De-Mail Act

Original Language Title: De-Mail-Gesetz


Read the untranslated law here: http://www.gesetze-im-internet.de/de-mail-g/BJNR066610011.html

De-Mail Act (De-Mail-G)
Date of issue: 28.04.2011
Full citation: "De-Mail Act of April 28, 2011 (BGBl. I p. 666), most recently amended by article 3 paragraph 8 of the law of 7 August 2013 (BGBl. I p. 3154)"
Status: last amended by article 3 paragraph 8 of the Act of 7.8.2013 (BGBl. I p. 3154)
For details on the status information, see the remarks in the menu.
Footnote (+++ text record from: 3.5.2011 +++)
The Act was adopted by the Bundestag as article 1 of the Act of 28.4.2011 (BGBl. I p. 666). It entered into force on 3.5.2011 in accordance with article 6 of that Act.
Section 1 General rules

§ 1 De-Mail services
(1) De-Mail services are services on an electronic communication platform that are intended to ensure secure, confidential and traceable business transactions for everyone on the Internet.
(2) A De-Mail service must enable a secure login, the use of a mailbox and shipping service for secure electronic mail, and the use of a directory service; it can additionally provide identity confirmation and document storage services. A De-Mail service is operated by a service provider accredited under this Act.
(3) Electronic communication infrastructures and other applications that serve the secure transmission of messages and data remain unaffected.

§ 2 Competent authority
The competent authority under this Act is the Federal Office for Security in Information Technology.
Section 2 Compulsory and optional offers of the service provider

§ 3 Opening a De-Mail account
(1) By a De-Mail account contract, an accredited service provider undertakes to provide a user with a De-Mail account. A De-Mail account is an area in a De-Mail service that is associated with a user in such a way that it can be used only by that user. The accredited service provider must ensure by technical means that only the user associated with a De-Mail account can gain access to it.
(2) The accredited service provider must reliably establish the identity of the user and, for legal persons, partnerships or public bodies, additionally the identity of their legal representatives or members of their governing bodies. For this purpose it collects and stores the following information:
1. for a natural person: name, place of birth, date of birth and address;
2. for a legal person, partnership or public body: company, name or designation, legal form, registration number (if any), address of the registered office or principal place of business, and the names of the members of the representative body or of the legal representatives; if a member of the representative body or the legal representative is itself a legal person, its company, name or designation, legal form, registration number (if any) and address of the registered office or principal place of business are collected.
(3) Before activating the user's De-Mail account, the accredited service provider must verify the information under paragraph 2:
1. for natural persons
a) on the basis of a valid official identification document that contains a photograph of the holder and satisfies the domestic passport and identification requirement, in particular a domestic passport, identity card or passport or identity card replacement, or one recognised or approved under immigration provisions,
b) on the basis of documents that are equivalent in security to a document referred to in letter a,
c) on the basis of an electronic proof of identity according to § 18 of the Identity Card Act or § 78 paragraph 5 of the Residence Act,
d) on the basis of a qualified electronic signature according to § 2 number 3 of the Signature Act, or
e) on the basis of other appropriate technical procedures offering security equivalent to identification on the basis of the documents referred to in letter a;
2. for legal persons, partnerships or public bodies
a) on the basis of an extract from the commercial or cooperative register or a comparable official register or directory,
b) on the basis of the founding documents,
c) on the basis of documents that are equivalent in evidential value to the documents referred to in letter a or b, or
d) by consulting the register or directory data.
The accredited service provider may create a copy of the official identification document. It must destroy the copy immediately after establishing the information required for the identity of the participant. For identification and verification, the accredited service provider may, with the consent of the user, process or use personal data that it collected at an earlier stage, provided that this data guarantees the reliable identification of the user.
(4) The De-Mail services can be used only after the accredited service provider has activated the user's De-Mail account. The account is activated if
1. the accredited service provider has identified the user, and the identity data of the user and, in the case of paragraph 2 number 2, also of the legal representative or the members of the governing bodies have been collected and successfully verified,
2. the accredited service provider has transmitted to the user, by appropriate means, the credentials necessary for the initial login,
3. the user has given the confirmation pursuant to § 9 paragraph 2,
4. the user has consented to the checking of his messages for malicious software by the accredited service provider, and
5. the user has shown in an initial login that he could successfully use the credentials.
(5) After activating a user's De-Mail account, the accredited service provider must ensure the correctness of the identity data stored for the user. It must check the stored identity data for accuracy at appropriate intervals and correct it if necessary.

