ELECTRONIC SIGNATURE ACT("Off. Herald of RS", No. 135/2004) |
Article 1
This Act governs the use of electronic signature in legal affairs and other legal actions, business, as well as the rights, commitments and responsibilities with respect to electronic certificates unless otherwise specified by separate acts.
The provisions of this Act apply to communication among authorities, communication between authorities and interested parties, the submission and drafting of a decision of an authority in electronic form in administrative, court and other types of proceedings before a state authority - if the law governing such proceedings provides for the use of electronic signature.
Article 2
Certain terms used in this Act have the following meaning:
1) "Electronic document" - a document in the electronic form used in legal affairs and other legal actions, including administrative, court and other types of proceedings before a state authority;
2) "Electronic signature" - a set of data in the electronic form which is enclosed or logically linked to an electronic document and which serves for identifying the signatory;
3) "Qualified electronic signature" - an electronic signature which reliably guarantees the identity of a signatory, the integrity of electronic documents, and which prevents any subsequent denying the liability for their content, and which meets the requirements laid down under this Act;
4) "Signatory" - a person who possesses tools for electronic signing and executes the electronic signing in his name or on behalf of a legal or natural person;
5) "Data for making of an electronic signature" - unique data, such as codes or private cryptographic keys, which is used by a signatory for the making of an electronic signature;
6) "Tools for making of an electronic signature" - appropriate technical tools (software and hardware) used for making of an electronic signature, with the use of data for making of an electronic signature;
7) "Tools for making of a qualified electronic signature" - tools for making of an electronic signature which meet the requirements specified under this Act;
8) "Data for verification of an electronic signature" - data, such as codes or public cryptographic keys, used to verify and certify an electronic signature;
9) "Tools for verification of an electronic signature" - appropriate technical tools (software and hardware) serving to verify an electronic signature, with the use of data for verification of an electronic signature;
10) "Tools for verification of a qualified electronic signature" - tools for verification of an electronic signature which meet the requirements set out under this Act;
11) "Electronic certificate" - an electronic document which certifies the link between data for verification of an electronic signature and the identity of a signatory;
12) "Qualified electronic certificate" - an electronic certificate issued by a certifying authority in charge of issuing qualified electronic certificates. Such certificate contains the data prescribed by this Act;
13) "User" - a legal person, a sole trader, a state authority, an authority of the territorial autonomy, a local government’s authority or a natural person to whom an electronic certificate is issued;
14) "Certifying Body" - a legal person that issues electronic certificates in conformity with the provisions of this Act.
Article 3
Validity of an electronic document or its power of evidence cannot be challenged only because it is in the electronic form.
Paragraph 1 of this Article is not applicable to:
1) Legal affairs which entail the transfer of ownership of immovable property or those which establish other real estate rights;
2) Statements of interested parties and other participants in inheritance proceedings, a bequest form, contracts on the conveyance and distribution of property during lifetime, personal care agreements, and agreements connected to the act of inheriting, as well as other contracts in the area of inheritance law;
3) Contracts on regulating property relations between spouses;
4) Contracts on disposal of property belonging to persons who have been deprived of their contractual capacity;
5) Contracts on gifts;
6) Other legal transactions or actions for which a separate statute or regulations passed under a statute expressly provide for usage of a handwritten signature on a paper document or certified handwritten signature.
Article 4
If a statute or other regulation specifies that a particular document should be stored, it may be stored also in the electronic form provided that the electronic document is:
1) Accessible and available for later use;
2) Saved in a shape in which it has been made or received;
3) Saved in a manner that allows the identification of time and place of make or receipt, and the maker;
4) Formed by application of a technology and procedures allowing that any change in such electronic document may be identified in a reliable manner.
The obligation to store documents referred to in paragraph 1 of this Article does not apply to data the only goal of which is to enable the receiving or the sending of an electronic document (communication data).
Article 5
Persons who store electronic documents signed electronically shall store the data and tools for verification of the electronic signature for as long as the documents themselves are stored.
