail message, which the accredited service provider sends on behalf of the user to the third party to whom he wishes to communicate his identity data. The accredited service provider provides the De-Mail message with a qualified electronic signature in accordance with the Signature Act.

(2) The accredited service provider shall make arrangements to ensure that identity data cannot be forged or falsified unnoticed.

(3) The competent authority may order the blocking of an item of identity data when facts justify the assumption that the item of identity data has been issued on the basis of false information or is not sufficiently forgery-proof.

§ 7 Directory service

(1) At the user's express request, the accredited service provider shall publish in a directory service the De-Mail addresses, the identity data stored in accordance with § 3, the name and address, the information necessary for the encryption of messages to the user and the information on the possibility of secure login in accordance with § 4 of the user. The accredited service provider may not make the opening of a De-Mail account for the user dependent on the user's request under sentence 1.

(2) The accredited service provider shall immediately delete a De-Mail address, an item of identity data or the information necessary for the encryption of messages to the user from the directory service if the user requires this, the data have been issued on the basis of incorrect information, the service provider is terminating its activity and that activity is not being continued by another accredited service provider, or the competent authority orders the deletion from the directory service. Further reasons for deletion can be contractually agreed.

(3) The publication of the De-Mail address in the directory service at the request of the user as a consumer in accordance with paragraph 1 shall not be deemed to be the opening of access within the meaning of Section 3a (1) of the Administrative Procedure Act, Section 36a (1) of the First Book of the Social Code or Section 87a (1) sentence 1 of the Tax Code. At the request of the user, the accredited service provider must publish in the directory service, by means of a suitable addition, the user's declaration that he wishes to open access within the meaning of § 3a of the Administrative Procedure Act, Section 36a (1) of the First Book of the Social Code and the first sentence of § 87a (1) of the Tax Code. The publication of the user's De-Mail address as a consumer with this addition in the directory service is considered to be an access opening. Sentence 2 shall apply accordingly to the decision of the user to withdraw the access opening.

(4) § 47 of the Telecommunications Act shall apply accordingly.

§ 8 Document filing

The accredited service provider can provide the user with a document repository for the secure filing of documents. If it offers the document repository, it shall ensure that the documents are stored securely; confidentiality, integrity and constant availability of the filed documents must be guaranteed. The accredited service provider is obliged to store all documents in encrypted form. For each individual file, the user can specify that a secure login in accordance with § 4 is required for access. At the request of the user, the accredited service provider shall provide a log of the filing and removal of documents, which is secured with a qualified electronic signature in accordance with the Signature Act.

Section 3
De-Mail Services Usage


§ 9 Explanation and information requirements

(1) Prior to the first use of the De-Mail account, the accredited service provider shall inform the user about the legal consequences and costs of the use of De-Mail services, in particular the mailbox and shipping service according to § 5, the directory service in accordance with § 7, the use of the document repository according to § 8, the blocking and dissolution of the De-Mail account according to § 10, the cessation of activity pursuant to § 11, the termination of the contract in accordance with § 12 and the inspection pursuant to § 13 (3), and about the measures necessary to prevent unauthorised access to the De-Mail account. This also includes, in particular, information
1. about the possibility and importance of a secure login in accordance with § 4 paragraph 1 sentence 2, as well as an indication that access to the De-Mail account without a secure login does not offer the same protection as with a secure login, and
2. about the content and meaning of the transport encryption according to § 5 (3) sentence 2 and of the encryption according to § 4 paragraph 3, as well as about the differences between these encryptions and an end-to-end encryption in accordance with § 5 paragraph 3 sentence 3.
The accredited service provider must also inform the user of how malware-laden De-Mail messages are dealt with.

(2) The accredited service provider may only allow the use of the De-Mail account for the first time if the user has received the necessary information in text form and has confirmed in writing that he has received the information referred to in paragraph 1 and has taken note of it.

(3) Information obligations under other laws shall remain unaffected.

§ 10 Blocking and dissolution of the De-Mail account

(1) The accredited service provider shall block access to a De-Mail account immediately if
1. the user requests it,
2. facts justify the assumption that the data stored at the accredited service provider for the clear identification of the user are not sufficiently forgery-proof or that the secure login according to § 4 has defects which allow an unnoticed falsification or compromise of the login process,
3. the competent authority orders the blocking in accordance with paragraph 2 or
4. the requirements of a blocking reason contractually agreed between the accredited service provider and the user are met.
In the case of sentence 1, point 4, the accredited service provider shall carry out the blocking in such a way that the retrieval of messages remains possible; this does not apply insofar as the contractually agreed blocking reason excludes the retrieval of messages. The accredited service provider shall disclose to the users authorized to block a telephone number under which they can immediately initiate a blocking of access.