§ 4 Login to a De-Mail account
(1) The accredited service provider must allow the user to access his De-Mail account and the individual services with a secure login or, at the request of the user, without such a secure login. For the secure login, the accredited service provider must ensure that, to protect against unauthorized use, access to the De-Mail account is possible only if two appropriate and mutually independent security means are used; where the security means use secrets, their uniqueness and confidentiality must be ensured. Access to the De-Mail account takes place without a secure login if only one security means, typically a user name and password, is used. The user may request that access to his De-Mail account be possible only with a secure login.
(2) The accredited service provider must ensure that the user can choose between at least two procedures for the secure login referred to in paragraph 1 sentence 2. The electronic proof of identity according to § 18 of the Identity Card Act can be used by the user as one procedure for secure login, insofar as he is a natural person.
(3) The accredited service provider must ensure that the communication link between the user and his De-Mail account is encrypted.

§ 5 Mailbox and shipping service
(1) The provision of a De-Mail account includes the use of a secure electronic mailbox and shipping service for electronic messages. For this purpose the user is assigned a De-Mail address for electronic mail, which must contain the following:
1. in the domain part of the De-Mail address, a marker that is used only for De-Mail services;
2. for natural persons, in the local part, the surname and one or more given names or part of the given name or names (main address);
3. for legal persons, partnerships or public bodies, in the domain part, a label that is directly related to their company, name or other designation.
(2) On request, the accredited service provider can also make pseudonymous De-Mail addresses available to the user, insofar as the user is a natural person. The use of a service by the user under a pseudonym must be marked so that it is recognisable to third parties.
(3) The mailbox and shipping service must ensure the confidentiality, integrity and authenticity of the messages. To this end the accredited service provider ensures that
1. communication from one accredited service provider to any other accredited service provider takes place over an encrypted and mutually authenticated channel (transport encryption), and
2. the content of a De-Mail message is transferred in encrypted form from the accredited service provider of the sender to the accredited service provider of the recipient.
The use of continuous encryption between sender and recipient (end-to-end encryption) remains unaffected.
(4) The sender can specify that a secure login according to § 4 is required for the retrieval of the message by the recipient.
(5) The accredited service provider must enable the user to have his secure login within the meaning of § 4 confirmed in the message in such a way that the genuineness of the confirmation is verifiable at any time. To indicate this to the recipient of the message, the accredited service provider of the sender confirms the use of the secure login according to § 4. To do this, it provides the message, on behalf of the sender, with a permanently verifiable qualified electronic signature; if one or more files are attached to the message, the qualified electronic signature also covers them. The confirmation contains, for natural persons, the surname and given names and, for legal persons, partnerships or public bodies, the company, name or designation of the sender in the form in which they are stored pursuant to § 3 paragraph 2. The fact that the sender has used this shipping method must be apparent from the message in the form in which it arrives at the recipient. The confirmation pursuant to sentence 1 is not allowed when a pseudonymous De-Mail address referred to in paragraph 2 is used.
(6) The accredited service provider, with the exception of the service providers pursuant to § 19, is obliged to formally deliver electronic messages according to the rules of procedure and the laws governing administrative service of documents. Within the scope of this obligation, the accredited service provider is vested with sovereign powers (beliehener Unternehmer).
(7) At the request of the sender, the accredited service provider confirms the sending of a message. The shipping confirmation must contain the following information:
1. the De-Mail address of the sender and of the recipient;
2. the date and time of sending of the message from the De-Mail mailbox of the sender;
3. the name and first name or the company of the accredited service provider that generates the shipping confirmation; and
4. the checksum of the message being confirmed.
The accredited service provider of the sender must provide the shipping confirmation with a qualified electronic signature according to the Signature Act.
(8) At the request of the sender, the arrival of a message in the De-Mail mailbox of the recipient is confirmed. For this purpose the accredited service provider of the sender and the accredited service provider of the recipient work together. The accredited service provider of the recipient creates an acknowledgement of receipt. The acknowledgement of receipt contains the following information:
1. the De-Mail address of the sender and of the recipient;
2. the date and time of receipt of the message in the De-Mail mailbox of the recipient;
3. the name and first name or the company of the accredited service provider that generates the acknowledgement of receipt; and
4. the checksum of the message being confirmed.
The accredited service provider of the recipient must provide the acknowledgement of receipt with a qualified electronic signature according to the Signature Act. The accredited service provider of the recipient also sends the acknowledgement of receipt to the recipient.
(9) A public authority that is entitled to formal delivery according to the rules of procedure and the laws governing administrative service of documents may require a pickup confirmation. The pickup confirmation shows that, after receipt of the message in the mailbox, the recipient has logged in securely to his De-Mail account within the meaning of § 4. For this purpose the accredited service provider of the public authority as sender and the accredited service provider of the recipient work together. The accredited service provider of the recipient generates the pickup confirmation. The pickup confirmation must contain the following information:
1. the De-Mail address of the sender and of the recipient;
2. the date and time of receipt of the message in the De-Mail mailbox of the recipient;
3. the date and time of the secure login of the recipient to his De-Mail account within the meaning of § 4;
4. the name and given name or the company of the accredited service provider that generates the pickup confirmation; and
5. the checksum of the message being confirmed.
The accredited service provider of the recipient must provide the pickup confirmation with a qualified electronic signature according to the Signature Act. The accredited service provider of the recipient also sends the pickup confirmation to the recipient. The data referred to in sentence 5 may be processed and used exclusively as evidence of formal delivery within the meaning of § 5 paragraph 6.
(10) The accredited service provider ensures that messages for which an acknowledgement of receipt referred to in paragraph 8 or a pickup confirmation pursuant to paragraph 9 has been issued can be deleted by the recipient without a secure login to his De-Mail account only 90 days after their receipt.
(11) The accredited service provider offers users who are natural persons the option of having a copy of all messages addressed to their De-Mail address forwarded to a De-Mail address specified by the user (forwarding address), without the user having to be logged in to his De-Mail account (automatic forwarding). The user can exclude messages sent to him within the meaning of paragraph 4 from being forwarded. The user may withdraw from the automatic forwarding service at any time. To make use of the automatic forwarding service, the user must be securely logged in to his De-Mail account.

