Full citation: Act on a Card with an Electronic Identification Function for Citizens of the European Union and the European Economic Area of 21 June 2019 (Federal Law Gazette I, p. 846), as last amended by Article 154a of the Act of 20 November 2019 (Federal Law Gazette I, p. 1626)
(1) Citizens of a member state of the European Union or a Contracting Party of the Agreement on the European Economic Area who are not Germans as defined in Article 116 (1) of the Basic Law (Grundgesetz) will be issued a card with an electronic identification function (eID card) upon application.
(2) The eID card enables electronic identification and the transmission of data directly from the eID card to electronic forms as referred to in sections 12 and 13.
(1) Service providers are natural and legal persons who, to carry out tasks of the public administration or for own business purposes, require proof of identity or individual identifying features of the card holder and who have their place of residence, business or office within the European Union or in other countries having an equivalent standard of data protection.
(2) An authorisation certificate is an electronic certificate which enables a service provider
1. to verify its identity vis-à-vis the card holder and
2. to request the transmission of personal and card-related data from the eID card.
(3) The blocking code is a series of characters used only to block eID cards.
(4) The blocking sum is a unique feature generated from the blocking code and the card holder’s family name, given names and date of birth. It serves to transmit a block from the 24-hour reporting hotline or an eID card authority to the administrator of revocation lists. Using the blocking sum and the reference list, the administrator of revocation lists identifies the blocking key of the electronic identification function that is to be blocked.
(5) Blocking attributes of an eID card are service- and card-specific series of characters which serve only to enable the service provider for whom they were generated to identify lost or stolen eID cards.
(6) The serial number of an eID card consists of a four-digit authority ID number and a five-digit, randomly assigned number, and may include both numerals and letters.
(7) The PIN is a six-digit number used to approve the transmission of data from the eID card for the purpose of electronic identification.
(8) The access code is a randomly generated six-digit number printed on the card to protect against unauthorised interception of communications between the eID card and card readers.
(9) The PUK is a randomly generated number to unblock the eID card after the incorrect PIN code has been entered three times in succession.
(10) The card holder is the person for whom the eID card was issued.
Possession and property; manufacturer, issuing authority and administrator of revocation lists
(1) No one may possess more than one valid eID card issued to him- or herself.
(2) The eID card is the property of the Federal Republic of Germany.
(3) The Federal Ministry of the Interior, Building and Community determines
1. the card manufacturer,
2. the authority responsible for issuing authorisation certificates, and
3. the administrator of revocation lists,
and publishes their names in the Federal Gazette.
Model; serial number; chip
(1) The eID card is issued according to a uniform model.
(2) Each eID card is assigned a new serial number. The serial number, blocking code and blocking attributes may not contain any of the card holder’s personal data or reference to such data.
(3) In addition to the serial number, the name of the issuing authority, the date of expiry and the access code, the eID card clearly indicates the following information about the card holder:
1. family name and given names,
2. date and place of birth.
(4) The eID card contains an electronic storage and processing medium (chip) on which the following data are stored:
1. family name and name before marriage,
2. given names,
3. doctoral degree,
4. date and place of birth,
5. address; if the card holder has no residence in Germany, the words “no residence in Germany” may be entered,
7. religious name, stage or pen name,
8. type of document,
9. date of expiry.
(5) The stored data are to be secured against unauthorised alteration, deletion and retrieval.
Period of validity
(1) The eID card is issued for a period of ten years.
(2) Extending the length of validity is not permitted.
(3) Before an eID card expires, the card holder may apply for a new one if he or she demonstrates a legitimate interest in having a new one issued.
(1) The following are responsible for matters related to the eID card:
1. in Germany, the authorities designated by the Länder.
2. outside of Germany, the Federal Foreign Office and its designated missions abroad
(eID card authorities).
(2) The eID card authorities and the authorities entitled to check identification (section 2 (2) of the Act on Identity Cards (Personalausweisgesetz) are responsible for the confiscation and seizure of the eID card.
1. for issuing and suspending authorisations as referred to in sections 15 to 17 is the authority responsible for issuing authorisation certificates under section 3 (3) no. 2.
2. for keeping a revocation list as referred to in section 9 (3) is the administrator of revocation lists under section 3 (3) no. 3.
(1) The eID card authority in the district in which the applicant or card holder is required to register his/her residence or main residence has local responsibility. If the applicant or card holder is not required to register his or her residence, the eID card authority in the district where the person is living at the time of applying or requesting action by the authority is responsible.
(2) Outside of Germany, the missions abroad designated by the Federal Foreign Office in the district in which the applicant or card holder is usually resident is responsible. Applicants or card holders are required to furnish proof of their usual place of residence.
