Electronic Document and Electronic Signature Act Published SG 34/6 April 2001, effective 7 October 2001, amended SG 112/29 December 2001, effective 5

Transcription

1 Electronic Document and Electronic Signature Act Published SG 34/6 April 2001, effective 7 October 2001, amended SG 112/29 December 2001, effective 5 February 2002, SG 30/11 April 2006, effective 12 July 2006, SG 34/25 April 2006, effective 1 July (*) amended in regard to coming into force, SG 80/3 October 2006, effective 3 October Collection of Laws - APIS, book 5/2001, p. 239 Law Library - APIS, volume 12, р. 1, No 15 Chapter one GENERAL PROVISIONS Scope Article 1(1) This Act shall regulate electronic documents, electronic signatures, and the conditions and procedures for the provision of certification services. (2) This Act is not applicable to: 1. transactions for which the law requires the qualified written form; 2. cases where keeping a document or when a copy of it has a legal significance (securities, bills of lading, etc.). Chapter two ELECTRONIC DOCUMENTS AND ELECTRONIC SIGNATURES Electronic declaration Article 2(1) An electronic declaration is a verbal declaration in a digital form expressed via a commonly accepted standard of converting, deciphering, and visual presentation of data. (2) An electronic declaration may contain non-verbal information as well. Electronic document Article 3(1) An electronic document is an electronic declaration recorded on a magnetic, optical or other data carrier, which makes it possible to read the data stored on it. (2) When composing an electronic document, the written form shall be considered retained. Author and holder of an electronic declaration Article 4 The author of an electronic declaration shall be the natural person cited as such within the declaration. The holder of the electronic declaration shall be the person on whose behalf the electronic declaration has been made. Recipient of an electronic declaration Article 5 The recipient of an electronic declaration shall be a person who is by law required to receive electronic declarations or who, who, based on unequivocal circumstances, may be deemed as having given his consent to receive the electronic declaration. Electronic declaration intermediary Article 6(1) An electronic declaration intermediary is a person who is assigned by the holder to send, receive, register or keep electronic declarations or render other services related thereto. (2) Electronic declaration intermediaries shall: 1. have available technical and technological equipment capable of securing the reliability of the systems in use; 2. have personnel with relevant expertise, qualifications, and experience; 3. provide conditions allowing the time and the source of the electronic declarations to be precisely specified; 4. use reliable data storage systems pursuant to item 6(2)(3); 5. store the data referred to in 6(2)(3) for a period of six months. (3) The electronic declaration mediator shall be liable for any damage resulting from a

2 failure to meet his obligations pursuant to 6(2). Errors in electronic declaration transmission Article 7 The holder shall bear the risk of errors in transmitting electronic declarations unless the recipient failed to handle the matter with due care. Receiving electronic declarations Article 8(1) An electronic declaration shall be deemed received when the recipient confirms its receipt. (2) If no deadline for confirming receipt has been set, confirmation must be provided within a reasonable period. (3) Confirmation of receipt does not constitute approval of the contents of the electronic declaration. Time of sending an electronic declaration Article 9 An electronic declaration is sent when the latter arrives in the information system which is not under the control of the author. Time of receiving an electronic declaration Article 10(1) An electronic declaration is deemed received when the recipient sends a confirmation of receipt. (2) Provided that no confirmation is required, an electronic declaration is considered to be received when appears on the information system specified by the recipient. If the recipient has not specified an information system, the declaration shall be deemed received when appears in the information system of the recipient, and if the recipient does not have an information system - when the recipient downloads it from the information system where the declaration arrived. Time for acknowledging an electronic declaration Article 11 The recipient of the electronic declaration shall be deemed to have acknowledged its contents within a reasonable period of its receipt. Place of sending and receiving electronic declarations Article 12(1) An electronic declaration shall be regarded as sent from the place of activity of its holder. (2) An electronic declaration shall be deemed received at the place of activity of its recipient. (3) If both the holder and the recipient of the declaration have more than one place of activity, the place most closely linked to the declaration and its fulfilment shall be deemed the place of activity taking into account the circumstances, which were known to the holder and the recipient or circumstances which have been taken into consideration by the holder and the recipient at all times prior to or during the execution of the declaration. (4) Provided that both the holder and the recipient do not have a place of activity, their permanent place of residence shall be taken into consideration. Electronic signature Article 13(1) An electronic signature is: 1. any information related to the electronic declaration in a manner coordinated between the author and the recipient, which is secure enough for the purpose of the transaction and which: a) identifies the author; b) shows author s approval of the contents of the electronic declaration, and c) prevents the contents of the electronic declaration from being altered; 2. an advanced electronic signature; 3. a universal electronic signature. (2) Electronic signatures pursuant to 13(1) and (2) has the force of a manual signature,