(2) The competent authority may order the blocking of a De-Mail account if facts justify the assumption that the De-Mail account was opened on the basis of false information, or that the data held by the accredited service provider for the clear identification of the user are not sufficiently forgery-proof, or that the secure login in accordance with § 4 (1) has defects which allow unnoticed falsification or compromise of the login process.

(3) The accredited service provider shall grant the user access to the De-Mail account again once the blocking reason has ceased to apply.

(4) The accredited service provider shall immediately dissolve a De-Mail account if the user requests it or if the competent authority orders the dissolution. The competent authority may order the dissolution if the conditions set out in paragraph 2 are met and a blocking is not sufficient. An agreement on other grounds for dissolution is ineffective.

(5) Prior to a blocking pursuant to paragraph 1 or a dissolution referred to in paragraph 4, the accredited service provider shall satisfy itself in an appropriate manner of the identity of the user authorized to block or dissolve.

(6) In the event of a blocking referred to in the first sentence of the first subparagraph of paragraph 1 to 3 or the first sentence of the first sentence of paragraph 1 in conjunction with the second sentence of the second sentence of paragraph 1 and the dissolution referred to in paragraph 4, the accredited service provider shall prevent the receipt of messages in the mailbox of the blocked or dissolved De-Mail account and inform the sender immediately.

(7) If the blocking or dissolution of the De-Mail account takes place at the instigation of the accredited service provider or the competent authority, the user shall be informed of the blocking or dissolution. In the cases referred to in the first sentence of the first subparagraph of paragraph 1, the accredited service provider shall be obliged to inform the user that he is able to receive and retrieve messages in spite of the blocking.

§ 11 Cessation of activity

(1) The accredited service provider shall immediately notify the competent authority of the cessation of its activity. It has to ensure that the De-Mail account can be taken over by another accredited service provider. It shall immediately inform the users concerned of the cessation of its activity and obtain their consent to the transfer of the De-Mail account to another accredited service provider.

(2) If no other accredited service provider takes over the De-Mail account, the accredited service provider must ensure that the data stored in the mailbox and in the document repository remain available for at least three months from the date of the notification of the user.

(3) The accredited service provider has to hand over the documentation according to § 13 to the accredited service provider who takes over the De-Mail account in accordance with paragraph 1. If no other accredited service provider takes over the De-Mail account, the competent authority shall take over the documentation. In such a case, the competent authority shall, where there is a legitimate interest, provide information as far as this is possible without undue effort.

(4) The accredited service provider shall immediately notify the competent authority of an application for the opening of insolvency proceedings.

§ 12 Contract Termination

The accredited service provider is obligated to allow the user access to the data stored in the mailbox and in the document repository for a period of three months after the end of the contract, and to notify him in text form of their deletion at least one month beforehand.

§ 13 Documentation

(1) The accredited service provider shall document all measures taken to ensure the conditions of the accreditation and compliance with the obligations referred to in §§ 3 to 12 in such a way that the data and their unadulterated nature are verifiable at any time. The documentation requirement includes the process of opening a De-Mail account, any change in data relevant to the management of a De-Mail account, as well as any change in the status of a De-Mail account. The third sentence of § 3 (3) shall apply to the copies of official documents.

(2) The accredited service provider shall keep the documentation referred to in paragraph 1 for the duration of the contractual relationship existing between the service provider and the user and for ten more years from the end of the year in which the contractual relationship ends.

(3) On request, the user shall be granted access to the data relating to him.

§ 14 Youth and consumer protection

In the design and operation of the De-Mail services, the accredited service provider shall comply with the requirements of the protection of minors and consumer protection.

§ 15 Data protection

The accredited service provider may collect, process and use personal data of the user of a De-Mail account only insofar as this is necessary for the provision of the De-Mail services and their implementation; moreover, the regulations of the Telemedia Act, the Telecommunications Act and the Federal Data Protection Act shall apply.

