De-Mail-Law

Original Language Title: De-Mail-Gesetz

Unofficial table of contents

De-Mail-G

Date of completion: 28.04.2011

Full citation:

"De-Mail Act of 28 April 2011 (BGBl. I p. 666), as last amended by Article 3 (8) of the Law of 7 August 2013 (BGBl. I p. 3154)"

Status: Last amended by Art. 3 sec. 8 G v. 7.8.2013 I 3154

Footnote

(+++ Text evidence from: 3.5.2011 +++)

The Act was adopted by the Bundestag as Article 1 of the Act of 28.4.2011 I 666. Pursuant to Article 6 of that Act, it entered into force on 3 May 2011.

Section 1
General provisions

§ 1 De-Mail-Services

(1) De-Mail services are services on an electronic communications platform designed to ensure secure, confidential and verifiable commercial transactions for everyone on the Internet.
(2) A De-Mail service must provide for secure login, the use of a mailbox and shipping service for secure electronic mail, and the use of a directory service, and may additionally provide identity confirmation and document repository services. A De-Mail service is operated by a service provider accredited in accordance with this law.
(3) The electronic communications infrastructure and other applications that serve for the secure transmission of messages and data remain unaffected.

§ 2 Competent Authority

The competent authority under this law is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

Section 2
Mandatory offers and optional services offered by the service provider

§ 3 Opening of a De-Mail account

(1) By means of a De-Mail account contract, an accredited service provider undertakes to make a De-Mail account available to a user. A De-Mail account is an area in a De-Mail service that is assigned to a user in such a way that it can only be used by him. The accredited service provider has the technical means to ensure that only the user assigned to this De-Mail account can gain access to it.
(2) The accredited service provider shall reliably establish the identity of the user and, in the case of legal persons, partnerships or public authorities, additionally the identity of their legal representatives or members of their representative bodies. It shall collect and store the following information:
1.
in the case of a natural person, the name, place of birth, date of birth and address;
2.
in the case of a legal person or a partnership or a public authority, the company, name or other designation, legal form, register number, where available, the address of the registered office or principal place of business and the names of the members of the representative body or of the legal representatives; if a member of the representative body or the legal representative is a legal person, its company, name or other designation, legal form, register number, where available, and the address of its registered office or principal place of business shall be collected.
(3) The accredited service provider shall verify the information provided for in paragraph 2 before the user's De-Mail account has been released:
1.
for natural persons
a)
on the basis of a valid official identity card which contains a photograph of the holder and with which the passport and identification requirement is fulfilled, in particular on the basis of a passport, identity card, or substitute passport or identity card that is domestic or is recognised or approved under the law on foreign nationals,
b)
on the basis of documents which are equivalent to a document referred to in point (a) in terms of their security,
c)
on the basis of an electronic proof of identity in accordance with § 18 of the Identity Card Act (Personalausweisgesetz) or in accordance with § 78 (5) of the Residence Act,
d)
on the basis of a qualified electronic signature in accordance with Section 2 (3) of the Signature Act or
e)
on the basis of other suitable technical procedures offering security equivalent to identification on the basis of the documents referred to in point (a);
2.
in the case of legal persons or partnerships or in the case of public bodies
a)
on the basis of an extract from the trade or cooperative register or from a comparable official register or register,
b)
on the basis of the founding documents
c)
on the basis of documents which are equivalent to the documents referred to in points (a) or (b) in respect of their reference force, or
d)
by inspection of the register or directory data.
The accredited service provider may make a copy of the official identity card. It shall destroy the copy immediately after establishing the information about the user that is required to establish identity. The accredited service provider may, with the consent of the user, also process or use personal data collected at an earlier date in order to establish and verify the identity of the user, provided that such data are reliable.
(4) The use of the De-Mail services is only possible after the accredited service provider has activated the user's De-Mail account. The activation takes place as soon as
1.
the accredited service provider has clearly identified the user and the identity data of the user and, in the case of paragraph 2, point 2, also of its legal representatives or members of its representative body have been collected and successfully verified,
2.
the accredited service provider has provided the user, by suitable means, with the login data necessary for the first login,
3.
the user has given the confirmation in accordance with § 9 (2),
4.
the user has consented to the examination of his messages for malicious software by the accredited service provider, and
5.
the user has shown that he has been able to use the login data successfully in the course of a first registration.
(5) The accredited service provider shall ensure the accuracy of the identity data stored on the user after the activation of the user's De-Mail account. It shall verify the accuracy of the stored identity data at reasonable intervals and, if necessary, correct them.