3 unless the holder or the recipient of the electronic declaration is a central or local government agency. (3) Universal electronic signatures shall have the force of a personal signature in all circumstances. The Council of Ministers shall determine which state agencies shall have the right to use another type of electronic signature in their communications. Secrecy of electronic signature creation data Article 14 Only the author shall have access to electronic signature data. Disputing electronic signatures Article 15(1) The stated holder or the author of an electronic signature may not dispute the authorship in relation to the recipient when a declaration is electronically signed, when: 1. the declaration is sent via an information system, designed to operate in an automatic mode, or 2. the declaration is sent by a person who has been given access to the method of identification. (2) 15(1)(2) shall not be applicable as of the moment the recipient receives a notification, that its author has not made the electronic declaration and the recipient has enough time to act accordingly. (3) Paragraph 1 shall not be applicable where the recipient has not shown due care. Chapter three ADVANCED ELECTRONIC SIGNATURE Part I General provisions Definition Article 16(1) An advanced electronic signature is a modified electronic declaration which is included in, added to or logically linked with the same electronic declaration before its modification. (2) The modification pursuant to 16(1) shall be made through algorithms, which comprise the use of a private key of an asymmetric encryption system. (3) The requirements for algorithms shall be laid down by an ordinance of the Council of Ministers. Advanced electronic signature creation and verification devices Article 17(1) Persons who create advanced electronic signatures shall use devices which ensure that: 1. the data used to create the electronic signature can only be reproduced in the process of their creation and they are secure; 2. the data used to create an electronic signature are not accessible, cannot be stolen, and the signature is secured against forgery; 3. the data used to create an electronic signature can be protected by its author against unauthorised use by a third party; 4. the author has an access to the contents of the electronic declaration and the contents remain unchanged until the electronic signature is created. (2) Persons in charge of checking advanced electronic signatures shall use devices to ensure that: 1. the data for verifying the private key used correspond to the data given to the person who uses the public key; 2. the use of the private key is reliably checked and the results of the check have been delivered to the attention of the person who has used the public key.

4 Secrecy of the private key Article 18 Only the author shall have the right to access the private key. Part II Certification service providers Activity of certification service providers Article 19(1) Certification service providers shall be persons who: 1. issue certificates pursuant to Article 24 and keep a certification register; 2. give third parties an access to published certificates. (2) Certification service providers are entitled to provide private and public key creation services for advanced electronic signatures. Organisations for voluntary accreditation Article 20(1) Certification service providers are entitled to establish voluntary accreditation organisations in order to achieve a higher level of certification services. (2) Voluntary accreditation organisations shall assist in recognising the legal force of the certificates issued by Bulgarian providers abroad, as well as certificates issued by foreign providers in the Republic of Bulgaria. (3) The conditions for voluntary accreditation organisation membership shall provide equal opportunities to all providers of certification services. Requirements for the activities carried out by certification service providers Article 21(1) Certification service providers shall carry out their activities by: 1. maintaining available resources allowing them to carry out activities in compliance with the requirements of this Act; 2. obtaining insurance against the risk of liability for damages in their activities under the present Act for the duration of their activity; 3. having technical equipment and technologies which guarantee the reliability of the systems in use as well as the technical and cryptographic security of the operations performed by them; 4. employing staff with the necessary qualifications, expertise, and experience to carry out the activity, particularly in the field of the advanced electronic signature technology, and they must have an excellent knowledge of security procedures; 5. providing conditions to ensure that the time a certificate is issued, revoked, renewed or cancelled can be determined precisely; 6. taking measures against forgery of certificates and breach of confidentiality in the process of generating signature-creation data; 7. use reliable systems to store and manage certificates guaranteeing that: а) only duly authorised personnel can make amendments; b) the authenticity and validity of certificates can be determined; c) there is an option to restrict access to published certificates; d) any technical problem related to security is immediately reported to maintenance staff; e) when a certificate expires, the option for validating a private key is eliminated; 8. allowing certificates to be revoked immediately; 9. promptly notifying the Communications Regulation Commission when commencing pursuant to Article 19. (2) The Council of Ministers shall adopt an ordinance pursuant to Article 1(1), (2) and (3). (3) Certification service providers may not use the data stored by them for any purposes other than those related to their activities. They may only give third parties the information contained in the certificates.