II ELECTRONIC SIGNATURE AND QUALIFIED ELECTRONIC SIGNATURE
Article 6
An electronic signature may have the legal force and may be used as evidence in a proceeding regulated by law, save where, in accordance with a separate statute, it is required that only a handwritten signature has the legal force and the power of evidence.
Article 7
A qualified electronic signature shall meet the following requirements:
1) It is exclusively associated with a signatory;
2) It identifies the signatory unequivocally;
3) It is made by use of tools that the signatory can manage independently and which are controlled exclusively by the signatory;
4) It is directly linked to data it refers to, in a manner which unequivocally allows inspection in any change to original data;
5) It is made by use of tools for forming of a qualified electronic signature;
6) It is verified on the basis of a signatory's qualified electronic certificate.
Article 8
Tools for forming of a qualified electronic signature are the tools which shall ensure:
1) That data for forming of a qualified electronic signature may appear only once and that their confidentiality is secured;
2) That data for forming of a qualified electronic signature cannot be obtained from data for verification of a qualified electronic signature at a reasonable time and by means of currently available tools;
3) That a qualified electronic signature is protected from forgery by use of currently available technology;
4) That data for forming of a qualified electronic signature is reliably protected from unauthorized use.
While forming a qualified electronic signature the tools for forming thereof shall not revise data being signed or prevent a signatory from inspecting such data before the process of formation of a qualified electronic signature.
Article 9
Tools for verification of a qualified electronic signature include tools which ensure:
1) Reliable establishing that data used for verification of an electronic signature corresponds to the data shown to the person that conducts verification;
2) Reliable verification of the signature and proper demonstration of verification results;
3) Allowing a reliable inspection of the content of signed data;
4) Reliable verification of authenticity and validity of the signatory's electronic certificate at the time of verification of the electronic signature;
5) Proper demonstration of the identity of the signatory;
6) That any changes in the signed data are reliably discovered.
Article 10
In relation to electronic data a qualified electronic signature has the same legal effect and the power of evidence as the handwritten signature, i.e. handwritten signature and stamp in relation to the data shown on paper.
Article 11
The Ministry competent for information society (hereinafter referred to as: the Competent Authority) prescribes technical and technological procedures for the forming of a qualified electronic signature and criteria that tools for forming of a qualified electronic signature should meet.
III ELECTRONIC CERTIFICATES AND CERTIFYING BODIES
Article 12
An electronic certificate, in terms of this Act, is an electronic confirmation which confirms a link between data for verification of an electronic signature and the identity of a signatory.
Electronic certificates are issued by a certifying body.
The certifying body, in terms of this Act, is a legal person that provides to other legal and natural persons, services of issuing of electronic certificates, as well as other services associated with this activity.
Article 13
Certifying bodies do not need a separate license to issue electronic certificates.
Article 14
The Competent Authority keeps the list of certifying bodies.
Article 15
A certifying body shall report to the Competent Authority the commencement of rendering services of issuing electronic certificates, at least 15 days before the commencement of work.
Article 16
The Competent Authority registers a certifying body immediately after the submission of the application whereby the Competent Authority is notified about the commencement of services.
The Competent Authority prescribes the content and manner of record keeping, application forms for registration, forms for registration of changes as well as the type, content and manner of the submission of documentation required for registration.
Article 17
A qualified electronic certificate, in terms of this Act, is an electronic certificate issued by a certifying body that issues qualified electronic certificates which shall contain the following:
1) Designation indicating that it is a qualified electronic certificate;
2) Set of data that uniquely identifies the legal person issuing a certificate;
3) Set of data that uniquely identifies the signatory;
4) Data for verification of electronic signature which corresponds to the data for making of a qualified electronic signature and which is under the signatory's control;
5) Data on the commencement and expiry of validity of an electronic certificate;
6) Identification mark of an issued electronic certificate;
7) Qualified electronic signature of a certifying body which has issued the qualified electronic certificate;
8) Restrictions relating to the use of a certificate, if any.