Issuing and blocking the eID card
Issuing the eID card
(1) An eID card is issued to applicants who
1. belong to the group of persons referred to in section 1 (1) and
2. are at least 16 years old.
Minors 16 years old or older may undertake proceedings pursuant to this Act.
(2) The application is to include all information needed to verify the applicant’s identity. Information about doctoral degrees attained and any religious, stage or pen names is voluntary. Applicants must provide the necessary documentation and identify themselves by presenting an official and valid foreign passport or national identity card to the issuing authority in person.
(3) If there are any doubts as to the applicant’s identity, no eID card may be issued.
Blocking and unblocking
(1) To keep the revocation list up to date, the issuing eID card authority must immediately inform the administrator of revocation lists of the eID card’s blocking sum if it becomes aware that
1. an eID card has been lost or stolen,
2. a card holder has died, or
3. an eID card not in the possession of the authority is invalid as defined in section 21.
(2) The card holder may request the immediate blocking of the electronic identification function by informing the administrator of revocation lists of the blocking code. The obligation to report to the eID card authority the loss or theft of an eID card under section 20 (1) no. 3 remains unaffected.
(3) The administrator of revocation lists provides a blocking service, via public communication channels available at all times, to the eID card authorities for the cases referred to in paragraph (1) and to card holders for the cases referred to in paragraph (2). Section 10 (4) of the Act on Identity Cards applies accordingly.
(4) If, after blocking has been carried out in accordance with paragraph (1), the card holder reports in accordance with the conditions of section 8 (2) sentence 3 that the identity card has been found, or if, after the card has been blocked in accordance with paragraph (2), the card holder requests unblocking in accordance with the conditions of section 8 (2) sentence 3, the eID card authority asks the administrator of revocation lists to unblock this eID card.
(5) The eID card authority or the police record the time the loss or theft of the eID card was reported and inform the issuing eID card authority.
(1) At the card holder’s request, the eID card authority allows the card holder to inspect the retrievable data stored on the chip.
(2) At the time of application, the eID card authority provides applicants with information on the electronic identification function under section 12 and the transmission of data directly from the eID card to electronic forms under section 13 and on the measures necessary to ensure the secure use of the electronic identification function. It must also provide information on the possibility of blocking the eID card. The applicant is to be informed of the available information.
(3) An eID card authority that becomes aware of the loss or theft of an eID card must immediately inform the responsible eID card authority, the issuing eID card authority and the police; if the police otherwise become aware of the loss or theft of an eID card, they must immediately inform the responsible and the issuing eID card authorities. In doing so, they should as a rule provide the family name, given names, serial number, issuing eID card authority, date of issue and date of expiry of the eID card. The police are to enter the eID identity card in their register of missing and stolen property.
Collecting, checking and transmitting data
Sections 12 and 13 of the Act on Identity Cards apply accordingly to the form and the procedure for collecting, checking and transmitting data and to the transmission of PINs, PUKs and blocking codes.
Using the eID card
(1) Card holders may use their eID card to verify their identity vis-à-vis public- and private-sector bodies electronically. The same applies if the card holder is acting on behalf of another person, an enterprise or a government agency. In derogation from sentence 1, electronic identification is not permitted if the conditions of section 3a (1) of the Administrative Procedure Act (Verwaltungsverfahrensgesetz), of section 87a (1) sentence 1 of the German Fiscal Code (Abgabenordnung) or of section 36a (1) of the Social Code, Book I (Erstes Buch Sozialgesetzbuch) are not met.
(2) Persons other than the card holder are not permitted to use the electronic identification function.
(3) Electronic identification takes place by means of the transmission of data from the chip in the eID card. Section 18 (2) sentence 2, (3), (4) and (5) of the Act on Identity Cards applies accordingly to the details of data transmission.
Transmitting data from the eID card directly to an electronic form
(1) Card holders may also use their eID card to transmit data stored on the chip directly to an electronic form using a card reader at an office or business.
(2) Before data are transmitted, the provider of this service is obligated to check whether the person presenting the eID card is the card holder by comparing the eID photo with the photo on the person’s valid passport or official ID. The data will be transmitted only if the service provider retrieves the access code with the card holder’s consent and transmits the access code together with a valid authorisation certificate to the chip in the eID card.
Storage for the purpose of electronic identification
Sections 19 and 19a of the Act on Identity Cards apply accordingly to the storage of data for the purpose of electronic identification, also by providers of identification services.
Authorisations; electronic signature
Authorisations for service providers
(1) Service providers require authorisation to request data for the electronic identification function. This authorisation does not affect data protection law. Authorisation is to be secured in technical terms by issuing authorisation certificates.
(2) For the conditions and the procedure, section 21 (2) to (8) of the Act on Identity Cards applies.
