General Terms and Conditions for mySaveID
of msg mySaveID GmbH (Version 06/2024)
1 Scope of application
1.1 These General Terms and Conditions ("GTC") apply to all contracts between msg mySaveID GmbH ("mySaveID") and Client in connection with the offer of trust and certification services as well as related additional services (together "Certification And Trust Services"), in particular Certification And Trust Services in accordance with Regulation (EU) No. 2024/1183 of 20 May 2024 and the (EU) No. 910/2014 of 23 July 2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC ("eIDAS Regulation"). The offer of mySaveID is directed at Clients who are entrepreneurs within the meaning of Section 14 of the German Civil Code (BGB).
1.2 1.2 These GTC apply not only to the Client (“legal entity”) but also to any User (“natural person”) who has been invited by the Client (e.g., employer who invites its employees) to use the Certification And Trust Services and has accepted this invitation by registering an account. References to the Client in these GTC are therefore at the same time to be understood as references to the User unless an explicit distinction is made between Users and Clients. The Users may be consumers or entrepreneurs within the meaning of §§ 13, 14 BGB.
2 Subject matter of contract
2.1 In addition to the service components selected by the Client, the scope of the Certification And Trust Services are set forth in the provisions of these GTC, the service description, the Certificate Practice Statement ("CPS") of mySaveID, each of which can be accessed at the following link: www.mySaveID.de/en_GB/repository and www.mysaveid.de/en_GB/leistungsbeschreibung.
2.2 The offered Certification and Trust Services are comprising:
- the issuance of public key qualified certificates for electronic signatures and seals, including registration of subscribers and subjects, certification of public keys;
- the revocation of certificates and online status information via Certificate Revocation Lists (“CRLs”) and Online responders with Online Certificate Status Protocol (“OCSP”);
- generating and managing electronic signature creation data on behalf of the Subject (signatory);
- processing certificate subjects' data for certificate issuance, other trust services, and provision of eID means.
2.3 Depending on their features, the certificates generated by mySaveID can be assigned to the requirements of the different policies (certification level) within EN 319 411-2:
- QCP-n-qscd – EU qualified certificates issued to a natural person with private key related to the certified public key in a qualified electronic signature/seal creation device.
- QCP-l-qscd – EU Qualified certificates issued to legal person with private key related to the certified public key in a qualified electronic signature/seal creation device.
- Also all obligations specified for NCP in ETSI EN 319 411-1 apply. Lifetime of certificates is limited to three years.
2.4 To the extent that the Certification And Trust Services are services pursuant to the eIDAS-Regulation, the following order of precedence shall apply, with priority being given to documents mentioned first: (i) CPS, (ii) GTC, (iii) service description. To the extent that the Certification And Trust Services are related additional services, the following order of precedence shall apply: (i) GTC, (ii) service description, (iii) CPS, to the extent that CPS is applicable to these additional services accordingly.
2.5 The scope of services for the User is based on the scope of services ordered by the Client under the contract between the Client and mySaveID.
3 Registration and conclusion of contract
3.1 The use of the Certification And Trust Services provided by mySaveID requires the creation of an account. In doing so, Client or User must register and provide the required information. Since mySaveID manages digital identities, only one account registration is permitted for each natural and legal person.
Successful registration requires the express consent to the registration and the explicit acceptance of the contractual terms and conditions (including these GTC) of the Client (“legal entity”) and also the respective User (“natural person”).
Such registration is subject to the double opt-in procedure. After the registration there is the additional option of initializing the account. The prerequisite for initializing the account is the successful identification of the Client or user by msg mySaveID GmbH or one of our external partners using an authentication service provided by our partner. For the use of further Certification And Trust Services, it may be necessary to obtain further information from the Client or User during registration or at a later stage.
3.2 The contract between mySaveID and the Client/User is concluded by two concurrent declarations of intent. The declaration of intent on the part of the Client/User results from (1) the creation of an account for mySaveID or the use of the order form provided for this purpose and completed in full by the Client, and (2) pressing the link contained in the confirmation email by the Client/User (so-called double opt-in). The double opt-in on the part of the Client/User must take place within three calendar days of the creation of the account or submission of the application form. mySaveID will check the Client's offer within 5 working days and declare acceptance or rejection of the offer to the Client within this period by sending a separate e-mail to the e-mail address provided by the Client. The confirmation e-mail after registration of the account does not constitute acceptance by mySaveID. mySaveID reserves the right to reject offers of the Client to conclude a contract without further information. While mySaveID is checking the offer, the Client only has the option of completing his account further.
3.3 Before a Client/User is given the option to generate signatures or seals, the Client/User must check that the certificate corresponds to the information that the Client/User has provided and the Client/User must explicitly acknowledge and accept the certificate.
4 Required hardware and software
It is the Client's responsibility to establish the system requirements, to enable the use of the Certification And Trust Services. This includes:
- Smartphone with iOS or Android
- Current browser version (Chrome, Safari, Firefox, Edge)
Secure cryptographic hardware for signature or seal creation and private key storage is not needed by the Client/User.
5 Obligations on the part of the Client
5.1 In order to provide the Certification And Trust Services, the Client/User undertakes to cooperate as required. In particular, the Client/User undertakes to submit all required information and documents completely and truthfully. The provision of e-mail addresses or telephone numbers that cannot be assigned to the Client/User is not permitted.
5.2 Client/User undertakes to keep its data up to date and to notify or make changes without undue delay. In particular, the Client/User shall ensure that the information on which the qualified certificate and the attributes are based is permanently correct and shall have attributes in the certificate blocked without undue delay if the facts on which the information in the attribute is based have changed.
5.3 The Client/User shall indemnify mySaveID against all claims by third parties resulting from the Client/User providing or maintaining outdated information unless the Client/User is not responsible for this.
6 Use in accordance with the purpose
6.1 The Client/User is obliged to use the Certification And Trust Services in accordance with their purpose exclusively to support business processes and transactions, i.e. to prove its identity and the associated attributes (e.g. age, information from public registers) to third parties, according to the current CPS.
6.2 Misuse of the Certification And Trust Services is prohibited. Misuse shall be deemed to have occurred in particular if
- the Certification And Trust Services are used to impersonate another person.
- the Certification And Trust Services are used to feign the authenticity of forged documents.
- the Certification And Trust Services are provided to unauthorised third parties for use.
- access IDs for the Certification And Trust Services are disclosed to third parties.
- data is processed via the Certification And Trust Services that contain malware such as viruses, Trojans, spyware, adware or backdoors.
- information is stored on the storage space provided as part of the use of the Certification And Trust Services that violates laws or the rights of third parties or references are made to such information.
- the applicable copyright and trademark law as well as other industrial property rights and personal rights of third parties are violated.
- the Certification And Trust Services are used by the Client beyond the use permitted in accordance with these GTC.
6.3 The Client/User shall indemnify mySaveID against all third-party claims asserted by third parties on the basis of misuse of the Certification And Trust Services, unless the Client is not responsible for such misuse.
7 Responsibility for passwords and access
7.1 The Client is responsible for the security and confidentiality of all access codes, in particular any passwords, PINs and blocking passwords. The Client undertakes to protect the access codes disclosed to it or created by it in the context of the provision of the services from access by third parties.
7.2 The Client is obliged to inform mySaveID immediately if there is any unauthorised use of access IDs. This duty to inform also applies in the event of suspected unauthorised access to the Certification And Trust Services or misuse of access IDs, whether through the exploitation of a security vulnerability or the loss of access IDs.
7.3 mySaveID is entitled to block such access IDs for which there are actual indications of unauthorized third-party access to the Certification And Trust Services.
8 Logs and Deletion Concept
8.1 mySaveID keeps event logs on the operation of the Certification And Trust Services in order to be able to prove proper operation. These records are disclosed exclusively to law enforcement authorities on court order and to persons who may access them if they have a legitimate interest. Technical event logs will be retained for a maximum period of 30 days. Audit logs containing information associated with providing trust services, for example registration and certificate request, certificate acceptance, certificate and CRL issuance, creation of signatures or seals, or related to the identification of communication partners will be kept for an unlimited time period (according to German Trust Services Act, VDG).
8.2 For further information on event logs and the deletion concept of mySaveID in connection with the Certification And Trust Services, please refer to the CPS.
9 Revocation of certificates
9.1 mySaveID provides a revocation service for issued certificates. The issued certificate will be revoked (i) at the request of the Client, (ii) at the request of a third party entitled to revocation or (iii) by mySaveID directly if there are special reasons.
9.2 Details of revocation and how to contact us for revocation are set out in the CPS.
10 Availability
10.1 The Client and mySaveID agree on specific availability times for the Certification And Trust Services. The availability times for (i) Certification And Trust Services pursuant to the eIDAS-Regulation are set forth in the CPS and for (i) Certification And Trust Services that are related additional services are set forth in the service description.
11 Rights of use
11.1 mySaveID grants the Client a simple, non-exclusive right of use to copyright-protected components of the Certification And Trust Services for the term of the contract, insofar as this is necessary for the use of the Certification And Trust Services. As the Certification And Trust Services run exclusively on the servers of mySaveID or a service provider commissioned by mySaveID, mySaveID grants no rights to either the object code or the source code.
12 Reservation of right of modification
12.1 mySaveID is entitled to amend or supplement the provisions of these GTC and the scope of services of the Certification And Trust Services with effect for the future if there is a valid reason (e.g. legal or functional adjustments). The change or addition shall be announced to the Client by e-mail to the e-mail address stored in the account at least six weeks before it takes effect and the Client shall be informed clearly and comprehensibly about the change or addition.
12.2 If the Client does not object to the change or addition within 30 days of the announcement of the change or addition and continues to use the Certification And Trust Services, this is deemed to be consent to the change or addition; mySaveID will refer to this separately in the announcement.
12.3 If a change or addition to the Certification And Trust Services impairs the accessibility or usability, the Client may terminate the contract free of charge with a notice period of 30 days. The period begins with the receipt of the announcement by mySaveID. The possibility of termination does not apply if the impairment of access or usability is only insignificant or if mySaveID offers to maintain access and usability of the Certification And Trust Services as previously agreed. mySaveID will also refer to these rights separately in the announcement.
13 Payment
13.1 mySaveID provides the Certification And Trust Services for Users free of charge. Accordingly, the following provisions of this section 13 do not apply to Users.
13.2 Billing shall be based on the number of Users or on the actual volume of transactions (pay-as-you-go). Unless otherwise agreed with the Client in an individual contract, the Client undertakes to pay the remuneration in accordance with the billing model presented and selected in the ordering process. All prices are quoted net plus VAT and in euros.
13.3 mySaveID is entitled to invoice the services at the beginning of a calendar month for the previous month. Amounts are due on receipt of the invoice and payable within 30 days to an account specified by mySaveID.
13.4 The Client is only entitled to set-off with undisputed or legally established claims. The Client shall only be entitled to rights of retention from counterclaims arising from the same contractual relationship.
14 Term and termination
14.1 The contract has an indefinite term and may be terminated at any time in accordance with section 14.2.
14.2 The Client and mySaveID may terminate the contract at any time with three (3) months' notice to the end of the calendar month. Terminations by the Client and mySaveID must be in writing within the meaning of Section 127 (2) of the German Civil Code (BGB).
14.3 Notwithstanding section 14.2, Users may terminate the contract at any time without notice. Termination can be executed, for example, by using the termination button.
14.4 As soon as the contract between the Client and mySaveID ends or the Client withdraws the invitation for the User, the Certification And Trust Services for the User are discontinued with the exception of the following functionalities ("Inactive Account"):
- Deleting the own account
- To view own account data
The User has an Inactive Account until another company as a Client bears the remuneration for the Certification And Trust Services or the User or mySaveID terminates the contract with the User.
14.5 Notwithstanding the above provisions, the right of both contracting parties to terminate for good cause (Kündigung aus wichtigem Grund) shall remain unaffected. Good cause for such termination shall in particular deem to exist if:
- A contracting party repeatedly breaches its obligations and does not remedy such breach of contract even within a reasonable period of time or after a warning.
- The Client is in default of payment of remuneration or a not insignificant part of the remuneration for two consecutive dates or, in a period extending over more than two dates, is in default of payment of remuneration in an amount equal to the remuneration for two months.
- The Client misuses the Certification And Trust Services (cf. section 6).
15 Activation and deactivation of services
15.1 The Client has the option at any time to activate or block individual components of the Certification And Trust Services for Users in his account, subject to the respective valid remuneration according to the price list.
15.2 This section 15 does not apply to Users. The scope of services for Users depends on the Certification And Trust Services activated by the Client.
16 Discontinuation of Certification And Trust Services
16.1 If mySaveID ceases to operate as a certification or trust service provider, the Client will be notified of this two months in advance. mySaveID is entitled to transfer the rights and obligations arising from the contract to another certification and trust service provider with the same notice period. The Client has the right to terminate the contract at the time of the transfer. mySaveID will inform the Client separately of his right to terminate the contract in the notification.
16.2 If no other certification and trust service provider takes over the contract, mySaveID is entitled to terminate the contract in accordance with the termination provisions under section 14 at the time of discontinuation. In this case, mySaveID will refund any prepaid fees on a pro rata basis. mySaveID is entitled to revoke the certificates in this case and transfer them to the Federal Network Agency responsible for mySaveID.
17 Liability
17.1 mySaveID is liable without limitation in the following cases:
- Intent and gross negligence;
- Injuries to life or body;
- Assumption of guarantees;
- Malice.
17.2 If none of the cases in section 17.1 apply, mySaveID is only liable - irrespective of the legal grounds - if mySaveID culpably breaches a material contractual obligation. A material contractual obligation is an obligation whose fulfilment is essential for the proper performance of the contract and on whose fulfilment the Client may regularly rely (so-called cardinal obligations, Kardinalspflichten). If the culpable breach of such an essential contractual obligation was not caused intentional or grossly negligent, the liability is limited to such contract-typical damages that were reasonably foreseeable at the time of the conclusion of the contract.
17.3 As contract-typical foreseeable damage, the parties agree on an aggregate maximum sum of EUR 100,000 for all claims. The Client confirms not to use the Certification And Trust Services in cases of greater damage potential.
17.4 mySaveID is only liable for the correctness of the identity verification carried out as part of the Certification And Trust Services within the scope of the verification options available. Ultimately, mySaveID therefore only confirms with a certificate or seal that someone has presented the required proof of identification at the specified time, that the visual inspection was positive and that the corresponding information was included in the certificate or seal as provided.
17.5 Any further liability of mySaveID is excluded. In particular, strict liability for initial defects pursuant to Section 536a (1) sentence 1 of the German Civil Code (BGB) is excluded insofar as it would apply to mySaveID and no injury to life or body is involved.
17.6 Liability under the German Product Liability Act (ProdHaftG) and the presumption of fault under Art. 13 of the eIDAS Regulation and attribution under Section 6 of the German Trust Services Act (Vertrauensdienstegesetz) shall remain unaffected by this section.
17.7 The Client shall be liable in accordance with the statutory provisions, unless these GTC contain specific provisions.
18 Force majeure
18.1 Events of force majeure which make performance substantially more difficult or temporarily impossible shall entitle the respective party to postpone the performance of its service by the duration of the hindrance and a reasonable start-up period. Industrial disputes and similar circumstances shall be deemed equivalent to force majeure to the extent they are unforeseeable, serious and not the fault of the respective party.
18.2 The parties shall immediately notify each other of the occurrence of such circumstances.
19 Data privacy
19.1 mySaveID processes and uses personal data to provide the Certification And Trust Services offered. Details on the processing of personal data can be found in the privacy policy, which can be accessed online at any time on our website at https://www.mysaveid.de/en_GB/privacy-policy-customers.
19.2 To the extent that mySaveID processes personal data on behalf o the Client as a Processor as set forth in Art. 4 No. 8 GDPR, the data processing agreement signed between the parties separately, shall apply.
20 Export
The Client undertakes to comply with any possible export laws and/or export restrictions. In particular, the Client undertakes to observe any restrictions on use as well as import and export restrictions for electronic signatures abroad..
21 Right of revocation (Widerrufsrecht)
21.1 Insofar as the Client is a consumer within the meaning of Section 13 of the German Civil Code (BGB), the statutory right of revocation described in the revocation policy shall apply. Insofar as the Client is an entrepreneur within the meaning of Section 14 BGB, no (voluntary) right of revocation shall be granted.
21.2 The right of revocation expires in the case of a contract for the supply of digital content not on a physical data carrier if mySaveID has commenced performance of the contract after the Client has expressly consented to mySaveID commencing performance of the contract before the expiry of the revocation period and has confirmed that by giving his consent he loses his right of revocation on commencement of performance of the contract.
22 Online dispute resolution and consumer dispute resolution
22.1 The European Commission provides an online dispute resolution platform (ODR platform) to resolve disputes initially without the need to go to court. You can access the ODR platform under the following link:
https://ec.europa.eu/consumers/odr/
22.2 mySaveID will endeavour to resolve any disagreements amicably. However, mySaveID is not willing or obliged to participate in dispute resolution proceedings before a consumer arbitration board.
23 Miscellaneous
23.1 mySaveID may at any time engage third parties as subcontractors for the provision of the Certification And Trust Services.
23.2 Deviating, conflicting or supplementary general terms and conditions of the Client do not apply and - even if known - do not become part of the contract, unless their validity is expressly agreed to in writing by mySaveID.
23.3 Rights and obligations arising from the contractual relationship with mySaveID may only be assigned by the Client with the prior written consent of mySaveID. Section 354a of the German Commercial Code (HGB) remains unaffected.
23.4 German law shall apply exclusively to all claims arising from the contract. The provisions of the UN Convention on Contracts for the International Sale of Goods (CISG) shall not apply. The exclusive place of jurisdiction for all disputes arising from or in connection with this contract shall be Frankfurt am Main if the Client is a merchant or a legal entity under public law or a special fund under public law or has no general place of jurisdiction in the Federal Republic of Germany.
23.5 Amendments and supplements to these terms and conditions or the contract must be made in writing and must be expressly marked as such. This also applies to the cancellation or amendment of this written form clause.
23.6 Should provisions of these GTC be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions of the GTC. The same shall apply in the event that the GTC contain a regulatory gap. Instead of the invalid or unenforceable provisions or to fill the gap, an appropriate provision shall apply which, as far as legally possible, comes as close as possible to what the contracting parties would have intended if they had considered this point when concluding the GTC.