Article 18
The certifying body that issues qualified electronic certificates shall meet the following requirements:
1) Ability to reliably provide services relating to the issuing of electronic certificates;
2) Safely and efficient management of the user register as well as carrying out of safe and immediate cancellation of an electronic certificate;
3) Ensuring accurate identification of the date and time when an electronic certificate was issued or cancelled;
4) To verify identity, and, when needed, other additional features at the request of the person who is issued with the certificate, in a reliable manner and in conformity with regulations;
5) To have employees with specialist skills, experience and professional qualifications required for rendering the service of issuing the electronic certificates, and in particular relative to: management skills, expertise in the application of technologies of electronic signature and appropriate security procedures, and safe implementation of appropriate administrative and managerial procedures that are in compliance with recognized standards;
6) To use reliable systems and products which are protected from unauthorized changes and which ensure a technical and cryptographic security of the process;
7) To undertake measures against forgery of electronic certificates, and in cases where it generates data for forming of an electronic signature to guarantee the secrecy of the process of forming such data;
8) To secure financial resources for insurance against risk and liability for possible damage resulting from the provision of service of issuing electronic certificates;
9) To ensure that all relevant information relating to electronic certificates is stored for a prescribed period of time and in the original form;
10) Not to save and not to copy data for forming of an electronic signature for persons on whose behalf such service is provided;
11) To secure systems for the physical protection of devices, equipment and data, and security solutions for the protection from unauthorized access;
12) To inform the persons seeking issuance of a qualified electronic certificate on exact conditions for issuing and use of such certificate, including any restrictions in usage, as well as on procedures for dispute resolution. Such information that may be submitted electronically shall be written and prepared in a comprehensible form in Serbian language. Certain pieces of such information shall be available upon request to third parties who use an electronic certificate;
13) To use a reliable system for managing electronic certificates in a shape that allows their verification so that:
(a) The input and changes could be performed only by authorized persons;
(b) The authenticity of the information contained in the certificate could be verified;
(c) Electronic certificates could be publicly available for searching only in those cases approved by the owner of the certificate;
(d) Any technical change that could violate security requirements could be known to the certifying body.
The Competent Authority specifies the detailed terms and manner of verification of fulfillment of the conditions referred to in paragraph 1 of this Article.
Article 19
The Competent Authority keeps the Register of Certifying Bodies responsible for the issuing of qualified electronic certificates in the Republic of Serbia (hereinafter referred to as: the Register).
The Competent Authority specifies the content and the manner the Register is kept, the manner of the submission of requests for entry in the Register, required documentation attached to the request, request form, as well as the manner of publishing the data from the Register.
Article 20
If the certifying body meets the conditions from Article 18 of this Act, the Competent Authority issues a decree to register it in the Register.
The decree is issued at the request of the certifying body within a term of 30 days from the day of submission of the proper request.
The decree shall include a registration number assigned to the Certifying Body when entered into the Register, as well as the registration date.
The certifying body may begin to provide services of issuing of qualified electronic certificates as of the day of its entry in the Register.
Certifying Bodies entered into the Register may indicate such fact in the issued qualified certificates.
Article 21
A public administration authority may also issue qualified electronic certificates, in accordance with separate regulations.
Article 22
The Register and list of certifying bodies are available to public.
IV RIGHTS, COMMITMENTS AND RESPONSIBILITIES OF USERS AND CERTIFYING BODIES
Article 23
An electronic certificate may be issued to a user at his request whereof a separate contract is concluded.
A user is free to choose a certifying body, save in cases provided for under separate regulations.
A user may use certification services of one or more certifying bodies.
Article 24
A qualified electronic certificate may be issued to any person at his request, subject to undoubtedly established identity and other data on the person having submitted the request.
Article 25
A user shall protect tools and data for formation of an electronic signature from unauthorized access and use, and utilize them in compliance with the provisions of this Act.
Article 26
A user shall submit to the certifying body all necessary data and information on revisions that affect or may affect the accuracy in establishing the identity of a signatory instantaneously, or no later than the period of seven from the day the revision occurred.
A user shall immediately request the revocation of his certificate in all cases of loss or damage of tools or data for formation of an electronic signature.
Article 27
A user is liable for any irregularities arising from failure to fulfill the commitments specified under provisions of Articles 25 and 26 of this Act.
A user may be released from liability in cases where it is possible to prove that the injured party has not undertaken or has undertaken incorrectly actions for verification of an electronic signature and electronic certificate.
Article 28
The certifying body responsible for issuing of qualified electronic certificates shall:
1) Ensure that each issued qualified electronic certificate contains all necessary data in compliance with Article 17 of this Act;
2) Conduct a complete verification of the identity of the user for whom it provides the certification services;
3) Ensure accuracy and comprehensiveness of data entered into records of issued certificates;
4) Enter into each certificate basic data on its own identity;
5) Enable each interested party to inspect the identity data of the certifying body, and to inspect the decree on the issuing of qualified electronic certificates;
6) Keep updated and accurate records of issued electronic certificates, protected by secure measures, which shall be available to public, save in cases where the owner of the certificate expressly requests that his data should not be available to public;
7) Keep accurate and protected by secure measures records of invalid electronic certificates;
8) Ensure visible data on the exact date and time (hour and minute) of the issuing i.e. cancellation of electronic certificates in the records of issued electronic certificates;
9) Act in accordance with the provisions of a statute or other regulations governing the personal data protection.
Article 29
The certifying body responsible for the issuing of qualified electronic certificates shall, before the conclusion of the contract referred to in Article 23, paragraph 1 of this Act, notify the person who has submitted the request for the issuing of a qualified electronic certificate on all significant circumstances regarding its use.
The notification from paragraph 1 of this Article contains:
1) Extract from the content of current regulations, internal rules and other conditions relating to the use of an electronic certificate;
2) Data on possible restrictions of use of an electronic certificate;
3) Data on appropriate legal remedies in the event of a dispute;
4) Data on measures that should be undertaken by certificate users and on the required technology for the safe electronic signing and verification of electronic signatures.
Article 30
The certifying body shall terminate the service of certification, i.e. revoke the issued qualified electronic certificates, in cases where:
1) The revocation of a certificate is demanded by the certificate owner or his proxy;
2) The certificate owner has lost his contractual capacity, or it has ceased to exist, or the circumstances which have a significant impact on the validity of the certificate have changed;
3) It has established that some data in the certificate is incorrect or the certificate has been issued on the basis of incorrect data;
4) It has established that the data for verification of an electronic signature or the information system of the certifying body is jeopardized in a manner that affects the safety and reliability of the certificate;
5) It has established that the data for electronic signing or the information system of the certificate owner is jeopardized in a manner that affects the reliability and the safety of the formation of an electronic signature;
6) It closes its operations or is forbidden continue operation, and the issued certificates are valid.
The certifying body shall keep up to date records of all revoked electronic certificates.
The certifying body shall inform the user on the revocation of the electronic certificate within 24 hours from receiving the notification, i.e. from the arising of circumstances leading to the revocation of the electronic certificate.
Article 31
The certifying body issuing qualified electronic certificates shall keep the complete documentation on issued and revoked electronic certificates as evidence and verification means in administrative, court and other proceedings for a minimum of ten years following the expiry of the validity of qualified electronic certificates.
The data from paragraph 1 of this Article may be stored in electronic form.
Article 32
The certifying body shall notify each user and the Competent Authority on the contract termination resulting from the need, i.e. intention to discontinue operations, at the minimum of three months before such circumstances arise.
The certifying body shall ensure with another certifying body the continuation of performing the services of certification to the users issued with certificates, and if such possibility is non-existent, it shall revoke all issued certificates and immediately notify the Competent Authority about that.
The certifying body which closes its certification activities shall submit complete documentation relating to the certification service to another certifying body to which it transfers its commitments relating to the certification service, i.e. to the Competent Authority if there is no other certifying body.
The Competent Authority shall immediately, at the expense of the certifying body, revoke all certificates issued by the certifying body which has terminated the certification activities for any reason and failed to ensure continued certification with another certifying body and failed to revoke the issued certificates.
Article 33
The Competent Authority shall specify the lowest insurance amount for the protection against the risk and liability for possible damage resulting from the service of the issuing of electronic certificates.
Article 34
The certifying body which issues qualified electronic certificates or guarantees for qualified electronic certificates of another certifying body, shall be accountable for any damage incurred by a person who has relied on such certificate, if:
1) The information contained in a qualified electronic certificate is not accurate at the moment of its issuance;
2) The certificate does not contain all elements prescribed for a qualified electronic certificate;
3) It has not verified whether at the time of issuing of the certificate the signatory possessed the data for the making of the electronic signature which correspond to the data for verification of the electronic signature which has been provided, i.e. identified in the certificate;
4) It does not ensure that the data for the formation and the data for verification of the electronic signature may be used complementarily, in case where such data is generated by the certifying body;
5) It fails to revoke the certificate in line with the provisions of Article 30 of this Act;
6) The certificate does not contain the information on restrictions relating to the use of the certificate which are contained in the contract concluded with the user.
The certifying body is not accountable for the damage from paragraph 1 of this Article if it proves that it has proceeded in conformity with the law and its general and internal rules of operation.
The certifying body is not accountable for the damage resulting from the use of a certificate beyond imposed restrictions, if such restrictions have been clearly indicated in the certificate.
Article 35
Electronic certificates issued by a foreign certifying body are equal to domestic electronic certificates.
Qualified electronic certificates issued by foreign certifying bodies are equal to the domestic ones:
1) If the foreign certifying body has received a decree from the Competent Authority, in accordance with the provisions of Art. 18 and 20 of this Act; or
2) If they originate from a country with which a bilateral agreement on mutual recognition of qualified electronic certificates has been signed.
Article 36
The Competent Authority conducts inspection control of the application of this Act and the operation of certifying bodies.
Supervision of the operation of certifying bodies in the activities of collecting, use and protection of users' personal data is performed by authorities defined by law and other regulations governing the protection of personal data.
Article 37
Within the scope of inspection of registered and listed certifying bodies, the Competent Authority:
1) Determines whether the conditions set by this Act and regulations passed for the implementation of this Act have been fulfilled;
2) Controls the proper implementation of prescribed procedures and organizational and technical measures, implementation of internal rules that are related to the conditions set by this Act and regulations passed for the implementation of this Act;
3) Controls the procedure of the issuing, storing and revocation of electronic certificates;
4) Controls the legality of other services provided by certifying bodies.
Article 38
While conducting inspection of the operation of certifying bodies, authorized persons of the Competent Authority are entitled to and have a duty to:
1) Inspect the records and all documentation related to those operations;
2) Check their business premises, information system, computer network, other equipment, technical documentation, as well as security measures that are undertaken;
3) Inspect the complete documentation in order to secure evidence or exact determination of possible irregularities.
An authorized person of the Competent Authority shall keep as official secret all data on certificates and personal data of a certificate user.
Article 39
An authorized person of the Competent Authority issues a decree to:
1) Ban the use of inadequate procedures and infrastructure, and gives a deadline to the certifying body within which it shall ensure adequate procedures and infrastructure;
2) Provisionally ban operations of a certifying body until it remedies inadequacy of procedures and infrastructure;
3) Orders provisional revocation of a particular or all certificates issued by a certifying body, if there is a reasonable doubt of an inadequate procedure or forgery.
In the event of provisional ban of operations, the certificates issued until the day of occurrence of reasons due to which the ban was ordered, remain valid.
Article 40
If a certifying body for issuing of qualified electronic certificates ceases to meet the conditions prescribed by this Act, the Competent Authority issues a decree on its deletion from the register of certifying bodies for issuing of qualified electronic certificates.
The decree referred to in paragraph 1 of this Article is final and subject to judicial review.
Article 41
A certifying body shall allow authorized persons of the Competent Authority, for the purposes of supervision, to access its business premises and inspect data on operations, to inspect business documentation, to access the users’ register and installed computer equipment and devices.
Article 42
The fine ranging from 100.000 to 400.000 dinars shall be imposed for a misdemeanor on the user - a legal person which:
1) Fails to protect tools and data for forming of an electronic signature from unauthorized access and use and if it does not use them in line with the provisions of this Act (Article 25);
2) Within a prescribed deadline, fails to deliver to a certifying body the required data and information on changes that affect or may affect the accuracy in establishing identity of the signatory (Article 26, paragraph 1);
3) Fails to submit forthwith to the certifying body a request for the revocation of the electronic certificate (Article 26, paragraph 2).
A user - sole trader shall be imposed with a fine ranging from 100.000 dinars to 200.000 dinars for the misdemeanors referred to in paragraph 1 of this Article.
An official of a legal person, state authority, authority of a territorial autonomy and body of a local government authority shall be imposed with a fine ranging from 12.000 to 20.000 dinars for the misdemeanors from paragraph 1 of this Article.
A user - natural person shall be fined for the misdemeanors from paragraph 1 of this Article from 12.000 to 20.000 dinars.
Article 43
The fine ranging from 200.000 to 400.000 dinars shall be imposed for a misdemeanor on a certifying body if:
1) It fails to report to the Competent Authority the commencement of rendering services of issuing electronic certificates (Article 15);
2) It issues a qualified electronic certificate that does not contain all necessary data (Article 17);
3) Stores and copies data for forming of an electronic signature for persons on whose behalf it provides that service (Article 18, paragraph 1, item 10);
4) Fails to inform the user to whom it issues the electronic certificate about all exact conditions for the issuing and use of an electronic certificate (Article 18, paragraph 1, item 12);
5) Fails to meet the commitments set out by Article 28 of this Act;
6) Fails to terminate the service of certification i.e. fails to revoke the issued qualified electronic certificates in specified cases (Article 30, paragraph 1);
7) Fails to keep updated records of all revoked electronic certificates (Article 30, paragraph 2);
8) Fails to notify the user about the revocation of the electronic certificate within the prescribed deadline (Article 30, paragraph 3);
9) Fails to keep complete documentation on issued and revoked qualified electronic certificates within the prescribed deadline (Article 31, paragraph 1);
10) Fails to notify in due time the users to whom it has issued electronic certificates and the Competent Authority on the circumstances that may lead to the termination of certification services (Article 32, paragraph 1);
11) Fails to allow authorized persons of the Competent Authority to access its business premises and to inspect data on operations, to inspect business documentation, to access the Users’ Register, computer equipment and devices (Article 38).
An official of a certifying body shall be imposed for the misdemeanor referred to in paragraph 1 of this Article with a fine ranging from 15.000 to 20.000 dinars.
Article 44
A fine ranging from 200.000 to 400.000 dinars shall be imposed for a misdemeanor - on a legal person if it fails to store data and tools for verification of an electronic signature for as long as the electronic documents themselves are stored (Article 5).
A sole trader shall be imposed with a fine for the misdemeanor referred to in paragraph 1 of this Article ranging from 100.000 to 200.000 dinars.
An official of a legal person, state authority, authority of a territorial autonomy and local government body shall be imposed with a fine for the misdemeanor from paragraph 1 of this Article ranging from 12.000 to 20.000 dinars.
VII TRANSITIONAL AND FINAL PROVISIONS
Article 45
The Competent Authority adopts secondary legislation for the implementation of this Act within a period of three months from the day this Act enters into force.
Article 46
This Act enters into force on the eighth day from the day of its publication in the "Official Herald of the Republic of Serbia".