§ 16 Information claim

(1) An accredited service provider provides information to third parties on the name and address of a user if
1. the third party makes it credible that it needs the information for the prosecution of a legal claim against the user,
2. the information relates to a legal relationship between the third party and the user which has been created using De-Mail,
3. the third party provides the information necessary to determine its identity within the meaning of § 3 paragraph 2,
4. the accredited service provider has checked the accuracy of the information in accordance with § 3 paragraph 3,
5. the request is not legally abusive, in particular does not serve solely the purpose of uncovering a pseudonym, and
6. the interests worthy of the user in the

(2) For the purposes of paragraph 1 (1), the third party shall submit to the accredited service provider electronic messages or documents from which the legal relationship with the user is apparent, insofar as such exist. The accredited service provider shall inform the user of the request for information without delay, naming the third party, and shall give him the opportunity to comment on the request for information, insofar as this does not, in individual cases, jeopardise the pursuit of the third party's legal claim.

(3) The accredited service provider may require reimbursement of the expenses required for providing the information.

(4) § 7 of the Federal Data Protection Act shall apply accordingly.

(5) The data obtained through the provision of information may only be used for the purpose indicated in the request.

(6) The accredited service provider shall document the provision of information in accordance with paragraph 1 and inform the user that the information has been provided. The documentation requirement referred to in the first sentence shall include the request for information, including the naming of the third party referred to in paragraph 1, the decision of the accredited service provider, the identification data of the responsible staff member of the accredited service provider, the communication of the result to the third party requesting information, the communication to the user that the information was provided, and the respective legal time for individual processes within the provision of information. The documentation shall be kept for three years.

(7) §§ 13 and 13a of the Act on injunctions in the case of consumer rights and other infringements shall remain unaffected.

(8) The provisions of other legislation relating to information for public sector bodies shall remain unaffected.

Section 4
Accreditation


§ 17 Accreditation of service providers

(1) Service providers who wish to offer De-Mail services must, upon written application, be accredited by the competent authority. Accreditation shall be granted if the service provider proves that it meets the conditions laid down in § 18 and if the exercise of supervision over the service provider by the competent authority is ensured. Accredited service providers shall receive a quality mark from the competent authority. The quality mark serves as proof of the comprehensively tested technical and administrative security of the De-Mail services. They may refer to themselves as accredited service providers. Only accredited service providers are allowed to rely on the proven security in commercial transactions and to carry the quality mark. Further labelling may be reserved for accredited service providers.

(2) The application pursuant to § 17 (1) sentence 1 shall be decided within a period of three months; Section 42a, paragraph 2, sentences 2 to 4 of the Administrative Procedure Act shall apply.

(3) The accreditation is to be renewed after substantial changes, but at the latest after three years.

§ 18 Requirements for accreditation; evidence

(1) A service provider can only be accredited if it
1. has the reliability and expertise required to operate De-Mail services,
2. maintains appropriate cover to meet its legal obligations to compensate for damage,
3. fulfils the technical and organizational requirements for the obligations under §§ 3 to 13 as well as in accordance with § 16 in such a way that it provides the services reliably and securely, cooperates with the other accredited service providers and uses, for the provision of services, only technical equipment which is located in the territory of the Member States of the European Union or of another Contracting State of the Agreement on the European Economic Area,
4. meets the data protection requirements in the design and operation of the De-Mail services.
(2) Service providers have to comply with the technical and organisational requirements in accordance with §§ 3 to 13 as well as in accordance with § 16 according to the state of the art. Compliance with the state of the art is presumed if the Technical Guideline 01201 De-Mail of the Federal Office for Information Security of 23 March 2011 (eBAnz AT40 2011 B1) is complied with in the version published in the Federal Gazette. Before the Federal Office for Information Security makes substantial changes to the Technical Guideline, it shall consult the De-Mail-Standardization Committee within the meaning of § 22; the Federal Commissioner for Data Protection and Freedom of Information will be given an opportunity to comment, provided that questions of data protection are affected.