§ 4 Registration to a De-Mail account

(1) The accredited service provider must enable the user to access his or her De-Mail account and the individual services with a secure login or, at the user's request, without a secure login. For the secure login, the accredited service provider shall ensure that, to protect against unauthorized use, access to the De-Mail account is only possible if two suitable and mutually independent means of securing access are used. If secrets are used as means of securing access, their uniqueness and secrecy shall be ensured. Access to the De-Mail account takes place without a secure login if only one means of securing access, usually user name and password, is used. The user may require that access to his or her De-Mail account be possible only with a secure login.
(2) The accredited service provider must ensure that the user can choose between at least two procedures for the secure login to his or her De-Mail account under the second sentence of paragraph 1. As a procedure for secure login, the user must be able to use the electronic proof of identity in accordance with § 18 of the Identity Card Act (Personalausweisgesetz), insofar as he is a natural person.
(3) The accredited service provider shall ensure that the communication link between the user and his or her De-Mail account is encrypted.

§ 5 Mailbox and shipping service

(1) The provision of a De-Mail account shall include the use of a secure electronic mailbox and shipping service for electronic messages. For this purpose, a De-Mail address for electronic mail is assigned to the user, which must include the following information:
1.
in the domain part of the De-Mail address, a marking which may be used exclusively for De-Mail services;
2.
in the case of natural persons in the local part, their surnames and one or more first names or a part of the first name (main address);
3.
in the case of legal persons, partnerships or public authorities in the domain part, a name which is directly related to their company, name or other name.
(2) The accredited service provider may, upon request, also provide users with pseudonymous De-Mail addresses to the extent that the user is a natural person. The use of a service by the user under a pseudonym must be made recognisable to third parties.
(3) The mailbox and shipping service shall ensure the confidentiality, integrity and authenticity of the messages. To this end, the accredited service provider shall ensure that:
1.
communication from an accredited service provider to each other accredited service provider takes place via an encrypted, mutually authenticated channel (transport encryption) and
2.
the content of a De-Mail message is transmitted in encrypted form by the accredited service provider of the sender to the accredited service provider of the recipient.
The use of continuous encryption between sender and recipient (end-to-end encryption) remains unaffected by this.
(4) The sender can require a secure login according to § 4 for the retrieval of the message by the recipient.
(5) The accredited service provider must make it possible for the user to have his secure login within the meaning of § 4 confirmed in the message in such a way that it can be checked at any time that the confirmation has not been falsified. In order to make this information recognizable to the recipient of the message, the accredited service provider of the sender confirms the use of the secure login in accordance with § 4. For this purpose, it shall, on behalf of the sender, provide the message with a permanently verifiable qualified electronic signature; if the message is accompanied by one or more files, the qualified electronic signature also covers them. In the case of natural persons, the certificate shall contain the name and first names, in the case of legal persons, partnerships or public authorities, the company, name or other designation of the sender in the form in which it is stored in accordance with § 3 (2). The fact that the sender has used this shipping method must be apparent from the message in the form in which it arrives at the recipient. The confirmation in accordance with the first sentence is not permitted when using a pseudonymous De-Mail address in accordance with paragraph 2.
(6) The accredited service provider, with the exception of the service providers according to § 19, is obliged to formally serve electronic messages in accordance with the rules of the process regulations and the laws governing administrative service. To the extent of this obligation, the accredited service provider is equipped with sovereign powers (beliehener Unternehmer).
(7) The accredited service provider confirms the sending of a message at the request of the sender. The shipping confirmation must contain the following information:
1.
the De-Mail address of the sender and the recipient;
2.
the date and time of the shipment of the message from the sender's mail box;
3.
the name and first name or the company of the accredited service provider who produces the shipment confirmation and
4.
the checksum of the message to be confirmed.
The accredited service provider of the sender shall provide the shipping confirmation with a qualified electronic signature according to the Signature Act.
(8) At the request of the sender, the receipt of a message in the recipient's De-Mail mailbox is confirmed. In doing so, the accredited service provider of the sender and the accredited service provider of the recipient act together. The accredited service provider of the recipient creates a confirmation of receipt. The confirmation of receipt shall contain the following information:
1.
the De-Mail address of the sender and the recipient;
2.
the date and time of receipt of the message in the recipient's mail box;
3.
the name and first name or the firm of the accredited service provider who produces the receipt and
4.
the checksum of the message to be confirmed.
The accredited service provider of the recipient shall provide the confirmation of receipt with a qualified electronic signature according to the Signature Act. The accredited service provider of the recipient also sends this confirmation of receipt.
(9) A public body which is entitled to effect formal service in accordance with the rules of the process regulations and the laws governing administrative service may require a pick-up confirmation. From the pick-up confirmation, it follows that after receipt of the message, the recipient has logged in to his De-Mail account securely within the meaning of § 4. In doing so, the accredited service provider of the public body as sender and the accredited service provider of the recipient act together. The accredited service provider of the recipient generates the pick-up confirmation. The pick-up confirmation must contain the following information:
1.
the De-Mail address of the sender and the recipient;
2.
the date and time of receipt of the message in the recipient's mail box;
3.
the date and time of the recipient's secure login to his or her De-Mail account within the meaning of § 4;
4.
the name and first name or the firm of the accredited service provider who produces the pick-up confirmation and
5.
the checksum of the message to be confirmed.
The accredited service provider of the recipient shall provide the pick-up confirmation with a qualified electronic signature according to the Signature Act. The accredited service provider of the recipient also sends this confirmation to the recipient. The data referred to in sentence 5 may only be processed and used for the purpose of proof of formal service within the meaning of § 5 (6).
(10) The accredited service provider shall ensure that messages for which a confirmation of receipt referred to in paragraph 8 or a pick-up confirmation referred to in paragraph 9 has been issued cannot be deleted by the recipient from his or her De-Mail account for 90 days after their receipt.
(11) Users who are natural persons shall be entitled to have the accredited service provider send a copy of all messages addressed to their De-Mail address to a De-Mail address previously specified by the user (forwarding address) without the user having to be logged in to his or her De-Mail account (automatic forwarding). The user may exclude messages sent to him within the meaning of paragraph 4 from being forwarded. The user can cancel the service of automatic forwarding at any time. In order to be able to use the service of automatic forwarding, the user must be securely logged in to his De-Mail account.