§ 6 Identity confirmation service
(1) The accredited service provider can offer an identity confirmation service. Such a service exists if the user can make use of the identity data stored according to § 3 in order to have his identity securely confirmed electronically to a third party who is also a user of a De-Mail account. The identity data is transmitted by means of a De-Mail message that the accredited service provider sends, on behalf of the user, to the third party with whom the user wishes to share his identity data. The accredited service provider provides the De-Mail message with a qualified electronic signature according to the Signature Act.
(2) The accredited service provider must take precautions so that identity data cannot be forged or falsified.
(3) The competent authority may order the blocking of an item of identity data if facts justify the assumption that the item of identity data was issued on the basis of false information or is not sufficiently safe from forgery.

§ 7 Directory service
(1) At the explicit request of the user, the accredited service provider must publish in a directory service the user's De-Mail addresses, the identity data name and address stored according to § 3, the information required for encrypting messages to the user, and the information about the possibility of the user's secure login according to § 4. The accredited service provider may not make the opening of a De-Mail account for the user conditional on the request by the user pursuant to sentence 1.
(2) The accredited service provider must delete a De-Mail address, an item of identity data or the information necessary for encrypting messages to the user from the directory service without delay if the user requests it, the data was issued on the basis of false statements, the service provider terminates its activity and the activity is not continued by another accredited service provider, or the competent authority orders the deletion from the directory service. Further reasons for deletion can be contractually agreed.
(3) The publication of the De-Mail address in the directory service at the request of the user as a consumer under paragraph 1 does not by itself constitute the opening of access within the meaning of § 3a paragraph 1 of the Administrative Procedure Act, § 36a paragraph 1 of the First Book of the Social Code or § 87a paragraph 1 sentence 1 of the Tax Code. At the request of the user, the accredited service provider must publish in the directory service, by means of a suitable addition, the user's declaration that access is to be opened within the meaning of § 3a of the Administrative Procedure Act, § 36a paragraph 1 of the First Book of the Social Code and § 87a paragraph 1 sentence 1 of the Tax Code. The publication of the De-Mail address of the user as a consumer with this addition in the directory service is deemed to be the opening of access. Sentence 2 applies accordingly to the user's decision to withdraw the opening of access.
(4) § 47 of the Telecommunications Act applies mutatis mutandis.

§ 8 Document storage
The accredited service provider can offer the user a document store for the safe storage of documents. If it offers the document store, it must ensure that the documents are stored safely; the confidentiality, integrity and availability of the stored documents must be ensured. The accredited service provider is required to store all documents in encrypted form. The user can specify, for each individual file, that a secure login according to § 4 is required for access. At the request of the user, the accredited service provider must provide a log of the depositing and removal of documents, which is secured with a qualified electronic signature according to the Signature Act.
Section 3 Use of De-Mail services

§ 9 Explanation and information requirements
(1) Before the first use of the De-Mail account, the accredited service provider must inform the user of the legal consequences and costs of using De-Mail services, in particular of the mailbox and shipping service according to § 5, the directory service according to § 7, the document storage according to § 8, the blocking and dissolution of the De-Mail account according to § 10, the cessation of activities according to § 11, the termination of the contract according to § 12 and the inspection according to § 13 paragraph 3, as well as of the measures that are necessary to prevent unauthorized access to the De-Mail account. This includes information
1. about the possibility and meaning of a secure login according to § 4 paragraph 1 sentence 2, together with a note that access to the De-Mail account without a secure login does not offer the same protection as access with a secure login, and
2. about the content and meaning of the transport encryption according to § 5 paragraph 3 sentence 2 and of the encryption according to § 4 paragraph 3, as well as about the differences between these forms of encryption and end-to-end encryption according to § 5 paragraph 3 sentence 3.
The accredited service provider must also inform the user how De-Mail messages carrying malicious software are handled.
(2) The accredited service provider may allow the first use of the De-Mail account only if the user has received the required information in writing and has confirmed in writing that he has received and taken note of the information referred to in paragraph 1.
(3) Information obligations under other laws remain unaffected.

§ 10 Blocking and dissolution of the De-Mail account
(1) The accredited service provider must block access to a De-Mail account without delay if
1. the user requests it,
2. facts justify the assumption that the data held by the accredited service provider to uniquely identify the user is not sufficiently forgery-proof or that the secure login pursuant to § 4 has defects that allow an unnoticed forgery or compromise of the login process,
3. the competent authority orders the blocking pursuant to paragraph 2, or
4. the conditions of a reason for blocking contractually agreed between the accredited service provider and the user are met.
In the case of sentence 1 number 4, the accredited service provider must carry out the blocking in such a way that the retrieval of messages remains possible; this does not apply insofar as the contractually agreed reason for blocking excludes the retrieval of messages. The accredited service provider must give the users entitled to request blocking a telephone number under which they can immediately have access blocked.
(2) The competent authority may order the blocking of a De-Mail account if facts justify the assumption that the De-Mail account was opened on the basis of false statements, or that the data held by the accredited service provider to uniquely identify the user is not sufficiently safe from forgery, or that the secure login in accordance with § 4 paragraph 1 has shortcomings that allow an unnoticed forgery or compromise of the login process.
(3) The accredited service provider must grant the user access to the De-Mail account again once the reason for blocking no longer applies.
(4) The accredited service provider must dissolve a De-Mail account immediately if the user requests it or the competent authority orders the dissolution. The competent authority may order the dissolution if the requirements of paragraph 2 are met and blocking is not sufficient. An agreement on further reasons for dissolution is invalid.
(5) Before blocking pursuant to paragraph 1 or dissolution pursuant to paragraph 4, the accredited service provider must satisfy itself in an appropriate manner of the identity of the user entitled to request the blocking or dissolution.
(6) In the case of blocking under paragraph 1 sentence 1 numbers 1 to 3, or under paragraph 1 sentence 1 number 4 in conjunction with paragraph 1 sentence 2 second half-sentence, and in the case of dissolution under paragraph 4, the accredited service provider must prevent messages from entering the mailbox of the blocked or dissolved De-Mail account and must notify the sender immediately.
(7) If the De-Mail account is blocked or dissolved at the instigation of the accredited service provider or the competent authority, the user must be informed of the blocking or dissolution. In the cases of paragraph 1 sentence 2 first half-sentence, the accredited service provider is obliged to inform the user that he can receive and retrieve messages despite the blocking.