(3) The conditions set out in paragraph 1 shall be established as follows:
1.
the required reliability and expertise by means of proof of the personal characteristics, the conduct and the corresponding capabilities of the persons involved in its operation; as proof of the required expertise, it is generally sufficient if appropriate certificates are available for the respective tasks in the operation, or proof of the knowledge, experience and skills required for this purpose;
2.
sufficient financial security through an insurance or through the exemption or guarantee obligation of a credit institution, with a minimum coverage amount of EUR 250 000 each for damage caused. The coverage can be provided by
a)
a liability insurance with an insurance undertaking authorised to conduct business within the Member States of the European Union or in another State Party to the Agreement on the European Economic Area, or
b)
an exemption or guarantee obligation of a credit institution authorised to operate in one of the Member States of the European Union or in another Contracting State of the Agreement on the European Economic Area, if it is guaranteed that:
Where the cover is provided by insurance, the following shall apply:
a)
§ 113 (2) and (3) and §§ 114 to 124 of the Insurance Contract Law apply to it.
b)
The minimum amount of insurance must be 2.5 million euros for the individual insurance case. The insurance case is any breach of duty of the service provider, regardless of the number of claims that have been triggered. If an annual maximum amount is agreed for all damage caused in an insurance year, it must be at least four times the minimum insurance sum.
c)
Liability can be excluded from the insurance only for compensation claims arising from an intentionally committed breach of duty of the accredited service provider or of the persons for whom it is responsible.
d)
The agreement of a deductible of up to 1 percent of the minimum insurance sum is allowed;
3.
the fulfilment of the technical and organisational requirements for the obligations referred to in paragraph 1 number 3 by IT security service providers certified by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) according to § 9 (2), first sentence, of the Law on the Federal Office for Information Security; the interaction with the other accredited service providers can only be confirmed after sufficient checks; the security of the services can only be confirmed after a comprehensive examination of the security concept and the IT infrastructures deployed in the context of the award of the test; certificates issued at the time of the entry into force of the law can be taken into account;
4.
the fulfilment of the data protection requirements for the data protection concept, for the procedures and for the information technology facilities used, by the submission of appropriate evidence; the evidence is provided by the applicant service provider with a certificate from the Federal Commissioner for Data Protection and the Freedom of Information; the Federal Commissioner for Data Protection and the Freedom of Information, upon written request from the service provider, shall issue a certificate if the data protection criteria are met; the fulfilment of the data protection criteria shall be established by an expert opinion drawn up by an expert body recognised or publicly appointed by the Federal Government or a federal state; the Federal Commissioner for Data Protection and the Freedom of Information can request additional information; the data protection criteria are defined in a criteria catalogue, which is the responsibility of the Federal Commissioner for Data Protection and the Freedom of Information; the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) will be given an opportunity to comment on IT security matters.
(4) The service provider may, by including them in its concepts for the implementation of the requirements of paragraph 1, assign third parties to fulfil obligations under this law.

§ 19 Equal treatment of foreign services

(1) Comparable services from another Member State of the European Union or from another State Party to the Agreement on the European Economic Area shall be treated in the same way as the services of an accredited service provider, with the exception of those services which are connected with the exercise of public service activity, if their providers meet conditions equivalent to § 18, these are proven to a competent authority and the continued fulfilment of these conditions is guaranteed by a control system existing in that Member State or State Party.
(2) The examination of the equivalence of the foreign service provider referred to in paragraph 1 shall be the responsibility of the competent authority. The equivalence of foreign service providers is given if the competent authority has established that in the country of origin of the service provider concerned
1.
the security requirements for service providers,
2.
the examination procedures for service providers as well as the requirements for the bodies responsible for the audit of the services and
3.
the control system
offer equivalent security.

Section 5
Supervision

§ 20 Supervisory Measures

(1) The competent authority is responsible for supervising compliance with this law. Upon accreditation, service providers are subject to the supervision of the competent authority.
(2) The competent authority may take measures with regard to service providers to ensure compliance with this law.
(3) Notwithstanding the fact that the test within the meaning of § 18 (3) number 3 has been carried out, the competent authority may temporarily prohibit, in whole or in part, the operation of an accredited service provider if the facts justify the assumption that:
1.
a prerequisite for accreditation in accordance with § 17 paragraph 1 has ceased to apply,
2.
invalid solicitation for the De-Mail service offering, or is confirmed,
3.
obligations are being violated persistently, significantly or permanently, or
4.
other requirements for the accreditation or for the recognition under this Act are not fulfilled.
(4) The validity of the confirmations and removal confirmations issued by an accredited service provider in the framework of the mail box and transit service shall remain unaffected by the prohibition of the operation, the cessation of the activity, the withdrawal or the revocation of an accreditation.
(5) In so far as it is necessary for the performance of the tasks entrusted to the competent authority as a supervisory authority, the accredited service providers and the third parties acting for them in accordance with Section 18 (4) shall allow the competent authority and the persons acting on its behalf to enter the business premises during normal operating hours, shall on request present the relevant books, records, documents and other materials in a suitable manner for inspection, even to the extent that they are kept electronically, and shall provide information and the necessary assistance. Access to De-Mail messages from users by the competent authority as a supervisory authority does not take place. The person responsible for providing information may refuse to provide information if doing so would expose him or her, or one of the relatives referred to in § 383 (1) numbers 1 to 3 of the Code of Civil Procedure, to the risk of prosecution for a criminal offence or of a procedure under the Law on Administrative Offences. He or she must be informed of this right.