§ 6 Identity confirmation service

(1) The accredited service provider may offer an identity confirmation service. Such is the case if the user is able to use the identity data stored in accordance with § 3 in order to have his identity confirmed electronically with respect to a third party, who is also a user of a De-Mail account. The transmission of the identity data takes place by means of a De-Mail message, which the accredited service provider sends on behalf of the user to the third party to whom he wishes to communicate his identity data. The De-Mail message is provided by the accredited service provider with a qualified electronic signature according to the Signature Act.
(2) The accredited service provider shall make arrangements to ensure that identity data cannot be forged or falsified.
(3) The competent authority may order the blocking of an item of identity data when facts justify the assumption that the item of identity data has been issued on the basis of false information or is not sufficiently forgery-proof.

§ 7 Directory Service

(1) The accredited service provider shall, at the express request of the user, publish in a directory service the De-Mail addresses, the identity data stored in accordance with § 3, the name and address, the information necessary for the encryption of messages to the user, and the information on the possibility of the user's secure login in accordance with § 4. The accredited service provider may not make the opening of a De-Mail account for the user dependent on the user making the request under sentence 1.
(2) The accredited service provider shall immediately delete a De-Mail address, an item of identity data or the information necessary for the encryption of messages to the user from the directory service if the user requests this, the data was issued on the basis of false information, the service provider ends its activity and this is not continued by another accredited service provider, or the competent authority orders the deletion from the directory service. Further reasons for a deletion may be contractually agreed.
(3) The publication of the De-Mail address in the directory service at the request, in accordance with paragraph 1, of a user who is a consumer shall not be deemed to be the opening of access within the meaning of § 3a (1) of the Administrative Procedure Act, § 36a (1) of the First Book of the Social Code or § 87a (1) sentence 1 of the Tax Code. At the request of the user, the accredited service provider must, by means of a suitable addition, publish in the directory service the user's declaration that he wishes to open access within the meaning of § 3a of the Administrative Procedure Act, § 36a (1) of the First Book of the Social Code and § 87a (1) sentence 1 of the Tax Code. The publication of the De-Mail address of a user who is a consumer with this addition in the directory service is considered to be an opening of access. Sentence 2 shall apply accordingly to the user's decision to withdraw the opening of access.
(4) § 47 of the Telecommunications Act shall apply accordingly.

§ 8 Document repository

The accredited service provider can offer the user a document repository for the secure filing of documents. If it offers the document repository, it shall ensure that the documents are stored securely; confidentiality, integrity and constant availability of the filed documents must be guaranteed. The accredited service provider is obliged to store all documents in encrypted form. For each individual file, the user can require a secure login in accordance with § 4 for access. At the request of the user, the accredited service provider shall provide a log of the filing and removal of documents, which is secured with a qualified electronic signature according to the Signature Act.

Section 3
Use of De-Mail services

§ 9 Disclosure and information obligations

(1) The accredited service provider shall inform the user, prior to the first use of the De-Mail account, about the legal consequences and costs of the use of De-Mail services, in particular the mailbox and shipping service according to § 5, the directory service according to § 7, the document repository according to § 8, the blocking and dissolution of the De-Mail account in accordance with § 10, the cessation of activity pursuant to § 11, the termination of the contract in accordance with § 12 and the inspection pursuant to § 13 (3), as well as about the measures necessary to prevent unauthorised access to the De-Mail account. This shall include, in particular, information