§ 11 Cessation of activities
(1) The accredited service provider must notify the competent authority of the cessation of its activities without delay. It must ensure that the De-Mail account can be taken over by another accredited service provider. It must inform the affected users immediately of the cessation of its activities and obtain their consent to the takeover of the De-Mail account by another accredited service provider.
(2) If no other accredited service provider takes over the De-Mail account, the accredited service provider must ensure that the data stored in the mailbox and the document store remains available for at least three months from the date of notification of the user.
(3) The accredited service provider must hand over the documentation according to § 13 to the accredited service provider that takes over the De-Mail account as referred to in paragraph 1. If no other accredited service provider takes over the De-Mail account, the competent authority takes over the documentation. In this case, the competent authority provides information from it where there is a legitimate interest, as far as this is possible without disproportionate effort.
(4) The accredited service provider must notify the competent authority without delay of an application for the opening of insolvency proceedings.

§ 12 Termination of contract
The accredited service provider is obliged to give the user access to the data stored in the mailbox and the document store for a period of three months after the end of the contract, and to notify him in writing of its deletion at least one month beforehand.

§ 13 Documentation
(1) The accredited service provider must document all measures taken to ensure the requirements of accreditation and to fulfil the obligations referred to in §§ 3 to 12 in such a way that the data and its genuineness are verifiable at any time. The documentation duty covers the process of opening a De-Mail account, any modification of data that is relevant to the management of a De-Mail account, and any modification of the status of a De-Mail account.
(2) The accredited service provider must keep the documentation referred to in paragraph 1 for the duration of the contractual relationship between it and the user and for ten more years from the end of the year in which the contractual relationship ends. § 3 paragraph 3 sentence 3 applies to copies made of official identification documents.
(3) On request, the user is to be granted inspection of the data relating to him.

§ 14 Protection of minors and consumer protection
In the design and operation of the De-Mail services, the accredited service provider must observe the requirements of the protection of minors and of consumer protection.

§ 15 Data protection
The accredited service provider may collect, process and use personal data from the user of a De-Mail account only as far as this is necessary for the provision of the De-Mail services and their implementation; in addition, the rules of the Telemedia Act, the Telecommunications Act and the Federal Data Protection Act apply.