5 Obligations of certification service providers Article 22 Certification service providers shall: 1. issue certificates to anybody requesting one by giving them prior notification of registration pursuant to chapter four and of their participation in a voluntary accreditation organisation; 2. inform the persons applying for certificates of conditions for issuing and using a certificate, including the limitations on its use, and the procedures for filing complaints and resolving disputes; 3. when issuing a certificate, use legal means to verify the identity of the author and the holder of the advanced electronic signature and, if necessary, other data concerning the persons mentioned in the certificate; 4. publish the issued certificate to allow third-party access to it according to the holder s instructions; 5. not store or copy data for creating private keys; 6. take immediate measures to revoke, and terminate a certificate should grounds for such actions arise; 7. promptly notify the author and the holder of any circumstances as may affect the validity and reliability of the issued certificate; 8. keep an advanced electronic signature to be used only in relation to their activity as providers of certification services. Relationship with the holder Article 23 Relations between a certification service provider are subject to a written contract. Part III Certificate Advanced electronic signature certificate Certificate Article 24(1) A certificate is an electronic document issued and signed by the certification service provider containing: 1. (amended SG 34/2006) the name, the address, the personal ID number or the unified identification code of the certification service provider as well as his nationality; 2. (amended SG 34/2006) the personal or trading name, address, and registration data of the holder of the advanced electronic signature; 3. the grounds for the authorisation, and the name and the address of the natural person (the author authorised to make electronic declarations on behalf of the advanced electronic signature holder; 4. the public key corresponding to the advanced electronic signature holder s private key; 5. the identifiers of algorithms by means of which public keys of the advanced electronic signature holder and the certification service provider are used; 6. the date and time of issue, revocation, renewal and termination; 7. the validity period; 8. the limitations on use of the signature; 9. the unique identification code of the certificate; 10. the liabilities and guarantees of the certification service provider; 11. a reference to the advanced electronic signature certificate pursuant to Article 22(8) of the certification service provider as well as to the provider s registration with the Communications Regulation Commission. (2) When the author s authorisation arises from other authorised persons, the certificate shall

6 contain data referring to those persons pursuant to 24(1)(2). (3) Unless otherwise agreed, a certificate shall be valid for three years. (4) The holder and the author shall promptly notify the certification service provider of any amendments to the contents of the certificate. (5) Amendments to the circumstances stated in the certificate shall not come into conflict with bona fide third parties. Issuing certificates Article 25(1) A certification service provider shall issue a certificate at the holder s written request. (2) A request pursuant to 25(1) shall be satisfied, provided that: 1. it has been made by the holder or by a person duly authorised to act on his behalf; 2. the information about the holder which is to be included in the certificate is complete and correct, and 3. the private key: a) is held by the holder; b) is technically suitable for creating an advanced electronic signature, and c) it corresponds to the pubic key in such a way as to verify that a particular advanced electronic signature has been created by the private key. (3) If the required certificate refers to an advanced electronic signature having an author different from the holder, the request shall be satisfied by meeting the requirements as set forth in par. 2, provided that: 1. the author s data to be included in the certificate is also complete and correct, and 2. the private key is held by the author. (4) When fulfilling a request, the certification service provider must require that the holder or the author accept the contents of the required certificate. The provider shall amend the contents of the certificate if the holder or the author finds it to be incomplete or incorrect. (5) The certification service provider shall promptly issue a certificate accepted pursuant to 25(4) by publishing it in the register of certificates. Revoking and renewing a certificate Article 26(1) Unless otherwise agreed, a certification service provider may suspend a certificate issued by him for as long as the circumstances may require, but for no longer than 48 hours, provided that there is are reasonable grounds to believe that the validity of a certificate must be withdrawn. (2) Unless otherwise agreed, the certification service provider shall suspend a certificate issued by him for as long it as the circumstances may require, but for no longer than 48 hours: 1. at the request of the holder or the author, without having to verify their identity or representative power; 2. at request of a representative, an associate, a member or the staff or family member, etc., who has grounds to believe that a security violation may be taking place; 3. at the request of the Communications Regulation Commission. (3) In the event of a direct threat to the interests of a third party or if there is adequate information to indicate a breach of the law the chairman of the Communications Regulation Commission may ask the respective certification service provider to suspend a certificate issued by the latter for as long as it may be required by the circumstances, but for no longer than 48 hours. (4) The certification service provider shall immediately notify the holder and the author of the suspension of their certificate.

7 (5) A certificate will be suspended by blocking access to it. (6) The validity of a certificate shall be renewed: 1. when the maximum suspension time has expired; 2. by the certification service provider where the grounds for the suspension no longer exist at the request of the holder, after the certification service provider or the Communications Regulation Commission ensures that the holder has been notified of the reasons for the suspension and that the request for renewal has been made as a result of the notification. Terminating a certificate Article 27(1) A certificate shall terminate: 1. upon expiry; 2. if a certification service provider who is a natural person dies or is subject to a prohibition order; 3. if a certification service provider which is a legal entity ceases to trade without transferring its activities to another certification service provider. (2) A certification service provider shall revoke a certificate at the request of the holder or the author after verifying the identity and representative power of the holder or the author. (3) A certification service provider shall revoke a certificate when: 1. the holder or the author dies or is subject to a prohibition order; 2. the legal entity of the holder is terminated; 3. the representative power of the author concerning the holder is revoked; 4. the certificate is found to have been issued on the basis of false information. Register of certificates Article 28(1) The certification service provider shall keep an electronic register where the certification of its electronic signature and the certificates issued are published pursuant to Article 22(8). (2) The certification service provider may not restrict the access to the register. Only the author has the right to restrict access to the certificate of his signature. (3) The certification service provider pursuant to 28(1) above, shall also publish in the register information about: 1. the conditions and procedures for issuing certificates, including the rules for determining the advanced electronic signature holder s identity; 2. the certification service provider s security procedures; 3. the method of using the advanced electronic signature; 4. the conditions and procedures for using the advanced electronic signature, including the requirements for storing the private key; 5. the conditions and procedures for accessing the certificate and the means of verifying the advanced electronic signature; 6. the cost of obtaining and using a certificate as well as the cost of other services provided by the certification service provider; 7. the obligations of the certification service provider and the holder of the advanced electronic signature; 8. the conditions and procedures for applying for the revocation of the advanced electronic signature on the part of the holder. (4) The register pursuant to 28(1) shall be kept in accordance with an ordinance issued by the Council of Ministers. Part IV Liability

8 Liability of service providers Article 29(1) A certification service provider shall be liable to the holder of the advanced electronic signature and any other third party for damages due to: 1. failure to comply with the requirements laid down in Article 21 and with the obligations pursuant to Articles 22 and 25; 2. false or incomplete data in the certificate at the time it is issued; 3. the fact that the person who is stated to be the author did not have the private key corresponding to the public key at the time the certificate was issued; 4. lack of conformity between the data necessary to determine the use of the private key and the data submitted to the person using the public key. (2) Any agreement limiting or excluding liability for negligence by the certification service provider shall be deemed null and void. (3) The certification service provider shall not be liable for damages resulting from the use of the certificate outside the scope of limitation of its validity as provided for in its contents. Liability of the holder and the author to third parties Article 30(1) The holder shall be liable to bona fide third parties where he creates a publicprivate key pair using an algorithm which does not conform with the requirements of the ordinance referred to in Article 16(3). (2) The holder shall be liable to bona fide third parties where the author: 1. fails to precisely observe the certification service provider s security requirements; 2. fails to require that the certification service provider suspend the certificate when he is made aware that the private key has been used illegally or there is a possibility of its illegal use. (3) A holder who accepts the certificate when it is issued shall be liable to bona fide third parties: 1. if the author is not authorised to hold the private key which corresponds to the public key stated in the certificate; 2. for false statements made before the certification service provider and related to the contents of the certificate. (4) An author who accepts a certificate at the time of issue shall be liable to bona fide third parties if he has not been duly authorised to apply for the issue of a certificate. Liability of the holder and the author to the certification service provider Article 31 The holder or author shall be liable to the certification service provider where he has accepted the certificate issued by the certification service provider on the basis of false or concealed data. Part V Regulation and control Power of the Communications Regulation Commission Article 32(1) The Communications Regulation Commission shall have the following authority: 1. to check certification service providers for the reliability and security of certification services; 2. to approve user manuals and security procedures; 3. to draft, coordinate, and propose the drafts of ordinances based on this Act for approval by the Council of Ministers. (2) In carrying out its activities, the Communications Regulation Commission shall be entitled to: 1. free access to the premises being checked;

9 2. check the qualifications of certification service provider staff; 3. request of data and documents for the purposes of the control; 4. appoint inspectors to check whether the activities of the certification service providers comply with the requirements of Article 17 and Article 21(1). (3) The Communications Regulation Commission shall maintain and publish a list of the persons referred to in 32(2)(4). (4) The activities of certification service providers, the conditions and procedures for terminating these activities, the requirements as to the form of certificates issued by certification service providers, requirements as to the storage of data connected with services rendered by certification service providers, requirements regarding the contents, form, and sources in regard to the information to be disclosed by the certification service providers, the requirements for persons referred to in 32(2)(4), as well as the conditions and procedures for their inclusion on the list referred to in 32(2)(3) shall be regulated by an ordinance of the Council of Ministers. Chapter four UNIVERSAL ELECTRONIC SIGNATURE Definition Article 33(1) A universal electronic signature is an advanced electronic signature whose certificate has been issued by a certification service providers registered pursuant to Article 34. (2) The following electronic signatures are also defined as universal: 1. the electronic signature of the Communications Regulation Commission, which it uses in signing documents issued on the grounds of its power, delegated to it by law; 2. electronic signatures registered certification service providers pursuant to Article 22(8). Registering body Article 34(1) The Communications Regulation Commission shall register certification service providers and shall keep a register their advanced electronic signature certificates pursuant to Article 22(8). (2) the Communications Regulation Commission shall publish its universal electronic signature certificate in the register referred to in 34(1) and pursuant to Article 33(2)(1). Power of the Communications Regulation Commission concerning registered providers Article 35(1) The Communications Regulation Commission shall have the following powers: 1. to register certification service providers; 2. to decline to register a certification service provider where the latter does not meet the necessary requirements; 3. to strike certification service providers off the register. (2) The Communications Regulation Commission shall issue information related to the public keys of registered certification service providers. This information shall be in an electronic form; it shall contain the certificates, and must be signed by the universal electronic signature of the Communications Regulation Commission. Registration of certification service providers Article 36(1) Applications for registering as a certification service provider shall contain the following: 1. (Amended SG 34/2006) an up-to-date certificate of registration in the commercial register; 2. an insurance policy pursuant to Article 21(1)(2); 3. the rules for issuing certificates including the rules for verifying the identity of the holder of the universal electronic signature;

10 4. the security procedures to be applied to the process of issuing and using universal electronic signatures; 5. the conditions and procedures for using universal electronic signatures including the requirements for storing private keys; 6. the cost of obtaining and using a certificate and the cost of other services rendered by the certification service provider; 7. a declaration of compliance with the requirements of Article 21(1)(1),(3) and (4); 8. documents proving compliance with the requirements of Article 17 and Article 21(1)(5) - 21(1)(8). (2) Applications for registration shall be considered within one month. Registration may be rejected only if the applicant fails to submit the necessary documents, does not meet the requirements as laid down in Article 21(1) and Article 17 or the state fee due has not been paid. (3) A notification of rejection must state all the shortcomings in the application. (4) (Amended SG 30/2006) Rejected applications can be appealed according to the Code of Administrative Procedure. (5) Applicants shall be given the opportunity to correct applications and submit new ones. (6) Registration procedures shall be determined by an ordinance of the Council of Ministers. Striking off a registration Article 37(1) A registration shall be struck off: 1. if the applicant submits false information; 2. in the event of gross or systematic violations of this Act and its by-laws. (2) The activity of registered certification service providers shall be terminated by striking them of the register, unless their activity is transferred to another registered certification service provider. (3) The termination of the activity of a registered certification service provider concerning universal electronic signature certificates shall be regulated by the ordinance referred to in Article 32(4). Register of certification service providers Article 38(1) The register of certification service providers shall be public. Any person may request information about registered certification service providers. (2) Any person may request information about the terms and conditions for registering certification service providers. State fees Article 39(1) State fees shall be collected for registering certification service providers and for providing the information pursuant to Article 35(2). (2) The sate fee shall be based on a tariff approved by the Council of Ministers. Activity of the registered certification service providers Article 40 Registered certification service providers who issue universal electronic signature certificates shall verify the date and time an electronic document signed by the universal electronic signature has been submitted. Chapter five APPLICATION OF ELECTRONIC DOCUMENTS AND UNIVERSAL ELECTRONIC SIGNATURES BY THE STATE AND MUNICIPALITIES Obligation for accepting and issuing electronic documents Article 41(1) The Council of Ministers shall determine which of its subordinated bodies: 1. are not entitled to refuse to accept electronic documents signed by a universal electronic signature;

11 2. are not entitled to refuse to issue permits, licences, approvals, and other administrative documents in a form of an electronic document signed by universal electronic signature. (2) The acceptance and issue of electronic documents signed by a universal electronic signature in the court system shall be regulated by law. (3) The acceptance and issue of electronic documents signed by the universal electronic signatures of state bodies other than those pursuant to 41(1) and (2), as well as those of local government bodies shall be subject to their own separate acts. The rules and the form of creating and storing electronic documents shall be subject to internal rules and procedures. Storing electronic documents Article 42 State bodies and the local government bodies are responsible for storing electronic documents for the storage periods required by the law. Chapter six PERSONAL DATA PROTECTION Personal data protection obligations Article 43(1) The protection of personal data collected by certification service providers for the purpose of carrying out their activities and protecting of registers shall be regulated by a law. (2) The provisions of 43(1) above shall also apply to personal data made available to the Communications Regulation Commission, which shall monitor the activities of the certification service providers in the course of its duties. (3) Certification service providers shall collect personal data of authors and holders of signatures to the extent required for the purpose of issuing and using certificates. (4) Third-party data may be collected only with the explicit consent of the person they refer to. (5) Data collected shall not be used for purposes other than those set out in 43(3), unless the persons they refer to have given their explicit consent or unless it is provided for in law. Chapter seven RECOGNITION OF CERTIFICATES ISSUED BY CERTIFICATION SERVICE PROVIDERS HAVING A DOMICILE ABROAD Authority and rules Article 44(1) Certificates issued by certification service providers located abroad in compliance with the local legislation shall be recognised as equal to certificates issued by Bulgarian certification service providers provided they meet one or more of the following conditions: 1. the obligations of the certification service providers issuing the certificates and the requirements for their activities correspond to the requirements set out in the present Act, and the certification service providers are recognised in the state they are established; 2. they are Bulgarian certification service providers accredited by an organisation pursuant to Article 20 or registered pursuant to Article 34 and have assumed liability for the action or failure to act of the certification service providers located abroad pursuant to Article 29, or 3. the certificates or the certification service providers issuing them are recognised under a valid international treaty. (2) The provisions of 44(1)(1) and (2) above established by the Communications Regulation Commission and published in the electronic register of: 1. public key certificates of foreign certification service providers whose conformity pursuant to 44(1)(1) has been recognised; 2. electronic signature certificates of foreign certification service providers with liability pursuant to 44(1)(2), and electronic signature certificates of the Bulgarian certification service