1.
on the possibility and importance of a secure login in accordance with § 4 (1) sentence 2 as well as an indication that access to the De-Mail account without a secure login does not offer the same protection as with a secure login and
2.
on the content and importance of transport encryption in accordance with § 5 (3) sentence 2 as well as the encryption in accordance with § 4 (3) as well as on the differences between these types of encryption and end-to-end encryption in accordance with § 5 (3) sentence 3.
The accredited service provider must also inform the user about how to deal with malicious De-Mail messages.
(2) The accredited service provider may only allow the first use of the De-Mail account if the user has received the necessary information in text form and confirmed in writing that he has received and noted the information referred to in paragraph 1.
(3) Information obligations according to other laws remain unaffected.

§ 10 Blocking and dissolution of the De-Mail account

(1) The accredited service provider shall immediately block access to a De-Mail account if:
1.
the user requests it,
2.
facts justify the assumption that the data stored with the accredited service provider for the unambiguous identification of the user are not sufficiently forgery-proof or that the secure login according to § 4 has defects which permit unnoticed falsification or compromise of the login process,
3.
the competent authority orders the blocking referred to in paragraph 2, or
4.
the conditions of a ground for blocking contractually agreed between the accredited service provider and the user are met.
In the case of point 4 of sentence 1, the accredited service provider shall carry out the blocking in such a way that the retrieval of messages shall remain possible; this shall not apply insofar as the contractually agreed blocking reason excludes the retrieval of messages. The accredited service provider shall disclose to authorized users a telephone number under which they can immediately initiate a blocking of access.
(2) The competent authority may block a De-Mail account if the facts justify the assumption that the De-Mail account was opened on the basis of false information or that the data provided for the unambiguous identification of the user with the accredited service provider are not sufficiently forgery-proof, or the secure login in accordance with § 4 (1) has defects, which have a
(3) The accredited service provider shall re-grant the user access to the De-Mail account after the end of the blocking reason.
(4) The accredited service provider shall dissolve a De-Mail account immediately if the user requests it or the competent authority orders the dissolution. The competent authority may order the dissolution if the conditions set out in paragraph 2 are met and a blocking is not sufficient. An agreement on further grounds of dissolution shall be ineffective.
(5) The accredited service provider shall, before a blocking pursuant to paragraph 1 or a dissolution as referred to in paragraph 4, be in a suitable way from the identity of the to the blocking or dissolution.
(6) In the event of a blocking pursuant to the first sentence of the first sentence of paragraph 1, point 1 to 3 or the first sentence of the first sentence of paragraph 1 in conjunction with the second sentence of the second sentence of paragraph 1, and the dissolution referred to in paragraph 4, the accredited service provider shall: The receipt of messages to the mailbox of a blocked or dissolved De-Mail account to
(7) If the blocking or dissolution of the De-Mail account takes place at the instigation of the accredited service provider or the competent authority, the user shall be informed of the blocking or dissolution. In the cases referred to in the first sentence of the first subparagraph of paragraph 1, the accredited service provider shall be obliged to inform the user that he/she is able to receive and retrieve messages in spite of a blocking action.

§ 11 Cessation of activity

(1) The accredited service provider shall immediately notify the competent authority of the termination of its activity. It shall ensure that the De-Mail account can be taken over by another accredited service provider. It shall immediately inform the users concerned of the cessation of its activity and obtain their consent to the takeover of the De-Mail account by another accredited service provider.
(2) If no other accredited service provider takes over the De-Mail account, the accredited service provider must ensure that the data stored in the mailbox and in the document repository remain available for at least three months from the date of notification of the user.
(3) The accredited service provider shall hand over the documentation according to § 13 to the accredited service provider who takes over the De-Mail account in accordance with paragraph 1. If no other accredited service provider takes over the De-Mail account, the competent authority shall take over the documentation. In such a case, the competent authority shall, in the event of a legitimate interest, provide information as far as this is possible without disproportionate effort.
(4) The accredited service provider shall notify the competent authority without delay of an application for the opening of insolvency proceedings.

§ 12 Contract Termination

The accredited service provider is obliged to provide the user with access to the data stored in the mailbox and in the document repository for a period of three months after the end of the contract and to notify the user in text form of their deletion at least one month beforehand.

§ 13 Documentation

(1) The accredited service provider shall document all measures taken to ensure the conditions of accreditation and for the performance of the obligations referred to in §§ 3 to 12 in such a way that the data and their unadulterated nature are verifiable at any time. The documentation requirement includes the process of opening a De-Mail account, any change in data relevant to the management of a De-Mail account, as well as any change in the status of a De-Mail account. § 3 (3) sentence 3.
(2) The accredited service provider shall retain the documentation referred to in paragraph 1 for the duration of the contractual relationship between the accredited service provider and the user, as well as for ten additional years from the end of the year in which the contractual relationship ends.
(3) At the request of the user, the user shall be granted access to the data relating to him.

§ 14 Youth and Consumer Protection

The accredited service provider has to comply with the concerns of the protection of minors and consumer protection in the design and operation of the De-Mail services.

§ 15 Data Protection

The accredited service provider may only collect, process and use personal data of the user of a De-Mail account insofar as this is necessary for the provision of the De-Mail services and their implementation; moreover, the provisions of the Telemedia Act, the Telecommunications Act and the Federal Data Protection Act shall apply.

§ 16 Claim for information

(1) An accredited service provider shall provide third parties with information on the name and address of a user, if:
1.
the third party credibly demonstrates that it needs the information to pursue a legal claim against the user,
2.
the information relates to a legal relationship between the third party and the user which has been brought about by using De-Mail,
3.
the third party provides the information necessary for the determination of his identity within the meaning of § 3 (2),
4.
the accredited service provider has verified the accuracy of the information provided for in Article 3 (3),
5.
the request is not legally abusive, in particular not solely for the purpose of uncovering a pseudonym; and
6.
the interests of the user do not outweigh the legitimate interests of the individual.
(2) The third party shall submit to the accredited service provider, in accordance with paragraph 1 (1), electronic messages or documents from which the legal relationship with the user arises, provided that the user is a member of the service provider. The accredited service provider shall inform the user of the request for information without delay and under the name of the third party, and shall give him the opportunity to comment on the request for information, insofar as this is the pursuit of the right to the right to request information.
(3) The accredited service provider may require reimbursement of the expenses required for providing the information.
(4) § 7 of the Federal Data Protection Act shall apply accordingly.
(5) The information obtained may only be used for the purpose specified in the request.
(6) The accredited service provider shall document the information provided in accordance with paragraph 1 and inform the user of the information provided. The documentation requirements referred to in the first sentence shall include the request for information, including the third party referred to in paragraph 1, the decision of the accredited service provider, the identification data of the staff member of the accredited service provider, the communication of the result to the third party requesting information, the communication on the provision of information to the user and the respective legal time for individual processes within the provision of information. The documentation is to be kept for three years.
(7) §§ 13 and 13a of the Act on injunctions in the case of consumer rights and other infringements shall remain unaffected.
(8) The provisions of other legislation regarding information in the case of public authorities.

Section 4
Accreditation

§ 17 Accreditation of service providers

(1) Service providers who wish to offer De-Mail services must be accredited by the competent authority upon written request. Accreditation shall be granted if the service provider proves that it meets the conditions laid down in § 18 and if the exercise of supervision over the service provider by the competent authority is ensured. Accredited service providers shall receive a quality mark from the competent authority. The quality mark serves as proof of the comprehensively tested technical and administrative security of the De-Mail services. They may refer to themselves as accredited service providers. Only accredited service providers are allowed to invoke proven security in commercial transactions and to use the quality mark. Additional markings may be reserved for accredited service providers.
(2) The application pursuant to § 17 (1) sentence 1 shall be decided within a period of three months; § 42a (2) sentences 2 to 4 of the Administrative Procedure Act shall apply.
(3) The accreditation is to be renewed after substantial changes, but at the latest after three years.

§ 18 Conditions of accreditation; proof

(1) The service provider can only be accredited as a service provider.
1.
the reliability and technical expertise required for the operation of De-Mail services;
2.
meets appropriate financial provisions in order to comply with its legal obligations to compensate for damage;
3.
the technical and organisational requirements for the obligations laid down in § § 3 to 13 as well as in accordance with § 16 are fulfilled in such a way that it provides the services reliably and safely, it cooperates with the other accredited service providers and for the provision of services exclusively uses technical equipment situated in the territory of the Member States of the European Union or of any other Contracting State of the Agreement on the European Economic Area,
4.
In the design and operation of the De-Mail services, the data protection requirements are met.
(2) The service providers shall comply with the technical and organisational requirements in accordance with §§ 3 to 13 and § 16 according to the state of the art. Compliance with the state of the art is presumed if the Technical Directive 01201 De-Mail of the Federal Office for Information Security of 23 March 2011 (eBAnz AT40 2011 B1), in the version published in the Federal Gazette, is complied with. Before the Federal Office for Information Security makes substantial changes to the Technical Directive, it shall consult the De-Mail-Standardization Committee within the meaning of § 22, and the Federal Commissioner for Data Protection and Freedom of Information shall be given the opportunity to give an opinion, provided that questions of data protection are affected. (3) The conditions laid down in paragraph 1 shall be established as follows:
1. the required reliability and expertise by means of proof of the personal characteristics, the behaviour and the corresponding abilities of the persons involved in its business; as proof of the required technical knowledge, it is as a rule sufficient if appropriate certificates or evidence of the necessary knowledge, experience and skills are presented for the respective task in the business;
2. a sufficient financial guarantee by the conclusion of insurance or the exemption or guarantee obligation of a credit institution with a minimum coverage of EUR 250 000 each for damage caused. The cover can be provided by:
a) civil liability insurance with an insurance undertaking authorised to operate within the Member States of the European Union or in another State Party to the Agreement on the European Economic Area; or
b) an exemption or guarantee undertaking of a credit institution authorised to operate in one of the Member States of the European Union or in another State Party to the Agreement on the European Economic Area, if it is guaranteed to provide security comparable to civil liability insurance.
To the extent that the financial security is provided by insurance, the following shall apply:
a) § 113 (2) and (3) and §§ 114 to 124 of the Insurance Contract Act apply to this insurance.
b) The minimum amount of insurance must be 2.5 million euros for the individual insurance case. The insurance case is any breach of duty of the service provider, regardless of the number of claims that have been triggered. Where an annual maximum amount is agreed for all damage caused in an insurance year, it shall be at least four times the minimum amount of insurance.
c) Liability can be excluded from the insurance only for compensation claims arising from an intentionally committed breach of duty by the accredited service provider or the persons for whom it is answerable.
d) The agreement of a deductible of up to 1 per cent of the minimum insurance sum is permissible;
3. the fulfilment of the technical and organisational requirements for the obligations within the meaning of paragraph 1 (3) through IT security service providers certified by the Federal Office for Information Security in accordance with § 9 (2) sentence 1 of the Act on the Federal Office for Information Security; the interaction with the other accredited service providers can only be confirmed after sufficient checks; the security of the services can only be confirmed after a comprehensive review of the security concept and the IT infrastructure used; certificates issued at the time of entry into force of the law may be taken into account;
4. the fulfilment of the data protection requirements by the submission of appropriate proof for the data protection concept covering the procedures used and the information technology facilities used; the proof is provided by submitting a certificate from the Federal Commissioner for Data Protection and Freedom of Information; the Federal Commissioner for Data Protection and Freedom of Information shall issue a certificate upon written request from the service provider if the data protection criteria are met; the fulfilment of the data protection criteria shall be demonstrated by an expert opinion drawn up by a competent body for data protection recognised or publicly appointed by the Federal Government or by a federal state; the Federal Commissioner for Data Protection and Freedom of Information can request additional information; the data protection criteria are defined in a criteria catalogue, which is the responsibility of the Federal Commissioner for Data Protection and Freedom of Information and is to be published by the Commissioner in the Federal Gazette and on the Internet or in any other appropriate manner; the Federal Office for Information Security will be given the opportunity to comment on matters relating to IT security.
(4) The service provider may commission third parties for the performance of obligations under this law by including them in its concepts for the implementation of the requirements of paragraph 1.

§ 19 Equality of foreign services

(1) Comparable services from another Member State of the European Union or from another State Party to the Agreement on the European Economic Area, with the exception of services connected with the exercise of public service, shall be treated as equivalent to the services of an accredited service provider if their providers meet conditions equivalent to those of § 18, these have been proven to a competent authority, and the continued fulfilment of these conditions is ensured by a control system existing in that Member State or State Party. (2) The examination of the equivalence of the foreign service provider referred to in paragraph 1 shall be the responsibility of the competent authority. Foreign service providers are equivalent where the competent authority has established that, in the country of origin of the service provider concerned,
1. the security requirements for service providers,
2. the procedures for the examination of service providers and the requirements for the bodies responsible for the audit of the services, and
3. the control system
provide an equivalent level of security.

Section 5
Supervision


§ 20 Supervisory measures

(1) The competent authority shall be responsible for the supervision of compliance with this law. Upon accreditation, service providers become subject to the supervision of the competent authority. (2) The competent authority may take measures with regard to service providers to ensure compliance with this law. (3) For the purposes of § 18 (3) (3), the competent authority may temporarily prohibit an accredited service provider from operating, in whole or in part, if the facts justify the assumption that:
1. a condition for accreditation pursuant to § 17 (1) has ceased to apply,
2. invalid individual proofs for the offering of De-Mail services are used or confirmed,
3. obligations are permanently, substantially or permanently infringed, or
4. other requirements for accreditation or for recognition under this Act are not fulfilled.
(4) The validity of the confirmations issued by an accredited service provider within the scope of the postal service and dispatch service shall remain unaffected by the prohibition of operation, the cessation of the activity, or the withdrawal or revocation of an accreditation. (5) As far as it is necessary to fulfil the tasks assigned to the competent authority as a supervisory authority, the accredited service providers and the third parties operating for them pursuant to § 18 (4) shall allow the competent authority and the persons acting on its behalf to enter the premises during normal operating hours, shall on request present the relevant books, records, supporting documents, papers and other documents for inspection in an appropriate manner, including where they are intended to be used, shall provide information and shall provide the necessary assistance. The competent authority, as a supervisory authority, does not access users' De-Mail messages. The person obliged to provide information may refuse to do so if it would expose him or her, or one of the relatives referred to in Article 383 (1) (1) to (3) of the Code of Civil Procedure, to the risk of prosecution for a criminal offence or of proceedings under the Law on Administrative Offences. He or she must be informed of this right.

§ 21 Information on information

The competent authority shall keep the names of the accredited service providers and of the foreign service providers in accordance with § 19, in each case specifying the markings used exclusively for the De-Mail services in accordance with the second sentence of § 5 (1) (1), retrievable via publicly accessible communication links.

Section 6
Final provisions


§ 22 Committee De-Mail-Standardization

The technical and organisational requirements for the obligations laid down in §§ 3 to 13 and § 16 shall be further developed with the participation of the accredited service providers; this does not apply to requirements which concern the interaction between the accredited service providers as such or relate to security. To this end, a De-Mail-Standardization Committee will be established, to which at least the following belong: all accredited service providers, one representative each of two general associations on the federal level whose interests are affected, the Federal Office for Information Security, the Federal Commissioner for Data Protection and Freedom of Information, a representative of the federal states, who is appointed by the IT Planning Council, and a representative of the Council of the Federal Government's IT officers. The decision on which two associations are to belong to the committee is at the discretion of the competent authority. If the Council of the Federal Government's IT officers is dissolved, the successor organisation determined by the Federal Government shall take its place. The Committee shall meet at least once a year.

§ 23 Penal rules

(1) An administrative offence is committed by anyone who intentionally or negligently
1. does not ensure that only the user is able to obtain access,
2. contrary to the first half sentence or the second subparagraph of point 1 of the first subparagraph of § 3 (3), does not review an indication, or does not review it in time,
3. does not ensure that a secure login is made only in the cases referred to in § 4 (1), second sentence,
4. contrary to § 4 paragraph 3, does not ensure that a communication connection is encrypted,
5. does not delete, or does not delete in time, the data referred to in the first sentence of § 7 (2),
6. contrary to § 10 (1) sentence 1 or paragraph 4, sentence 1, does not block access to a De-Mail account, or does not block it in time, or does not dissolve the De-Mail account, or does not dissolve it in time,
7. contrary to the first sentence of § 11 (1), does not make a notification, or does not make it correctly or in time,
8. contrary to § 11, paragraph 1, sentence 3, does not notify a user, or does not do so correctly or in good time,
9. contrary to § 11 (2), does not ensure that the data referred to therein remain accessible,
10. contrary to § 12, does not make access to the data referred to therein possible, or does not give an indication, or does not do so correctly or in good time,
11. contrary to § 13 (1), does not produce documentation, or does not produce it correctly,
12. contrary to § 13 (2), does not retain documentation, or does not retain it for at least 10 years,
13. contrary to § 15, collects or processes the data referred to therein for a different purpose,
14. uses the data referred to in § 16 (5) for a different purpose; or
15. contrary to § 17 (1) sentence 6, invokes proven security or uses the quality mark.
(2) In the cases referred to in paragraph 1 (5), (6), (13) and (14), the administrative offence may be punishable by a fine of up to three hundred thousand euros and, in the other cases, with a fine of up to EUR 50 000. (3) Administrative authority in the sense of Section 36 (1) (1) of the Code of Administrative Offences is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

§ 24 Fees and charges

(1) To cover administrative burdens, fees and expenses shall be levied by
1. the competent authority for individually attributable public services in accordance with §§ 17, 19 (2) and § 20 (3) and
2. the Federal Commissioner for Data Protection and Freedom of Information for the issuing of the certificate in accordance with § 18 (3) (4).
(2) The Federal Ministry of the Interior is authorized to determine, by means of a regulation without the consent of the Federal Council, the chargeable facts referred to in paragraph 1 and the fee rates, and to provide for fixed or time-based fees. By way of derogation from Section 23 (6) of the Federal Law on Fees, the regulation may regulate the reimbursement of expenses. Reductions and exemptions from fees and charges may be allowed.

§ 25 Procedure on a single body

Administrative procedures under this Act can be carried out through a single entity.