§ 21 Information Obligation

The competent authority shall keep the names of the accredited service providers as well as of the foreign service providers according to § 19 accessible to everyone via publicly accessible communication links, specifying the markings used exclusively for the De-Mail services pursuant to § 5 (1) sentence 2 number 1.

Section 6
Final Provisions

§ 22 De-Mail-Standardization Committee

The technical and organisational requirements for the obligations pursuant to §§ 3 to 13 as well as in accordance with § 16 will be further developed with the participation of accredited service providers; this does not apply to requirements which concern the interaction between the accredited service providers as such or the security. To this end, a De-Mail-Standardization Committee will be established, which will include at least all accredited service providers, one representative of each of the two federal associations whose interests are affected, the Federal Office for Security in Information Technology, the Federal Commissioner for Data Protection and Freedom of Information, a representative of the federal states, who is appointed by the IT Planning Council, and a representative of the Council of the Federal Government's IT officers. The decision on which two associations are to belong to the committee is at the discretion of the competent authority. If the Council of the Federal Government's IT officers is dissolved, it shall be replaced by the successor organisation determined by the Federal Government. The committee shall meet at least once a year.

§ 23 Fines

(1) An administrative offence is committed by anyone who, intentionally or negligently,
1.
contrary to § 3 paragraph 1 sentence 3, it does not ensure that only the user can gain access,
2.
contrary to § 3 (3) sentence 1 number 1 first half-sentence or number 2, does not check, or does not check in time,
3.
contrary to § 4 (1) sentence 2, does not ensure that a secure login occurs only in the cases mentioned there,
4.
contrary to § 4 paragraph 3, it does not ensure that a communication link
5.
contrary to § 7, paragraph 2, sentence 1, data referred to there is not deleted or not deleted in time,
6.
contrary to § 10 (1) sentence 1 or paragraph 4 sentence 1, does not block access to a De-Mail account or does not block it in time, or does not dissolve the De-Mail account or does not dissolve it in good time,
7.
contrary to § 11, paragraph 1, sentence 1, does not make a notification, does not make it correctly or does not make it in time,
8.
contrary to § 11, paragraph 1, sentence 3, does not notify a user, does not notify the user correctly or does not notify the user in time,
9.
contrary to § 11 paragraph 2, it does not ensure that the data referred to there remains available,
10.
contrary to § 12, does not allow access to the data referred to therein, or does not provide an indication, does not provide it correctly or does not provide it in good time,
11.
contrary to § 13, paragraph 1, does not create documentation or does not create it correctly,
12.
contrary to § 13, paragraph 2, does not retain documentation or does not retain it for at least 10 years,
13.
contrary to § 15, collects or processes the data referred to there for a different purpose,
14.
contrary to § 16 paragraph 5, uses data for a different purpose, or
15.
contrary to § 17, paragraph 1, sentence 6, refers to the proven security or bears the quality mark.
(2) In the cases referred to in points 5, 6, 13 and 14 of paragraph 1, the administrative offence may be punished with a fine of up to three hundred thousand euros and, in the other cases, with a fine of up to fifty thousand euros.
(3) The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) is the administrative authority within the meaning of Section 36 (1) number 1 of the Code of Administrative Offences.

§ 24 Fees and expenses

(1) Fees and expenses to cover the administrative burden shall be charged by
1.
the competent authority for individually attributable public services in accordance with § § 17, 19, paragraph 2 and § 20 (3) as well as
2.
the Federal Commissioner for Data Protection and the Freedom of Information for issuing the certificate in accordance with § 18 paragraph 3 number 4.
(2) The Federal Ministry of the Interior is authorized to determine, by means of a regulation without the consent of the Federal Council, the chargeable facts referred to in paragraph 1 and the rates of fees in more detail, and in so doing, fixed or time fees. By way of derogation from Section 23 (6) of the Federal Law on Fees, the legal regulation may regulate the reimbursement of expenses. Reductions and exemptions from fees and charges may be allowed.

§ 25 Procedure on a single site

Administrative procedures under this Act can be replaced by a single entity The following: