Decree No. 26/2007/ND-CP detailing the implementation of the law on e-transactio đã được thay thế bởi Decree 130/2018/ND-CP on guidelines for of the Law on E-Transactions of digital signatures và được áp dụng kể từ ngày 15/11/2018.
Nội dung toàn văn Decree No. 26/2007/ND-CP detailing the implementation of the law on e-transactio
THE GOVERNMENT | SOCIALIST REPUBLIC OF VIET NAM |
No.: 26/2007/ND-CP | Hanoi, February 15, 2007 |
DECREE
DETAILING THE IMPLEMENTATION OF THE LAW ON E-TRANSACTIONS OF DIGITAL SIGNATURES AND DIGITAL SIGNATURE CERTIFICATION SERVICE
THE GOVERNMENT
Pursuant to the December 25, 2001 Law on Organization of the Government;
Pursuant to the Electronic Transactions Law dated November 29, 2005;
Pursuant to the Ordinance on Handling of Administrative Violations July 02, 2002;
At the proposal of the Minister of Post and Telecommunications,
DECREES:
Chapter 1:
GENERAL PROVISIONS
Article 1. Scope of governing
This Decree details on digital signatures and digital certification, the management, provision, and use of digital signatures certification service.
Article 2. Subjects of application
This Decree shall apply to agencies, organizations, and providers of digital signature certification service and agencies, organizations, individuals choosing to use digital signatures and certification services of digital signatures in electronic transactions.
Article 3. Interpretation of terms
In this Decree, the following terms shall be construed as follows:
1. "Digital certificate" means a form of electronic certificate granted by organizations providing certification services for digital signatures.
2. "Foreign digital certificates" mean digital certificates granted by foreign organizations providing certification services for digital signatures.
3. "Valid certificate" means digital certificate not yet expired; not be suspended or revoked.
4. "Digital signature" means a form of electronic signature created by the transformation of a data message using an asymmetric cryptosystem in which those who have initial data messages and the public keys of the signers can be determined exactly:
a) The above transformation is created by the correct private key corresponding to public key in the same key pair;
b) The integrity of the content of data messages since the implementation of the mentioned above transformation.
5. "Foreign digital signatures" mean digital certificates created by the subscribers using foreign digital certificates.
6. "Certification service of digital signatures" means a service type of electronic signature certification granted by organizations providing certification services for digital signatures. Digital signature certification service includes:
a) Creation of a key pair including public key and private key for subscribers;
b) Issuance, renewal, suspension, restoration and withdrawal of the subscribers’ digital certificates;
c) Online maintenance of database of digital certificates;
d) The other related services as prescribed.
7. "Asymmetric cryptography system" means the cryptographic system which is capable of creating key pair, including the private key and public key.
8. "Key" means a string of binary digits (0 and 1) used in the encryption system.
9. "Private Key" means a key in the key pair of the system of asymmetric cryptography, used to create digital signatures.
10. "Public key" means a key in the key pair of the system of asymmetric cryptography, used to verify digital signatures created by the private key corresponding to the key pair.
11. "Digital signing" means the putting the private key into a software program to automatically generate and add digital signatures to data messages.
12. "Signers" mean the subscribers using their correct private keys to sign into a data message under theirs names.
13. "Recipient" means an organization or individual receiving the data messages digitally signed by the signer, using the signer's digital certificate to verify the digital signature in the data message received and conduct concerned activities or transactions.
14. "Subscriber" means an organization or individual granted digital certificate, accepting digital certificate and holding the private key corresponding to public key recorded on digital certificate granted.
15. "Suspension of digital certificate" means the temporary void of a digital certificate from a specified time.
16. "Revocation of digital certificate" means the permanent void of a digital certificate from a specified time.
17. "The organization providing certification service of digital signatures" means an organization providing certification service of electronic signature implementing activities to provide digital signatures certification service.
Article 4. Organizations providing certification service of digital signatures
Organizations providing certification service of digital signatures include:
1. Organizations providing certification service of public digital signatures mean the organizations providing certification service of digital signatures for agencies, organizations, and individuals to use in the public activities. Activities of organizations providing certification service of public digital signatures are the activities aimed at business.
2. Organizations providing specialized certification service of digital signatures are the organizations providing digital signature certification service for agencies, organizations, and individuals of the same nature of activities or purpose of the work and associated together through the operation charter or legal documents defining the common organizational structure or form of association, collective activities. Activities of organizations providing specialized certification service of digital signatures are the activities aimed to serve the internal transaction needs and not intended for trading.
3. Organization providing national certification service of digital signatures (Root Certification Authority) is the organization providing certification service of digital signatures for organizations providing the public digital signature service. Organization providing national certification service of digital signatures is unique.
Article 5. Policy of development of digital signature certification service
1. The State encourages the use of digital signatures and digital signature certification services in the areas of economy, politic, society to promote the exchange of information and transactions online to improve labour productivity; expand the commercial activities; support administrative reform, increase social utility, improve the quality of life of people and the assurance of security and defense.
2. The State promotes the application of digital signatures and development of digital signature certification service through the key projects aimed at raising awareness; disseminating law; developing application; organizing training of human resources; conducting research, collaboration and transfer of technology related to digital signatures and certification service of digital signatures.
3. The State support activities of organizations providing public certification service of digital signatures through policies of incentives on tax, land, and other incentives.
Article 6. Responsibilities of state management on certification service of digital signatures
1. Ministry of Post and Telecommunications is responsible before the Government in the implementation of state management on certification service of digital signatures, including:
a) Submission to the Government for issuing or promulgation under the authority of the policies, strategy, planning, development plans, and management of digital signature certification service;
b) Issuance under the authority of legal documents on digital signatures and certification service of digital signatures;
c) Presiding over and coordination with the Ministry of Science and Technology, Ministry of Public Security, Government Committee for Cipher to set up and promulgate technical regulations and mandatory standards to apply for digital signatures and certification service of digital signatures;
d) Presiding over and coordination with the Ministry of Public Security, Government Committee for Cipher in the management of organizations providing certification services of digital signatures, including the grant of licenses, certificates of sufficient conditions to ensure safety for digital signatures, certificates of recognition of foreign digital signatures and digital certificates; inspection, examination and handling of violations, and other necessary activities;
đ) Presiding over and coordination with the Ministry of Science and Technology, Ministry of Public Security, Government Committee for Cipher to perform international cooperation on certification service of digital signatures;
e) Establishment and maintenance of operations of the organizations providing the national digital signature certification service.
2. Ministry of Science and Technology, Ministry of Public Security, Government Committee for Cipher, the ministries and other concerned branches, the People's Committees of provinces and cities under central authority within its rights and responsibilities coordinate with the Ministry of Post and Telecommunications to implement the provisions of clause 1 of this Article.
3. Ministry of Public Security is responsible for presiding over the fight and combat against high-tech crime to use digital signatures and certification service of digital signatures.
4. Government Committee for Cipher establishs and maintains the operations of organizations providing specialized certification service of digital signatures for the agencies of the political system.
Article 7. Prohibited acts
1. Provision for certification service of digital signatures and use of digital signatures aimed to fighting against the Socialist Republic of Vietnam, disturbing security and order, social safety, smuggling activities, or conducting other activities contrary to law and social morality.
2. Direct or indirect destruction of the system providing digital signature certification service of organizations providing digital signature certification service; impeding the provision and use of certification service of digital signatures; forging or guiding others to forge digital certificates.
3. Theft; fraud; falsifies; appropriation or illegal use of another person's private key.
4. Buying, selling or transfer of licenses providing public certification service of digital signatures.
Chapter 2:
DIGITAL SIGNATURES AND DIGITAL CERTIFICATES
Article 8. Legal validity of digital signatures
1. Where the law defines that a document required to be signed, the requirement for a data message is considered as met if the data message is signed with digital signature.
2. Where the law defines that a document required to be stamped by the agency, organization, such requirement for a data message is considered as met if the data message is signed by digital signature of the competent person under the provisions of law on the management and use of the seal and such digital signature is ensured safely as stipulated in Article 9 of this Decree.
3. Foreign digital signatures and digital certificates recognized as prescribed in Chapter VII of this Decree are legally valid and effective as digital signatures and digital certificates granted by organizations providing public certification services of digital signatures of Vietnam.
Article 9. Conditions to ensure safety for digital signatures
The digital signatures are considered as safe electronic signatures if they meet the following conditions:
1. The digital signatures are created during the valid period of digital certificates and inspected by the public key recorded on such valid digital certificates.
2. The digital signatures are created by using the private key corresponding to public key recorded on digital certificates granted by the organizations providing national certification service of digital signatures, the organizations providing public certification service of digital signatures, the organizations providing specialized certification service of digital signatures that are granted certificates of sufficient conditions to ensure safety for digital signatures or foreign organizations providing certification service of digital signatures recognized in Vietnam.
3. Private Key is only under the control of the signer at the time of signing.
4. Private Key and content of data message are attached only to the signer as such person signs the data message.
Article 10. The contents of digital certificates
Digital certificates granted by the organizations providing national certification service of digital signatures, the organizations providing public certification service of digital signatures, the organizations providing specialized certification service of digital signatures that are granted certificates of sufficient conditions to ensure safety for digital signatures must include the following contents:
1. Name of the organization providing certification service of digital signatures.
2. Name of subscriber.
3. Sign number of digital certificate.
4. The duration of validity of digital certificate.
5. The subscriber's public key.
6. Digital signature of organization providing certification service of digital signatures.
7. The restrictions on the purpose and scope of use of digital certificate.
8. The restrictions on liability of organization providing certification service of digital signatures.
9. Other necessary contents as prescribed by the Ministry of Post and Telecommunications.
Article 11. Digital certificates of agencies and organizations
1. All state titles, the competent persons of agencies, organizations under the provisions of law on the management and use of seals are entitled to grant digital certificates of value as defined in clause 2 of Article 8 this Decree.
2. Digital certificate granted for the State title, the competent persons of agencies, organizations must be clearly stated the title of that person.
3. The issuance of digital certificates for state titles, the competent persons of agencies, organizations must be based on the following documents:
a) Written request of the agency or organization for grant of digital signature for the competent person or State title;
b) Valid copy of certificate registered seal sample of agency, organization, or State title that has been issued under the provisions of law on the management and use of seals;
c) Valid copy of document certifying the title of the competent person of agency, organization or such State title.
Article 12. Use of digital signatures and digital certificates of agencies and organizations
1. The digital signature of the person who is granted digital certificate under the provisions of Article 11 of this Decree is only used to make transactions according to the person's proper title.
2. The signing by proxy, signing per procuration as prescribed by law made by competent person using its digital signature, is understood based on the title of the signer stated in digital certificate.
Chapter 3:
LICENSING OF PROVISION FOR PUBLIC CERTIFICATION SERVICE OF DIGITAL SIGNATURES
Article 13. Operating conditions
Organizations providing certification service of digital signatures are entitled to provide for public service if they meet the following conditions:
1. Having the licenses to provide for public certification service of digital signatures granted by the Ministry of Post and Telecommunications.
2. Having digital certificates granted by the organizations providing national certification service of digital signatures.
Article 14. The valid time limit of licenses
Licenses granted to organizations providing public certification service of digital signatures are valid not exceeding 10 years.
Article 15. Licensing conditions
1. Condition on subjects:
Being enterprises established under the laws of Vietnam.
2. Financial Condition:
a) Have sufficient financial capacity to establish a system of technical equipment, organization, and maintenance of activities in accordance with the scale of service provision;
b) Depositing at a commercial bank operating in Vietnam or having a guarantee of a commercial bank operating in Vietnam of not less than 5 (five) billion VND, or insurance buying commitments to solve risks and the compensation that may occur during the course of service provision and make payment for expenses receiving and maintaining database of enterprises in the event of withdrawal of licenses.
3. Condition of personnel:
a) Have team of technical staffs, managers, administration staffs, security managers and customer service personnel meeting professional requirements and scale of services deployment of having no criminal records;
b) The legal representative having knowledge of law on digital signatures and certification service of digital signatures.
4. Technical condition:
a) Formulation of technical equipment system must ensure the following requirements:
- Storing fully, accurately and updating information of subscribers for the issuance of the digital certificates during the valid duration of digital certificates;
- Making sure that the creation of the key pair only allows each key pair to be generated randomly and a unique time; ensures private key not be detected when having the respective public key;
- Storing fully, accurately and updating list of digital certificates which are valid and invalid and allowing Internet users to access online 24 hours per day and seven days per week;
- Having ability to detect, alert and prevent any illegal access, forms of attacks in the network environment and comply with the standards of information security;
- Designed by the trend of minimize reduction of the direct contact with the Internet environment;
- Key distribution system for subscribers must ensure the integrity and security of the key pair. In the case of key distribution through a computer network environment, the key distribution system must be used the security protocols to ensure the confidentiality of information on the transmission line.
b) Having feasible technical plans and business plans, consistent with the technical regulations and mandatory standards to apply;
c) Having plans to control the entrance and exit of head offices, the right to access the system, right to enter, exit the place where the equipment is located for providing for certification service of digital signatures;
d) Having contingency plans to maintain the continuous, safe operation, and overcome when the problem occurs;
đ) The entire system of equipment used to service providers is located in Vietnam.
5. Other conditions:
a) Construction of offices, places where the machinery and equipment is located in accordance with the requirements of the law on prevention and combat of fire and explosion; having ability of fighting against floods, earthquakes, electromagnetic interference, illegal intrusion of man;
b) Having public certification regulations in the form of the Ministry of Post, Telecommunications, and contents in accordance with the provisions of this Decree.
Article 16. Dossier of application for license
Dossier requesting for grant of license providing public certification service of digital signature shall be made in 06 sets, each one comprises:
1. A written request for grant of license providing public certification service of digital signature of enterprise.
2. Certificate of business registration or certificate of investment of enterprise in which is stated clearly business line of providing certification service of electric signatures.
3. Charter of the organization and operation of the enterprise.
4. Document evidencing that it meets the financial condition specified in clause 2 of Article 15 of this Decree.
5. Project to provide services include the following main contents:
- The business plan includes scope, objects of service provision, service quality standards; financial plans and other necessary information;
- Technical plan aimed to ensure provisions in clause 4 of Article 15;
- Regulation on certification;
- Detailed information on the person, educational level, and qualifications of personnel will be directly involved in the provision of certification service of digital signatures of the enterprise.
Article 17. Verification and licensing
Within 60 working days from the date of receipt of valid dossier requesting for grant of license, the Ministry of Post and Telecommunications shall preside over and coordinate with the Ministry of Public Security, Government Committee for Cipher and the concerned ministries, branches to verify dossier. Where enterprise meets fully the licensing conditions in Article 15, the Ministry of Post and Telecommunications will issue license for enterprise. In case of refusal, the Ministry of Post and Telecommunications shall send written notice and stating clearly the reasons.
Article 18. Change of the contents of the licenses and license reissuance
1. When wishing to change the contents of licenses, organization providing public certification service of digital signature must send dossier requesting for change of content of license providing public certification service of digital signature to the Ministry of Post and Telecommunications.
2. Dossiers of application for the license change is made in 06 sets, each set comprises: a written request to change the contents of the license; a copy of the valid license; report on operation situation and reasons for changing license’s content; detailed content of the proposal to modify and other necessary documents.
3. Within 60 working days from the date of receipt of dossier requesting for change of content of the valid license, the Ministry of Post and Telecommunications shall preside over and coordinate with the concerned ministries, branches to verify the dossier and inspect the reality if needed. Where proposal for change of content of the license still meets fully the licensing conditions stipulated in Article 15, the Ministry of Post and Telecommunications will issue new license for the enterprise. Where proposal for change of content of the license does not meet fully the licensing conditions, the Ministry of Post and Telecommunications shall send written notice and stating clearly the reasons.
4. In case of reorganization, organizations providing public certification service of the digital signatures must report to the Ministry of Post and Telecommunications for consideration of change of license’s content; the procedures to change shall comply with provisions in clause 2, clause 3 of this Article.
5. Where the licenses are lost, torn, burnt, or destroyed in other forms, organizations providing public certification service of digital signatures shall be regranted licenses. For being regranted licenses, organizations providing public certification service of digital signatures must send a written request stating the reasons for requesting regrant of the licenses to the Ministry of Post and Telecommunications and pay fees.
Article 19. Renewal of license
1. When wishing for renewal of the license, organization providing public certification service of digital signature granted license must submit an application for license renewal 60 days before the license expires.
2. Dossier requesting for license renewal shall be made in 02 sets, each set comprises: a written request for license renewal, a copy of the valid license, report on operation situation and results of examination and inspection of service providing operation in the latest three years.
3. Within 60 days from the date of receiving the valid dossier, the Ministry of Post and Telecommunications verifies and considers the renewal of license. Where agreed, the Ministry of Post and Telecommunications will extend the license for the enterprise. In case of refusal, the Ministry of Post and Telecommunications shall send written notice stating the reasons.
4. License is extended only one time and the time for extension does not exceed one year.
Article 20. Suspension or revocation of licenses
1. Organizations providing public certification service of digital signatures shall be suspended their licenses upon the occurrence of one of the following cases:
a) Provision of false service with content stated in the license;
b) Failure to meet one of the licensing conditions in the process of service provision;
c) Other conditions as prescribed by law.
2. Organizations providing public certification service of digital signatures shall be revoked their licenses upon the occurrence of one of the following cases:
a) Failure to provide for service within 12 months from the date granted license without any legitimate reason;
b) Being dissolved or declared bankrupt in accordance with provisions of relevant laws;
c) The license to provide the public certification service of digital signatures has expired;
d) Failure to overcome the temporary suspension conditions specified in clause 1 of this Article after the period of temporary suspension fixed by the state agencies.
3. Organization providing public certification service of digital signatures revoked its license is responsible for agreement to hand over the database relating to the provision of its service to another organization providing public certification service of digital signatures that is operating within a period of not exceeding 90 days from the date of revocation of license. In the absence of agreement, it shall be reported to the Ministry of Post and Telecommunications for consideration and settlement.
4. The costs of receiving and maintaining databases of organization providing public certification service of digital signatures revoked its license shall be taken from deposit or guarantee or insurance of such organization providing certification service of digital signatures.
Chapter 4:
OPERATIONS OF THE ORGANIZATIONS PROVIDING PUBLIC CERTIFICATION SERVICE OF DIGITAL SIGNATURES
Article 21. Dossier requesting for issuance of digital certificates
Dossier requesting for issuance of digital certificates includes:
1. The application for grant of digital certificates in the form of organizations providing public certification service of digital signatures.
2. The attached papers include:
a) For individual: a valid copy of identity card, passport, or other lawful personal identification;
b) For the organization: a valid copy of the establishment decision or certificate of business registration or other equivalent documents of the organization; the letter of authorization and a valid copy of identity card, passport or other lawful personal identification of authorized representative of the organization;
c) Other documents as prescribed in the Regulations of certification of the organization providing public certification service of digital signatures.
Article 22. Creation of the key and key distribution
1. A pair of key of organizations and individuals applying for digital certificates can be created by:
a) Organizations and individuals applying for digital certificates;
b) Organizations providing public certification services of digital signatures based on the written request of organizations or individuals applying for digital certificates.
2. Where individual applying for digital certificate creates key pair, organization providing public certification services of digital signatures needs to make sure that such person has used equipment according to prescribed standards to create and store the key pair.
3. Where organization providing public certification service of digital signatures creates key pair, such organization must use safe methods to transfer the private key to the organization or individual applying for digital certificate and is only saved a copy of the private key when organization or individual applying for digital certificate requests in writing.
Article 23. Issuance of digital certificates
1. Organizations providing public certification service of digital signatures issue digital certificates as being inspected the following contents:
a) Information declared in dossier is correct;
b) Public key on the digital certificate will be issued as a unique and the same pair with private key of organization, individual applying for digital certificate.
2. Digital certificates are only issued to the applicants and must contain all the information prescribed in Article 10 of this Decree.
3. Organizations providing public certification service of digital signatures are only publicized the digital certificates issued to subscribers on the basis of data on their digital certificates after having confirmation of the subscription for the accuracy of the information on the digital certificates; time to announce is no later than 24 hours after the confirmation of subscription, unless otherwise agreed.
4. Organizations providing public certification service of digital signatures are not refused to issue digital certificates to organizations or individuals applying for digital certificates without legitimate reason.
Article 24. Renewal of digital certificates
1. At least 30 days prior to the expiration of the digital certificates, if wishing for extension of their subscriptions, it must have written requests for renewal of digital certificates.
2. In case of changing the public key on the digital certificates extended, the subscribers must indicate clearly in the written requests; the creation of key, key distribution and publication of digital certificates may be extended to implement according to the provisions in Article 22, Article 23 of this Decree.
Article 25. Change of the key pair
In the case of subscribers’ wishing for changing the key pair, subscribers must apply to change the key pair. The key creation, key distribution, and publication of digital certificates with the new public key comply with the provisions in Article 22, Article 23 of this Decree.
Article 26. Suspension of digital certificates
1. Digital certificates are suspended upon the occurrence of one of the following cases:
a) When the subscribers request in writing and these requests were verified as accurate by organizations providing public certification service of digital signatures;
b) When the organizations providing public certification service of digital signatures have grounds to assert that digital certificates issued not in compliance with the provisions of Article 22, Article 23 of this Decree or detecting any errors that affect the interests of subscribers and the recipients;
c) Upon request of the agencies proceeding procedures, security agencies or the Ministry of Post and Telecommunications;
d) As the condition of suspension of digital certificates have been provided in the contracts between the subscribers and service providing organizations.
2. When there are grounds to suspend digital certificates, organizations providing public certification service of digital signatures must conduct the temporary suspension, and immediately notify the subscribers and publish in the database of certificates on the suspension, the starting and ending time of the suspension.
3. Organizations providing public certification service of digital signatures shall restore digital certificates when having no longer grounds for suspension of certificates or the period of suspension upon request has expired.
Article 27. Revocation of digital certificates
1. Digital certificates are revoked in the following cases:
a) When the subscribers request in writing and these requests were verified as accurate by organizations providing public certification service of digital signatures;
b) When subscriber as individual was dead or was declared missing by the declaration of court or the subscriber as an organization was dissolved or declared bankrupt according to law regulations;
c) Upon request of the agencies proceeding procedures, security agencies or the Ministry of Post and Telecommunications;
d) As a condition to revoke digital certificate as stipulated in the contract between the subscriber and organization providing public certification service of digital signatures.
2. When there are grounds to revoke digital certificates, organizations providing public certification service of digital signatures must conduct the revocation of digital certificates, and immediately notify the subscribers and publish in the database of certificates on the revocation.
Article 28. Issuance of timestamp
1. Issuance of timestamp is the attachment of information on the date and month, year and time in the data message.
2. Organizations providing public certification service of digital signatures have the rights to provide the service of timestamp issuance. The supply of service of timestamp issuance must comply with technical regulations and mandatory standards to apply to the service of timestamp issuance.
3. Date, month, year and time is attached to the data message is the date, month, year and time that organizations providing public certification service of digital signatures receive such data messages. Date, month, year and time is attached to a data message must be digitally signed by organizations providing public certification service of digital signatures.
4. Date, month, year and time attached to the data messages complying with the provisions of clauses 1, 2, 3 of this Article are recognized by law.
Chapter 5:
RIGHTS AND OBLIGATIONS OF THE PARTIES TO PROVIDE AND USE PUBLIC CERTIFICATION SERVICES OF DIGITAL SIGNATURES
ITEM 1: RIGHTS AND OBLIGATIONS OF ORGANIZATIONS PROVIDING THE PUBLIC CERTIFICATION SERVICES OF DIGITAL SIGNATURES
Article 29. Obligations in the storage and use of information of organizations, individuals applying for digital certificates
1. Organizations providing public certification service of digital signatures are obliged to store information concerning the persons of organizations and individuals applying for digital certificates confidentially, safely, and only used this information for the purposes related to digital certificates, unless otherwise agreed or otherwise provided by law.
2. Compensation for the subscribers and the recipients in the following cases:
a) The damage occurs as a result of exposing information of the subscriber that the organization is obliged to store confidentially;
b) The damage occurs as a result of the recording on the digital certificates the inaccurate information compared with the information supplied by subscribers.
Article 30. Obligations related to issuance of digital certificates
To ensure legal rights for subscribers, organizations providing public certification service of digital signatures are obliged as follows:
1. Instruct in writing to organizations and individuals applying for digital certificaties before signing the digital certificate contracts the following information:
a) Scope and limitations of use, confidentiality levels, fees and charges for the provision and use of the type of digital certificate that the person applying and other information likely to affect the interests of the organizations and individuals applying for digital certificates;
b) Requirements to ensure safety in storage and use of the private key;
c) Procedures for complaints and resolution of disputes;
d) Other contents decided by organizations providing public certification service of digital signatures.
2. Formulate model contracts used for the operation of issuance of digital certificates.
3. Ensure safety during the creation and transfer of digital certificates to subscribers.
4. Take responsibility before the subscribers and the recipients of the accuracy of the information on digital certificates.
5. Compensate for the subscriber and the recipient when damage occurs as a result of the digital certificate which has been issued contrary to the provisions of this Decree.
Article 31. Obligations related to renewal of digital certificates
1. Upon receiving a request for renewal of subscription according to provisions in Article 24 of this Decree, organization providing public certification service of digital signatures is obliged to complete the procedures for renewal of digital certificate before subscriber’s digital certificate expires.
2. Organizations providing public certification service of digital signatures are liable for paying compensation to subscribers and recipients if there is any damage caused by violation of clause 1 of this Article.
Article 32. Rights and obligations relating to the suspension and recovery of digital certificates
Organizations providing public certification service of digital signatures are obliged to:
1. Ensure information channel to receive request for suspension of digital certificates to operate 24 hours per day and seven days per week.
2. Store all information relating to the suspension of digital certificates in a period of at least five years, since digital certificates have been suspended.
3. During the suspension of digital certificates, organizations providing certification service of digital signatures must fulfill the obligations related to the confidential storage of personal information and private key of the subscribers under provisions of this Decree.
4. Pay compensation for damage to the concerned parties in case damages occur as a result of the failure to comply with the provisions of clauses 2, 3, Article 26 of this Decree.
Article 33. Obligations related to revocation of digital certificates
Organizations providing public certification service of digital signatures have obligations as follows:
1. Ensure information channel to receive request for revocation of digital certificates to operate 24 hours per day and seven days per week.
2. Store all information relating to the revocation of digital certificates, and the digital certificates revoked in a period of at least five years, since digital certificates have been revoked.
3. Keep secret the private key of the subscriber in the case subscriber authorizes and store information related to the subscriber's digital certificate for a period of at least five years, since digital certificate has been revoked.
4. Pay compensation for damage to the concerned parties in case damages occur as a result of the failure to comply with the provisions of Article 27 of this Decree.
Article 34. Obligations related to key management activities
Organizations providing public certification service of digital signatures have obligations as follows:
1. Ensure to keep secret the entire process of creation of the key pair in the case of key pair creation for organizations and individuals applying for digital certificates.
2. Make use of all the facilities and with the best efforts to notify subscribers and adopt measures to prevent and correct promptly in case of detecting exposure signals of the subscribers’ private keys, not longer be the integrity or any other error that adversely affects the interests of subscribers.
3. Recommend the subscribers on the change of key pairs as needed to ensure reliability and high security for the key pairs.
4. Pay compensation for damage to the subscribers and the recipients if damage occurs as a result of the exposure of process of the key pairs creation, the subscribers' private keys in the transfer process, or store the subscribers’ private keys in case organizations providing certification service of digital signatures keep the subscribers' private keys.
Article 35. The obligations to suspend of issuance of new digital certificates
1. Organizations providing public certification service of digital signatures must suspend of issuance of new digital certificates in the following cases:
a) Upon detecting the errors in the system providing its services that may affect the interests of subscribers and the recipients;
b) Upon request from the competent State agencies.
2. Upon suspending the issuance of new digital certificates, the organizations providing public certification service of digital signatures must announce publicly the suspension on their websites and report to the competent State agencies.
3. During the suspension of the issuance of new digital certificates, the organizations providing public certification service of digital signatures are responsible for maintaining the database system related to digital certificates issued.
Article 36. The obligations to announce information
Organizations providing public certification service of digital signatures must announce and maintain information 24 hours per day and seven days per week on their websites the following information:
1. Their certification Regulation and digital certificates.
2. List of valid, suspended, revoked digital certificates of the subscribers.
3. Other necessary information.
Article 37. Obligations of risk insurance purchase
In the absence of deposit or guarantee of the bank under the provisions of clause 2 of Article 15 of this Decree, organizations providing public certification service of digital signatures must buy insurance to solve the risks and the compensation that can occur for the subscribers and the recipients in case of damage caused by the fault of the organizations providing public certification service of digital signatures and pay costs for other organizations providing public certification service of digital signatures to receive and maintain database when such organizations’ licenses are revoked.
Article 38. Obligations relating to the request for licenses and deployment of licenses
Organizations providing public certification service of digital signatures have the following obligations:
1. Take full responsibility before law for the accuracy of dossiers applying for licenses.
2. Implement and maintain operations in accordance with the contents of the licenses and the commitments made in dossiers applying for licenses.
3. Pay fees and charges of license issuance as prescribed.
Article 39. Rights and obligations as being revoked the licenses providing public certification service of digital signatures
1. Organizations providing public certification service of digital signatures revoked licenses are obliged to hand over documents and databases related to digital certificates and the issuance of digital certificates for the receiving organizations under clause 3 of Article 20 of this Decree.
2. Organizations providing public certification service of digital signatures revoked licenses are obliged to inform subscribers on the status to be revoked their licenses and information on the receiving organizations of their database. Where the revocation of licenses is from the cause enterprises do not want to continue to provide service, the notification must be made at least 3 months before the enterprises stop providing services.
3. Organizations receiving database of organizations providing public certification service of digital signatures revoked licenses must exercise the rights and perform obligations for the subscribers and the recipients of the organizations providing public certification service of digital signatures revoked licenses.
4. After a period of 03 years from the date of revocation of license, the organizations providing public certification service of digital signatures revoked licenses may apply for license reissuance. Conditions and procedures for reissuance are conducted according to the regulations as for the cases of applying for new issuance.
Article 40. Other rights and obligations
1. Report regularly and irregularly at the request of the competent State agencies.
2. Submit to the examination, inspection, and handling of violations of the competent State agencies.
3. Provide for the agency proceeding procedures or security agency the necessary information to serve the assurance of information security, crime prevention investigation according to proper order, procedures of procedural law.
4. In case of emergency provided for by the law on emergency status or to ensure national security, organizations providing public certification service of digital signatures have the obligations to implement all the necessary supports upon request of the competent State agencies.
ITEM 2: RIGHTS AND OBLIGATIONS OF THE SUBSCRIBERS OF ORGANIZATIONS PROVIDING PUBLIC CERTIFICATION SERVICE OF DIGITAL SIGNATURES
Article 41. Rights and obligations of subscribers in the provision of information
Subscribers of the organizations providing public certification service of digital signatures have the following rights and obligations:
1. Having the obligations to provide its personal information honestly, accurately, and present the documents for the issuance of digital certificates to organizations providing public certification service of digital signatures; take responsibility before the law and damages occur if violating this provision.
2. Having the right to request the organizations providing public certification service of digital signatures to provide for in writing the information specified in clause 1 of Article 30 of this Decree.
3. To provide private key and the necessary information for the agency proceeding procedures, security agencies to serve the national security assurance or criminal investigation under the provisions of law.
Article 42. Creation, use, and management of key
Subscribers of the organizations providing public certification service of digital signatures have the following rights and obligations:
1. In case of self-creating key pairs by their own, subscribers must ensure that devices to create key pairs must be used according to the correct technical regulations and applicable mandatory standards. This provision does not apply to cases where the subscribers lease equipment to create key pairs of organizations providing public certification service of digital signatures.
2. Store and use their private keys safely, secretly during the valid and suspended period of their digital certificates.
3. Promptly notify their organizations providing public certification service of digital signatures, if detecting signs that their private keys are exposed, stolen, or used illegally to take measures to handle.
4. Take responsibility before law for all damages caused by violations the provisions in clauses 1, 2 and 3 of this Article.
Article 43. Liability
1. Upon agreeing to let the organizations providing public certification service of digital signatures disclose their digital certificates as prescribed in clause 3 of Article 23 of this Decree or upon provided the digital certificates to other persons with the purpose for the transaction, the subscribers are deemed to have committed with recipients that subscribers are the one who hold lawfully private keys corresponding public keys on such digital certificates and the information on the digital certificates related to subscribers are true, and must comply with the obligations derived from such digital certificates.
2. Having the right to request their organizations providing public certification service of digital signatures to suspend; revoke digital certificates issued and take responsibility for that requirement.
ITEM3: OBLIGATIONS OF THE RECIPIENTS
Article 44. The obligation to verify information
1. Before accepting the signer's digital signature, the recipient must check the following information:
a) The validity and scope of use, limitation of liability and other information related to the signer's digital certificate;
b) The digital signature must be created by the private key corresponding to public key on the signer's digital certificate.
2. The recipient must pay for all damages caused in the following cases:
a) Failure to comply with the provisions of clause 1 of this Article;
b) Knew or informed of the unreliability of digital certificate and the signer's private key.
Chapter 6:
ORGANIZATIONS PROVIDING SPECIALIZED CERTIFICATION SERVICE OF DIGITAL SIGNATURES
ITEM 1: CONDITIONS AND PROCEDURES FOR REGISTRATION OF ORGANIZATIONS PROVIDING SPECIALIZED CERTIFICATION SERVICE OF DIGITAL SIGNATURES
Article 45. Operating conditions of organizations providing specialized certification service of digital signatures
Organizations providing specialized certification service of digital signatures must meet the following conditions:
1. Having sufficient professional technical staffs and managers in accordance with the provision of digital signatures certification service.
2. System of equipment to provide service must be in accordance with standards of security and national safety.
Article 46. Process and procedures for registration of operations of organizations providing specialized certification service of digital signatures
Before the operation, organizations providing specialized certification service of digital signatures must register with the Ministry of Post and Telecommunications by the following contents:
1. Name and address of the organization's headquarter.
2. Detailed information on the head and the person who is in charge of administration of equipment system for providing service.
3. Scope, object of service provision.
4. The technical regulations and standards will be applied.
Article 47. Rights and obligations of organizations providing specialized certification service of digital signatures
Organizations providing specialized certification service of digital signatures have the rights and obligations:
1. Define the operations to provide for service.
2. Define the rights and obligations of the concerned parties on the basis of not contrary to the provisions of relevant laws and principles of the legal system of Vietnam.
3. Submit to the examination, inspection, and handling of violations of the competent State agencies.
4. Provide for the agency proceeding procedures or security agency the necessary information to ensure information security, crime prevention investigation according to the right order, procedures of the procedural law.
5. In case of emergency provided for by the law on emergency status or to ensure national security, organizations providing specialized certification service of digital signatures have the obligations to implement all the necessary supports upon request of the competent State agencies.
6. Organizations providing specialized certification service of digital signatures may request the Ministry of Post and Telecommunications to issue the certificates of sufficient conditions to ensure security for digital signatures to ensure the safety of digital signatures in accordance with provisions in Article 9 of this Decree. Conditions and procedures for issuance of the certificates of sufficient conditions to ensure security for digital signatures comply with the provisions of Article 48, Article 49, and Article 50 of this Decree.
ITEM 2: CONDITIONS AND PROCEDURES FOR ISSUANCE OF THE CERTIFICATES OF SUFFICIENT CONDITIONS TO ENSURE SECURITY FOR DIGITAL SIGNATURES
Article 48. Conditions for issuance of the certificates of sufficient conditions to ensure security for digital signatures
Organizations providing specialized certification service of digital signatures are only issued the certificates of sufficient conditions to ensure security for digital signatures as satisfying the conditions for the personnel, technical and other conditions as specified in clauses 3, 4, 5, Article 15 of this Decree.
Article 49. Dossiers of application for issuance of certificates of sufficient conditions to ensure security for digital signatures
Dossiers of application for issuance of certificates of sufficient conditions to ensure security for digital signatures shall be made in 06 sets, each set comprises:
1. A written request for issuance of certificate of sufficient conditions to ensure security for digital signature.
2. Decision on the establishment and operation charter of the organization.
3. Project to provide for service includes:
a) Scope, object of service provision, other necessary information;
b) Technical plans to ensure the provisions of Article 48 of this Decree;
c) Regulation of certification;
d) Detailed information on the person and levels, qualifications of personnel will directly participate in the provision of digital signature certification services of the organization.
Article 50. Verification of dossiers and issuance of certificates of sufficient conditions to ensure security for digital signatures
Within 60 working days from the date of receipt of dossier applying for certificate of sufficient conditions to ensure security for digital signature, the Ministry of Post and Telecommunications shall preside over and coordinate with the Ministry of Public Security, the Government Committee for Cipher and the concerned ministries, branches to appraise the dossier and actual inspection. In case of meeting sufficient conditions to provide for service specified in Article 48, the Ministry of Post and Telecommunications will issue certificate of sufficient conditions to ensure security for digital signature for the organization. If the organization fails to meet the conditions as prescribed, the Ministry of Post and Telecommunications shall send written notice stating the reasons.
Article 51. Rights and obligations of organizations providing specialized certification service of digital signatures granted certificates of sufficient conditions to ensure security for digital signatures
Organizations providing specialized certification service of digital signatures granted certificates of sufficient conditions to ensure security for digital signatures have the following rights and obligations:
1. Prescribe operations, rights and obligations of the concerned parties on the basis of not contrary to the provisions of relevant laws and principles of the legal system in Vietnam.
2. Report regularly and irregularly at the request of the competent State agencies.
3. Submit to the examination, inspection, and handling of violations of the competent State agencies.
4. Provide for the agency proceeding procedures or security agency the necessary information to ensure the information security, crime prevention investigation according to the right order, procedures of the procedural law.
5. In case of emergency provided for by the law on emergency status or to ensure national security, organizations providing specialized certification service of digital signatures granted certificates of sufficient conditions to ensure security for digital signatures have the obligations to implement all the necessary supports upon request of the competent State agencies.
Chapter 7:
RECOGNITION OF DIGITAL SIGNATURES, DIGITAL CERTIFICATES, AND OPERATION OF THE SERVICE PROVISION OF FOREIGN ORGANIZATIONS PROVIDING CERTIFICATION SERVICE OF DIGITAL SIGNATURES
Article 52. Recognition of foreign digital signatures and digital certificates
1. Foreign digital signatures and digital certificates are recognized as foreign organizations providing certification service of digital signatures issuing such digital certificates granted certificates of recognition of foreign digital signatures and digital certificates by the Ministry of Post and Telecommunications.
2. Foreign organizations providing certification service of digital signatures are granted certificates of recognition of foreign digital signatures and digital certificates as meeting the following conditions:
a) The country that the organization providing certification service of digital signatures registering for operation has signed or acceded to international agreements containing provisions on the recognition of foreign digital signatures and digital certificates that Vietnam participates in.
b) Being granted license by the competent authorities of its country or being certified sufficient conditions to operate in the field of certification service provision of digital signatures and operating.
c) The reliability of digital signatures and digital certificates granted by the organization providing certification service of digital signatures is not lower than the reliability of digital signatures and digital certificates issued by organization providing public certification service of digital signatures of Vietnam.
d) Having representative offices in Vietnam to solve the relevant issues.
Article 53. Dossiers for issuance of certificates of recognition of foreign digital signatures and digital certificates
A dossier of application for issuance of certificate of recognition of foreign digital signature and digital certificate is made in 06 sets, each set comprises:
1. Written request for recognition of foreign digital signatures and digital certificates of foreign organization providing certification service of digital signatures.
2. The documents prove to meet fully the provisions of clauses 1, 2, 3, 4, Article 52 of this Decree.
3. Receipt of verification fees.
4. Other contents as required by the Ministry of Post and Telecommunications.
Article 54. Verification of dossiers and issuance of certificates of recognition of foreign digital signatures and digital certificates
Within 60 working days from the date of receipt of dossier requesting for grant of certificate of recognition of foreign digital signatures and digital certificates, the Ministry of Post and Telecommunications shall preside over and coordinate with the Ministry of Public Security, Government Committee for Cipher and the concerned ministries, branches to verify dossier. Where meeting fully the conditions prescribed in Article 52, the Ministry of Post and Telecommunications will issue certificate of recognition of foreign digital signature and digital certificate for the foreign organization providing certification service of digital signatures. In case of failing to meet fully the conditions as prescribed, the Ministry of Post and Telecommunications shall send written notice and stating clearly the reasons.
Article 55. Operations of service provision of the foreign organizations providing certification service of digital signatures
1. The investment in the service provision of the foreign organizations providing certification service of digital signatures in Vietnam shall comply with the provisions of law on investment, the international treaty on certification service of digital signatures that Vietnam has signed or acceded to.
2. Operations of foreign organizations providing certification services of digital signatures in Vietnam comply with the regulations on operation conditions, activities, rights, and obligations as for organizations providing public certification services of digital signatures.
Chapter 8:
PROVISION ORGANIZATIONS OF CERTIFICATION SERVICE OF DIGITAL SIGNATURES
Article 56. Establishment of national organizations providing certification services of the digital signatures
1. The establishment of national organizations providing certification services of the digital signatures must comply with the provisions of clauses 3, 4, 5, Article 15 of this Decree.
2. National organizations providing certification services of the digital signatures self-issue their digital certificates.
Article 57. Operation of service provision, rights and obligations of national organizations providing certification services of the digital signatures
The operation of issuance and management of digital certificates of the national organizations providing certification services of the digital signatures, rights and obligations of the concerned parties must comply with the provisions of Chapter IV and Chapter V of this Decree, therefore, the national organizations providing certification services of the digital signatures play a role as the organizations providing public certification services of the digital signatures, the organizations providing public certification services of the digital signatures play a role as the subscribers, with some modified, additional provisions as follows:
1. Dossiers applying for issuance of digital certificates provided for in Article 21 of this Decree supplement licenses of organizations providing public certification service of digital signatures issued by the Ministry of Post and Telecommunications.
2. Key pair specified in Article 22 of this Decree is self-created by organizations providing public certification service of digital signatures on their own systems.
3. Contents should be checked before issuance of digital certificates provided for in clause 1 of Article 23 of this Decree are supplemented the inspection of compliance with the operating conditions specified in clause 4, clause 5 of Article 15 of this Decree.
4. Public information specified in Article 36 of this Decree is published on websites of organizations providing national certification service of digital signatures or organizations providing public certification service of digital signatures.
Chapter 9:
DISPUTES, COMPLAINTS, DENUNCIATION AND COMPENSATION
Article 58. Settlement of disputes
Disputes between the parties in the provision and use of public certification service of digital signatures are settled on the basis of the contracts between the parties and the provisions of relevant laws.
Article 59. Complaints and Denunciations
The complaints against administrative decisions and administrative acts of digital signatures and certification service of digital signatures; the denounciation to the competent State agencies for the violations related to the digital signatures and certification service of digital signatures are implemented in accordance with the law provisions on complaints and denunciations.
Article 60. Compensation for damages
1 Organizations and individuals causing damages to other organizations and individuals in the provision, use of digital signature certification service shall be compensated in accordance with the law regulations.
2. Ministry of Post and Telecommunications shall specify the principles and the compensation rate in the provision and use of digital signature certification service.
Chapter 10:
INSPECTION, EXAMINATION AND HANDLING OF VIOLATIONS
Article 61. Inspection and examination
1. Organizations providing public certification service of digital signatures and organizations providing specialized certification service of digital signatures are granted certificates of sufficient conditions to ensure security for digital signatures are subject to the annually periodic inspection of the Ministry of Post and Telecommunications on the compliance with the provisions of this Decree. Inspection results must be publicly available on the website of the Ministry of Post and Telecommunications.
2. The providing organizations and organizations, individuals using the certification services of digital signatures are subject to the inspection or examination by the competent state agencies under the provisions of law.
3. The inspection of the organizations and individuals involved in the management, provision and use of digital signature certification service is conducted under the provisions of law on inspection.
Article 62. Violation of the rules of operating conditions
1. A fine of between VND 1,000,000 and 2,000,000 shall be imposed for the act of failing to conduct the procedures for reissuance when being lost or damaged to the extent that its content is no longer clear for one of the following papers:
a) License providing for public certification service of digital signatures;
b) Certificate of sufficient conditions to ensure security for digital signatures;
c) Writen recognition of foreign digital signatures and digital certificates.
2. A fine of between VND 4,000,000 and 10,000,000 shall be imposed for one of the following acts:
a) Applying for extension of license providing for public certification service of digital signatures fails to ensure the period as stipulated in clause 1 of Article 19 of this Decree;
b) Submitting dossier for extension of license providing for public certification service of digital signatures after receiving notification of the Ministry of Post and Telecommunications for the failure to guarantee the period as stipulated in clause 1 of Article 19 of this Decree;
c) Provision of specialized certification service of digital signatures fails to meet the conditions specified in clause 1 of Article 45 of this Decree.
3. A fine of between VND 10,000,000 and 20,000,000 shall be imposed for one of the following acts:
a) Erasing, modifying contents of the certificates of sufficient conditions to ensure security for digital signatures;
b) Purchasing, selling, transferring, leasing, lending or renting, borrowing certificates of sufficient conditions to ensure security for digital signatures;
c) Providing information, documentation falsely aimed at the operation registration or applying for issuance of certificates of sufficient conditions to ensure security for digital signatures.
4. A fine of between VND 20,000,000 and 40,000,000 VND shall be imposed for one of the following acts:
a) Erasing, modifying contents stated in the certificates providing for public certification service of digital signatures;
b) Erasing, modifying contents stated in the certificate of recognition of foreign digital signatures and digital certificates;
c) Purchasing, selling, transferring, leasing, lending or renting, borrowing papers prescribed at points a, b, clause 1 of this Article;
d) Providing information, documentation falsely aimed at the application for issuance, content change, extension of the licenses providing for public certification service of digital signatures;
đ) Providing information, documentation falsely aimed at the application for issuance of certificate of recognition of foreign digital signatures and digital certificates;
e) During the provision of digital signature certification service, it does not meet the conditions for the personnel as specified in clause 3 of Article 15 of this Decree;
g) Saving the copy of the private key without the written request of organization or individual applying for digital certificate.
5. A fine of between VND 50,000,000 and 70,000,000 shall be imposed for one of the following acts:
a) Providing digital signature certification service to the public without license providing the public digital signature certification service issued by the Ministry of Post and Telecommunications or digital certificates issued by organization providing national digital signature certification service;
b) Providing public digital signature certification service when the digital certificate granted by organization providing national digital signature certification service is invalid or license providing the public digital signature certification service has expired.
6. A fine of between 70,000,000 VND and 100,000,000 VND shall be imposed for one of the following acts:
a) Failing to buy insurance in the absence of deposit or guarantee as stipulated in Article 37 of this Decree;
b) During the provision of certification service of public digital signature, it fails to meet the financial conditions specified in clause 2 of Article 15 of this Decree;
c) Failing to save fully, accurately and update information of subscribers for the issuance of digital certificates during the valid period of digital certificates.
Article 63. Violation of the regulations on safety and security
1. A fine of between VND 5,000,000 and 10,000,000 shall be imposed for one of the following acts:
a) Unauthorized prevention of use of digital certificates;
b) Unauthorized storage of another’s private key;
c) Information storage related to organizations and individuals applying for digital certificates fails to be guarantee the confidentiality and safety;
d) Use of information relating to organizations and individuals applying for digital certificates is not in accordance with the law regulations;
đ) Failure to ensure safety in the creation or transfer of digital certificates to subscribers.
2. A fine of between VND 10,000,000 and 30,000,000 shall be imposed for the following acts:
a) Committing theft, forging, falsely assuming, appropriating another person's private key;
b) Copying, disclosing, or providing the subscribers' private keys unlawfully;
c) Accessing, disclosing, using unlawfully subscribers’ information and of organizations providing certification service of digital signatures;
d) Failing to keep secret the entire process of creating the key pairs;
đ) Using equipment not in compliance with technical regulations and applicable mandatory standards to create the key pairs;
e) Using the method not ensuring safe to transfer the private key to the organizations or individuals applying for digital certificates;
g) Creating the key pairs in contravention of law;
h) Failing to store confidentially information on the subscribers and the subscribers’ private keys during the suspension of digital certificates;
i) Modifying unlawfully subscribers’ information and of organizations providing certification service of digital signatures;
k) Failing to ensure the secrecy of the subscribers’ private keys in case of authorized subscribers.
3. A fine of between VND 30,000,000 and 50,000,000 shall be imposed for one of the following acts:
a) Using computer software, technical equipment to access illegally into the equipment system or database of organizations providing certification service of digital signatures but it is not serious enough for criminal prosecution;
b) Disclosing or supplying illegally private keys of organizations providing specialized certification service of digital signatures;
c) Using unlawfully another person's private key;
d) Faking or guiding the others to forge digital certificates;
đ) Creating digital signatures not ensuring one of the conditions specified in Article 9 of this Decree;
e) Using technical equipment system without function of detection, warning of the illegal access and other forms of attack in the network environment;
g) Using key distribution system for the subscribers not ensuring the integrity and confidentiality of the key pairs;
h) Failing to implement a plan to control the entrance or exit of office or the place where the equipment is located to provide certification service of digital signatures;
i) Failing to implement a plan to control access right into the system providing certification service of digital signatures;
k) Using unlawfully the private keys of organizations providing specialized certification service of digital signatures;
l) Stealing the private keys of organizations providing specialized certification service of digital signatures;
m) Violating regulations on other safety and security as prescribed by law.
4. A fine of between VND 50,000,000 and 70,000,000 shall be imposed for one of the following acts:
a) Preventing illegally operation of organizations providing certification service of digital signatures;
b) Using unlawfully the private keys of organizations providing public certification service of digital signatures;
c) Disclosing or providing illegally the private keys of organizations providing public certification service of digital signatures;
d) Stealing the private keys of organizations providing public certification service of digital signatures.
5. A fine of between 70,000,000 VND and 100,000,000 VND shall be imposed for one of the following acts:
a) Failing to implement or implementing inadequate contingency plans to maintain operation safely, continuously and overcome when the problem occurs;
b) Stealing the private keys of national organizations providing certification service of digital signatures;
c) Disclosing or providing the private keys of national organizations providing certification service of digital signatures illegally;
d) Using unlawfully the private keys of national organizations providing certification service of digital signatures;
đ) Destroying equipment, databases of organizations providing certification service of digital signatures that it is not serious enough for criminal prosecution;
e) Failing to implement or implementing improperly requirements of the competent State agencies in case of emergency in accordance with the law regulations on the state of emergency or to ensure national security.
Article 64. Violation of provisions on technical regulations and applicable mandatory standards
1. A fine of between VND 10,000,000 and 30,000,000 shall be imposed for the act of providing certification service of digital signatures of organizations providing specialized certification service of digital signatures not in compliance with the registered standards.
2. A fine of between VND 30,000,000 and 50,000,000 shall be imposed for the act of providing certification service of digital signatures of organizations providing public certification service of digital signatures not ensuring the registered standards.
3. A fine of between VND 50,000,000 and 70,000,000 shall be imposed for one of the following acts:
a) The technical plans do not comply with technical standards in the operation;
b) Provision of certification service of digital signatures does not conform to technical regulations, and applicable mandatory standards.
Article 65. Violation of regulations on rates, fees, and charges
1. For the violations of service rates in the provision of certification service of digital signatures, it shall comply with provisions in Decree No.169/2004/ND-CP of September 22, 2004 of the Government on sanction against administrative violations in the price sector.
2. For the violations of fees, charges in the provision of certification service of digital signatures, it shall comply with provisions in Decree No.106/2003/ND-CP of September 23, 2003 of the Government defining the sanction of administrative violations in the area of fees, charges.
Article 66. Violation of the regulations on service provision
1. A fine of between 1,000,000 VND and 5,000,000 VND shall be imposed for one of the following acts:
a) Guiding incorrect or incomplete information specified in clause 1 of Article 30 of this Decree;
b) Failing to instruct in writing for the organizations and individuals applying for digital certificates before signing the contracts of provision of digital certificates;
c) Failing to extend digital certificates of the subscribers when they request in accordance with provisions;
d) Failing to meet the communication channel 24 hours per day and seven days per week to receive the request of withdrawal and suspension of digital certificates;
đ) Failing to store information related to digital certificates for a period of at least 5 years from the date that digital certificates are revoked;
e) Failing to provide in writing for information specified in clause 1 of Article 30 at the request of the subscribers.
2. A fine of between VND 5,000,000 and 10,000,000 VND shall be imposed for one of the following acts:
a) Failing to notify the subscribers in the case found the private keys’ exposed signs of the subscribers, not remaining intact or any other errors that may affect adversely the interests of the subscribers;
b) Failing to notify the subscribers on the status of being revoked their licenses providing public certification service of digital signatures and information on the organizations receiving their database;
c) Failing to notify subscribers before terminating the service provision within the time specified in clause 2 of Article 39 of this Decree;
d) Failing to notify the subscribers on the suspension, the starting and ending time of the suspension when there are grounds to suspend the subscribers’ digital certificates;
đ) Faling to publicly announce the suspension of issuance of the new digital certificates on their website;
e) Refusing to issue digital certificates without legitimate reason;
g) The public certification Regulation does not follow the form of the Ministry of Post and Telecommunications or has content not conforming to the provisions of this Decree;
h) Failing to publicize the certification Regulation in the form of the Ministry of Post and Telecommunications;
i) Failing to notify the subscribers the withdrawal of digital certificates of such subscribers;
k) Failing to register with the Ministry of Post and Telecommunications as stipulated in Article 46 of this Decree;
l) Failing to formulate the model contract for the provision of digital certificates;
m) Provision of the timestamp issuing service does not conform to technical regulations and applicable mandatory standards;
n) Failing to report to the competent State agencies the suspension of issuing the new digital certificates.
3. A fine of between VND 10,000,000 and 20,000,000 for shall be imposed for one of the following acts:
a) Disclosing digital certificates issued to subscribers on the basis of database without the subscribers’ confirmation of the accuracy of information on the digital certificates;
b) Failing to publicize on the website the digital certificates of being newly granted, suspended, revoked, the starting and ending time of the suspension of digital certificates;
c) Failing to recover digital certificates when their suspension has expired;
d) Failing to store all the information related to the suspension or revocation of digital certificates for a period of at least 5 years;
đ) Failing to negotiate to hand over the database relating to the provision of public digital signature certification service while being revoked licenses providing public digital signature certification service;
e) Failing to report to the Ministry of Post and Telecommunications in the absence of agreement of the handover of database related to the provision of public digital signature certification service as being revoked licenses providing public digital signature certification service;
g) Changing key pair without the subscriber's request;
h) Failing to store information related to organizations and individuals applying for digital certificates.
4. A fine of between VND 20,000,000 and 40,000,000 VND shall be imposed for one of the following acts:
a) Failing to suspend digital certificates at the request of the subscribers or of the competent State agencies;
b) Failing to revoke digital certificates at the request of the subscribers or of the competent State agencies;
c) Publicizing falsely the contents of digital certificates on the basis of their data;
d) Certificates of incomplete contents as prescribed in Article 10 of this Decree;
đ) Issuing digital certificates inconsistent with titles of the State agencies, organizations in accordance with Article 11 of this Decree or not in compliance with the law regulations;
e) Faling to allow Internet users to access the list of valid digital certificates and the expired one;
g) Failing to comply with the suspension or revocation of licenses as prescribed in clause 1, 2, Article 20 of this Decree;
h) Publicizing digital certificates issued to subscribers on the basis of the database not ensuring the time limit specified in clause 3 of Article 23 of this Decree;
i) Issuing the timestamp inconsistent with the provisions of clause 3 of Article 28 of this Decree;
k) Failing to suspend the issuance of new digital certificates when errors are detected in the system providing certification service of digital signatures.
5. A fine of between VND 40,000,000 and 70,000,000 shall be imposed for the following acts:
a) Failing to hand over documents and databases as stipulated in clause 1 of Article 39 of this Decree;
b) Failing to report to the Ministry of Post and Telecommunications for considering the content changes, withdrawal or renewal of licenses in accordance with the objects to be licensed when the organizations providing public certification service of digital signatures implement the merger, joint ventures, parnership and other activities of organizational change;
c) Implementing or providing the certification service of digital signatures not in compliance with the content stated in the licenses providing the public certification service of digital signatures;
d) Failing to suspend the issuance of new digital certificates at the request of the competent State agencies;
đ) Failing to maintain database systems related to digital certificates issued in the suspension of issuance for new digital certificates.
6. A fine of between 70,000,000 VND and 100,000,000 VND shall be imposed for one of the following acts:
a) Failing to maintain online 24 hours per day and seven days per week the list of valid digital certificates and the expired one;
b) Failing to store fully, accurately, to update the list of valid digital certificates and the expired one for a period of at least 5 years;
c) Equipment system providing the digital signature certification service of the organizations providing the digital signature certification service granted by the Ministry of Post and Telecommunications the licenses providing the digital signature certification service or certificates of sufficient conditions to ensure security for digital signatures is not located in Vietnam;
d) Failing to maintain on the website 24 hours per day and seven days per week the information specified in Article 36 of this Decree.
Article 67. Violation of the regulations on use of service
1. A fine of between VND 10,000,000 and 20,000,000 shall be imposed for act of failing to provide the private key or the necessary information to the agency proceeding procedures, security agencies.
2. A fine of between VND 20,000,000 and 30,000,000 shall be imposed for one of the following acts:
a) Providing false information to apply for digital certificates;
b) Using digital signatures corresponding to the digital certificates of the agencies and organizations specified in Article 12 of this Decree as they are no longer to hold the titles corresponding to such digital certificates.
Article 68. Violation of the regulations on regime of report, information supply and inspection and examination
A fine of between VND 5,000,000 and 15,000,000 shall be imposed for one of the following acts:
Violation of the report regimes as prescribed.
1. Providing incomplete or false information for the competent state agencies as required under the provisions of law.
2. Failing to comply with the inspection or examination of the competent State agencies.
Article 69. Additional sanctions, remedies
In addition to the main sanctions, depending on the nature and seriousness of violations, organizations and individuals may be subject to one or more additional sanctions or remedies as follows:
1. To suspend or discontinue the issuance of new digital certificate for one of the acts of violation specified at point c, clause 2 of Article 62, point d, clause 2 of Article 63, Article 64, clause 2, points a, c, d, clause 3 of Article 66 of this Decree.
2. To revoke license providing public digital signature certification service or certificate of sufficient conditions to ensure security for digital signatures or the certificate of recognition of foreign digital signatures and digital certificates for one of the acts of violation specified at point b, c, clause 2 of Article 62, point d, clause 2 of Article 63, Article 64, point b, clause 2, point a, c, d, clause 3 of Article 66 of this Decree.
3. Confiscating material evidences and means used for administrative violations one of the violations provided for in point b clause 2 of Article 62, clause 1, points a, b, c, d, clause 2, points a , b, c, d, clause 3 and point a, clause 4, Article 63, point c, clause 2 of Article 66 of this Decree.
4. Forced to restore the original state which has already been caused by the administrative violations for one of the violations as specified at point b, clause 1; point b, clause 3 of Article 63 of this Decree.
5. Forced to comply with the provisions of the State for violations of clause 1, points a, c, clause 2, clause 3, Article 62, point d, clause 2, point d, clause 3, Article 63, Article 64, clause 1, point a, b, clause 2, clause 3, Article 66, Article 68 of this Decree.
Article 70. Competence to sanction
1. Specialized inspectors of post, telecommunications, and information technology who are on duty have the rights:
a) To impose a fine of up to VND 200,000;
b) To confiscate material evidences and means used for administrative violations valued at up to VND 2,000,000;
c) To apply the remedies as specified in clause 4 and clause 5 of Article 69 of this Decree;
d) To exercise the rights specified in clause 2 of Article 46 and clause 2 of Article 48 of the Ordinance on Handling of Administrative Violations.
2. Chief Inspector of the Department of Post and Telecommunications has the rights:
a) To impose a fine of VND 20,000,000;
b) To apply the additional sanctions and remedies as specified in Article 69 of this Decree;
c) To exercise the rights specified in clause 1 of Article 46 of the Ordinance on Handling of Administrative Violations.
3. Chief Inspector of the Ministry of Post and Telecommunications has the rights:
a) To impose a fines of up to VND 100,000,000;
b) To apply the additional sanctions and remedies as specified in Article 69 of this Decree;
c) To exercise the rights specified in clause 1 of Article 46 of the Ordinance on Handling of Administrative Violations.
4. Inspectors and chief inspectors of other specialized inspection agencies are competent to sanction administrative violations in the field of digital signatures and certification service of digital signatures like specialized inspectors of post and telecommunications and information technology within the state management defined by the Government.
People's Public Security, customs, tax offices, market management agencies are competent to sanction as prescribed in Articles 31, 34, 36 and 37 of the Ordinance on Handling of Administrative Violations for the administrative violations on digital signatures and certification service of digital signatures directly related to their management areas specified in this Decree.
5. The sanctioning competence of the People's Committees at all levels
Chairmen of People's Committees at all levels are competent to sanction under their authorities as stipulated in Articles 28, 29 and 30 of the Ordinance on Handling of Administrative Violations in the localities under their management for the administrative violations on digital signatures and certification service of digital signatures as prescribed in this Decree.
Article 71. Principles, the prescription and procedures for handling of administrative violations, aggravating, extenuating circumstances
The principles for sanctioning, the prescription for sanctioning, procedures for sanctioning administrative violations, aggravating, extenuating circumstances, the time limit considered as not yet sanctioned for administrative violations on digital signatures and certification service of digital signatures shall comply with the provisions of the Ordinance on Handling of Administrative Violations.
Article 72. Prosecution for criminal liability
Acts of taking advantage of digital signatures and digital signature certification service to conduct against the State of the Socialist Republic of Vietnam and disrupt security and order, social security; the other serious violations related to digital signatures and certification service of digital signatures having the signs of crimes will be prosecuted for criminal liability according to the law provisions.
Chapter 11:
IMPLEMENTATION PROVISIONS
Article 73. Implementation Provisions
This Decree takes effect 15 days after its publication in the Official Gazette.
The ministers, heads of ministerial-level agencies, heads of governmental agencies, presidents of People's Committees of provinces and cities under central authority shall implement this Decree.
| FOR THE GOVERNMENT |