12 provider who has assumed liability as well as the terms and conditions for assuming liability. Chapter eight ADMINISTRATIVE SANCTIONS Sanctions Article 45(1) A person who commits or allows the commission of a breach of Articles 17, 18, Article 19(1), Article 21(1) and 3, Article 22, Article 24(1) and 2, Article 25(2), 3 and 5, Article 26(2), (3), (4), (5) and (6), Article 27(2) and 3, Article 28(1), (2) and (3), Article 29(1), Article 30(1) shall be subject to a fine of 100 to BGN provided that the act does not constitute a criminal offence. (2) Where the breaches pursuant to 45(1) have been committed by legal entities or sole traders, they shall be subject to a penalty of 500 to BGN. Establishing violations, issuing notices, and issuing penalty notices Article 46(1) Notices of established breaches are drawn up by persons authorised by the Chairman of the Communications Regulation Commission, whereas penalty notices shall be issued by the Chairman or persons duly authorised to act on his behalf. (2) When a violation is established, the persons responsible for issuing notices may keep material evidences related to the established violation pursuant to Article 41 of the Administrative Violations and Sanctions Act. (3) Issuing notices and issuing, appealing, and enforcing penalty notices shall be subject to the Administrative Violations and Sanctions Act. SUPPLEMENTARY PROVISIONS 1. In the meaning of this Act: 1. "qualified written form" is a form showing the validity or proving the declaration, where the law provides for additional requirements to the written form such as notarised signature, notary deed, hand written statement, witnesses or officers witnessing the declaration, etc. 2. "asymmetric encryption system" is a data encryption system which allows a pair of encryption keys to be created and used, and which includes a private key and a public key associated with it by means of an algorithm whereby: a) the contents of a particular electronic declaration can be encrypted by one key, and decrypted by the other key; b) the use of public key makes it possible to determine without doubt whether the initial electronic declaration has been transformed by using the respective private key and whether the electronic declaration has been amended after its transformation; c) if only one of the keys is known, it is practically impossible to find out what the other key is. 3. "an encryption key" is a series of symbols used in an algorithm to transform certain data from a readable form to an encrypted form (encryption) or from an encrypted form to a readable form (decryption). 4. "a public key" is one of the keys in a key pair used in an asymmetric encryption system which is accessible and may be used by any person in order to verify an electronic signature. 5. "a private key" is one of the keys in a key pair used in an asymmetric encryption system to create an electronic signature. 6. "signature creation device" is a configured software or hardware used to implement signature-creation data. 7. "signature data" are unique data such as codes or encryption keys used by the signing person in order to create an electronic signature. FINAL PROVISIONS

13 2. In the Telecommunications Act (published SG 93/1998; amended 26/1999, 10 and 64/2000) Article 22 shall be supplemented by (4): "(4) The State Telecommunications Commission shall register and control activities related to the provision of certification services which include electronic signatures according to the procedures set out in the law." 3. This Act shall become effective 6 months after its publication in the State Gazette. 4. The Council of Ministers shall draft ordinances required by this Act within five months of its publication and adopt them within one month of the Act becoming effective. 5. The Council of Ministers and the State Telecommunications Commission shall be in charge of implementing the present Act. TRANSITIONAL AND FINAL PROVISIONS to the Act Amending the Telecommunications Act (SG 112/2001, effective 5 February 2002) (1) In the Electronic Document and Electronic Signature Act (SG 34/2001) the wording "State Telecommunications Commission" shall be replaced with "Communications Regulation Commission" (*)ACT amending the Commercial Register Act (SG 80/2006, effective 3 October 2006) 1. In 56 of the transitional and concluding provisions the wording "1 October 2006" shall be replaced with "1 July 2007"....