§ 16 Right to information
(1) An accredited service provider gives a third party information on the name and address of a user if
1. the third party credibly shows that it needs the information to pursue a legal claim against the user,
2. the information relates to a legal relationship between the third party and the user that was established with the use of De-Mail,
3. the third party provides the information needed to establish its identity within the meaning of § 3 paragraph 2,
4. the accredited service provider has verified the accuracy of that information according to § 3 paragraph 3,
5. the request is not abusive, in particular does not serve only the purpose of uncovering a pseudonym, and
6. the legitimate interests of the user do not prevail in the particular case.
(2) To make the credible showing pursuant to paragraph 1 number 1, the third party must transmit to the accredited service provider documents or electronic messages from which the legal relationship to the user results, provided that such documents or messages exist. The accredited service provider must inform the user of the request for information without delay, naming the third party, and give him the opportunity to comment on the request for information, as far as this does not endanger the pursuit of the third party's legal claim in the particular case.
(3) The accredited service provider may require reimbursement of the expenses necessary for providing the information.
(4) § 7 of the Federal Data Protection Act applies mutatis mutandis.
(5) The data obtained from the information may be used only for the purpose specified in the request.
(6) The accredited service provider must document the provision of information referred to in paragraph 1 and inform the user that the information has been provided. The documentation obligation pursuant to sentence 1 covers the request for information together with the information given by the third party under paragraph 1, the decision of the accredited service provider, the identification data of the employee of the accredited service provider who processed the request, the communication of the result to the third party requesting information, the notification of the user about the information, and the respective legal time of the individual processes within the provision of information. The documentation is to be kept for three years.
(7) §§ 13 and 13a of the Act on Injunctions for Consumer Rights and Other Violations remain unaffected.
(8) The rules under other legislation on information from public authorities remain unaffected.
Section 4 Accreditation

§ 17 Accreditation of service providers
(1) Service providers who want to offer De-Mail services must obtain accreditation from the competent authority upon written request. The accreditation is granted if the service provider proves that it meets the requirements under § 18 and if the exercise of supervision over the service provider by the competent authority is guaranteed. Accredited service providers receive a seal of the competent authority. The seal serves as proof of the comprehensively tested technical and administrative security of the De-Mail services. They may designate themselves as accredited service providers. Only accredited service providers may rely on the proven security in business transactions and use the seal. Additional marks can be reserved for accredited service providers.
(2) The request according to § 17 paragraph 1 sentence 1 is to be decided within a period of three months; § 42a paragraph 2 sentences 2 to 4 of the Administrative Procedure Act applies.
(3) The accreditation is to be renewed after significant changes, and after three years at the latest.

§ 18 conditions of accreditation; Evidence (1) service provider can be accredited only, who owns the reliability required for the operation of mail services and expertise 1., 2. meets an appropriate financial security to comply with its legal obligations to the compensation for damage, 3. the technical and organisational requirements for the duties fulfilled according to the articles 3 to 13, as well as according to section 16 in the way, that he provides the services reliably and securely , he interacts with the other accredited service providers and for the provision of the services used exclusively technical devices which are in the territory of the Member States of the European Union or another Contracting State to the agreement on the European economic area, 4 in the design and operation of the mail services meets the data protection requirements.
(2) the service provider have the technical and organisational requirements according to sections 3 to 13, as well as according to § 16 State of the art to meet. Complying with the State of the art is suspected, if the technical guideline 01201 de-mail of the Federal Office for security in information technology by March 23, 2011 (eBAnz AT40 2011 B1) is kept in the version published in the Federal Gazette. Before the Federal Office for security in information technology makes significant changes to the technical guideline, it sounds like the Committee de mail standardisation within the meaning of section 22, and opportunity to comment is here given the Federal Commissioner for data protection and freedom of information, provided that privacy issues are touched.
(3) the conditions referred to in paragraph 1 are as follows shown: 1 the required reliability and expertise by evidence about the personal characteristics, behavior, and the appropriate skills make his or in its operation persons; as proof of the necessary expertise, it is usually sufficient for the task certificates corresponding to the operating or proof of the necessary knowledge, experience and skills presented;
2. damage a sufficient financial security by concluding the waivers, insurance or warranty obligation of credit business with a minimum coverage of EUR 250 000 for a. The financial security can be provided by a) a liability insurance for one within the Member States of the European Union or in another Contracting State to the agreement on the European economic area to conduct business insurance or b authorised) any waivers or warranty obligation one in one of the Member States of the European Union or credit institution authorized in another Contracting State to the agreement on the European economic area to conduct business , if it is guaranteed that it offers comparable safety a liability insurance.
Where the financial security is provided by an insurance policy, the following applies:
a) Article 113, paragraphs 2 and 3, and articles 114 to 124 of the German insurance contract law apply to this insurance.
b) The minimum insurance cover must be 2.5 million euro for each individual insured event. An insured event is every breach of duty by the service provider, regardless of the number of resulting claims. If an annual maximum for all damage caused in one insurance year is agreed, it must be at least four times the minimum insurance sum.
c) The insurance may exclude cover only for claims arising from an intentionally committed breach of duty by the accredited service provider or by any person for whom it is responsible.
d) Agreeing a deductible of up to 1 per cent of the minimum sum insured is permitted;
3. the fulfilment of the technical and organisational requirements for the duties referred to in paragraph 1 number 3, by attestations issued by IT security service providers certified by the Federal Office for security in information technology according to § 9 paragraph 2 sentence 1 of the law on the Federal Office for security in information technology; the interaction with other accredited service providers can be confirmed only after sufficient checks; the security of the services can be confirmed only after a comprehensive examination of the security concept and the deployed infrastructure, which takes place in the context of the award of the attestations; certificates issued at the time of entry into force of the law can be taken into account;
4. compliance with the data protection requirements, by submitting appropriate documentation of the data protection concept for the procedures used and the information technology facilities used; the proof is supplied by the applicant service provider submitting a certificate of the Federal Commissioner for data protection and freedom of information; the Federal Commissioner for data protection and freedom of information grants a certificate on written request of the service provider if the data protection criteria are met; compliance with the data protection criteria is demonstrated by an opinion created by an expert authority for data protection recognised by the Federal Government or a Land, or chartered or Nr.1B,c; the Federal Commissioner for data protection and freedom of information can request supplementary information; the data protection criteria are defined in a set of criteria, which is the responsibility of the Federal Commissioner for data protection and freedom of information and is published by him in the Federal Gazette and also on the Internet or in any other appropriate way; the Federal Office for security in information technology is given the opportunity to comment where IT security issues are touched.
(4) The service provider may commission third parties to perform duties under this Act, provided they are included in its concepts for implementing the requirements of paragraph 1.

§ 19 Equal treatment of foreign services
(1) Comparable services from another Member State of the European Union or another Contracting State to the agreement on the European economic area are assimilated to the services of an accredited service provider, with the exception of such services that are connected with the exercise of public authority, if their provider meets requirements equivalent to article 18, these have been demonstrated to an authority, and the continued existence of these requirements is ensured by a control existing in that Member State or Contracting State.
(2) Verification of the equivalence of the foreign service provider referred to in paragraph 1 is the responsibility of the competent authority. The equivalence of foreign service providers is given if the competent authority has determined that, in the country of origin of the respective service provider, 1. the security requirements for service providers, 2. the modules for service providers, as well as the requirements for the authorities competent for the inspection of services, and 3. the control system offer an equivalent security.
Section 5 Supervision section 20 Supervisory measures
(1) Supervision of compliance with this Act is the responsibility of the competent authority. Upon accreditation, the service provider is subject to the supervision of the competent authority.
(2) The competent authority may take measures with respect to service providers to ensure compliance with this law.
(3) Notwithstanding the existence of attestations within the meaning of § 18 paragraph 3 number 3, the competent authority may temporarily prohibit an accredited service provider from operating, wholly or partially, if facts justify the assumption that 1. a requirement for the accreditation according to § 17 para 1 has ceased to apply, 2. invalid references are used or confirmed for offering mail services, 3. obligations are violated in a sustained, significant or permanent manner, or 4. other requirements for accreditation or recognition under this Law are not met.
(4) The validity of receipt and pickup confirmations issued by an accredited service provider in the context of the mailbox and shipping service is not affected by the prohibition of operation, the cessation of activities, or the withdrawal or revocation of accreditation.
(5) As far as is required to fulfil the tasks entrusted to the competent authority as supervisory authority, the accredited service providers and the third parties acting for them according to § 18 paragraph 4 must allow the competent authority and the persons acting on its behalf to enter the business premises during normal operating hours, must on request present the relevant books, records, documents and other records for inspection in an appropriate manner, even if these are kept electronically, must provide information, and must provide the necessary support. The competent authority as the supervisory authority does not access de-mail messages from users. The party obliged to provide information may refuse to provide it if doing so would expose that party, or any of the relatives referred to in § 383 paragraph 1 number 1 to 3 of the code of civil procedure, to the risk of prosecution for a criminal offence or proceedings according to the law of administrative offences. That party is to be informed of this right.

§ 21 Information obligation
The competent authority has to keep the names of accredited service providers, as well as of the foreign service providers according to § 19, each with an indication of the markings used exclusively for the mail services in accordance with article 5, paragraph 1, sentence 2 number 1, available to everyone via publicly accessible communication links.
Section 6 Final provisions article 22 Committee de mail standardisation
The technical and organisational requirements for the duties according to §§ 3 to 13, as well as according to § 16, are developed with the participation of accredited service providers; this does not apply to requirements relating to the interaction between the accredited service providers as such or to security. For this purpose a de mail Standardization Committee is established, which includes at least all accredited service providers, one representative each of two existing federal umbrella associations whose interests are touched, the Federal Office for security in information technology, the Federal Commissioner for data protection and freedom of information, a representative of the Länder appointed by the IT Planning Council and a representative of the Council of the Federal Government's IT Commissioner. The decision as to which two associations should belong to the Committee is at the discretion of the competent authority. If the Council of the Federal Government's IT Commissioner is dissolved, the successor organization designated by the Federal Government takes its place. The Committee meets at least once a year.

§ 23 Penalty provisions
(1) An administrative offence is committed by any person who intentionally or negligently
1. contrary to section 3, paragraph 1, sentence 3 does not ensure that only the user can gain access,
2. contrary to article 3, paragraph 3, sentence 1 number 1, first half-sentence, or paragraph 2 does not check a specification named there, or does not check it in time,
3. contrary to article 4, paragraph 1, sentence 2 does not ensure that a secure logon is done only in the cases,
4. contrary to § 4 paragraph 3 does not ensure that a communication link is encrypted,
5. contrary to section 7 paragraph 2 sentence 1 does not delete the data named there, or does not delete them in time,
6. contrary to article 10, paragraph 1, sentence 1 or paragraph 4 sentence 1 does not lock access to an email account or does not dissolve the email account, or does not do so in time,
7. contrary to section 11, subsection 1, sentence 1 does not make a notification, or makes it incorrectly or not in time,
8. contrary to section 11, paragraph 1, sentence 3 does not notify a user, or does not do so properly or in a timely manner,
9. contrary to section 11, subsection 2 does not ensure that the referred data remain available,
10. contrary to § 12 does not allow access to the data named there, or does not give an indication, or does not give it properly or in a timely manner,
11. contrary to article 13, paragraph 1 does not create documentation or does not create it correctly,
12. contrary to article 13 paragraph 2 does not keep documentation, or does not keep it for at least ten years,
13. contrary to § 15 collects or processes the data referred to therein for any other purpose,
14. contrary to article 16 paragraph 5 uses the data named there for any other purpose, or
15. contrary to article 17, paragraph 1, sentence 6 invokes the proven security or uses the quality mark.
(2) In the cases of paragraph 1 number 5, 6, 13 and 14 the offence can be punished with a fine of up to three hundred thousand euro, and in other cases with a fine of up to fifty thousand euro.
(3) The administrative authority in the sense of article 36, paragraph 1 number 1 of the code of administrative offences is the Federal Office for security in information technology.

§ 24 Fees and expenses
(1) To cover administrative overhead, fees and expenses are charged by 1. the competent authority, for individually attributable public benefits under sections 17, 19 paragraph 2 and article 20, paragraph 3, and 2. the Federal Commissioner for data protection and freedom of information, for the issuance of the certificate according to § 18 paragraph 3 number 4.
(2) The Federal Ministry of the Interior is authorized to determine by Decree, without the consent of the Federal Council, the chargeable items referred to in paragraph 1 and the fees, and to provide for fixed or time fees. The Ordinance may regulate the refund of expenses by way of derogation from § 23 paragraph 6 of the German fees Act. Discounts and exemptions from fees and expenses can be approved.

§ 25 Procedures through a single point
Administrative procedures under this Act can be handled via a single point.