Authorisations for providers of card-reading services
In order to transmit data pursuant to section 13, providers of card readers must be authorised to retrieve data from the eID card and must have an authorisation certificate to do so. Section 21 of the Act on Identity Cards applies accordingly.
Authorisations for providers of identification services
Providers of identification services who wish to use the electronic identification function referred to in section 12 in order to provide identification services for third parties require authorisation. Section 21b of the Act on Identity Cards applies accordingly.
The eID card may be configured to serve as a signature creation device as referred to in Article 3 no. 23 of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257 of 28 August 2014, p. 73, L 23 of 29 January 2015, p. 19, L 155 of 14 June 2016, p. 44). Certification in accordance with Article 30 of Regulation (EU) No 910/2014 is carried out by the Federal Office for Information Security. The provisions of the Trusted Services Act (Vertrauensdienstegesetz) remain unaffected.
eID card register
eID card register
(1) To implement this Act, the eID card authorities keep a register of eID cards issued (eID card register).
(2) Data from the eID card register may be used to correct data in the population register and vice versa. For this purpose, the eID card authorities may transmit data in the register to each other.
(3) In addition to processing information required for procedural purposes, the eID card register may contain only the following data:
1. family name and name before marriage,
2. given names,
3. doctoral degree,
4. date of birth,
5. place of birth,
8. serial number,
9. blocking code and blocking sum,
10. date of expiry,
11. issuing authority,
12. the fact that the eID card is on the revocation list, and
13. religious name, stage or pen name.
(4) Personal data in the eID card register are to be kept at least until a new eID card is issued but only until the relevant eID card has expired, at which time they are to be deleted.
Obligations of the card holder; invalidity and confiscation
Obligations of the card holder
(1) Card holders are obligated to do the following without delay:
1. present the eID card to the eID card authority if it contains incorrect information,
2. surrender the old eID card to the eID card authority when receiving a new eID card, and
3. report a lost eID card to the eID card authorities and report if it has been found.
(2) The card holder must take reasonable measures to ensure the confidentiality of the PIN. In particular, card holders may not note the PIN on the eID card or store the PIN together with the card. If the card holder knows that the PIN has been disclosed to a third party, he or she should immediately change the PIN or have the electronic identification function blocked.
(3) Card holders should take technical and organisational measures to ensure that the electronic identification function referred to in section 12 is used only in an environment considered secure according to the state of the art. Card holders should use in particular those technical systems and components certified by the Federal Office for Information Security as secure for this purpose.
(1) An eID card is invalid if
1. it lacks information mandated by this Act, or the information (other than address) is incorrect, or
2. the date of expiry has passed.
(2) The eID card authority declares an eID card to be invalid if the requirements for issuing it were not met at the time of issuing or later ceased to be met.
Confiscation and seizure
(1) An invalid eID card may be confiscated.
(2) An eID card may be seized if
1. it is held by an unauthorised person, or
2. there is reason to believe that the eID card is invalid.
(3) Seizure or confiscation must be confirmed in writing.
(4) Objections and actions for rescission in the cases of paragraphs (1) and (2) have no suspensive effect.
Fees and expenses; fines
Fees and expenses, authorisation to issue statutory instruments
(1) For individually attributable public services rendered under this Act, the eID card authorities levy fees and expenses according to paragraphs (2) and (3).
(2) The fee should cover the costs related to the individually attributable public service of all those involved in the service. The fee must include the expenses regularly related to the service. The fee is to be calculated based on the costs which are eligible, according to business principles, for inclusion in the accounts as indirect and overhead costs, especially personnel and material costs and imputed costs. Overhead costs also include the costs of legal and technical supervision. The calculation of fees referred to in sentences 1 to 4 is based on the costs to all of the Länder associated with the service in question. Section 3 (1) and (2), sections 5 to 7, section 9 (3) to (6) and sections 10 to 12 of the Act on Fees and Expenses for Federal Services (Bundesgebührengesetz) apply accordingly.
(3) The Federal Ministry of the Interior, Building and Community is authorised, by statutory instrument with the agreement of the Bundesrat and for the area of Land administration, to specify in further detail the matters for which fees are charged, the level of such fees and the reimbursement of expenses.
(4) The Federal Foreign Office may, by means of a special fee ordinance under section 22 (4) of the Act on Fees and Expenses for Federal Services, determine that the Federal Republic of Germany’s missions abroad may impose a surcharge for individually attributable public services rendered pursuant to this Act and the statutory instruments based on this Act, in order to compensate for differences in purchasing power. This surcharge may amount to as much as 300 per cent.
(1) Anyone is deemed to have committed an administrative offence who
1. fails to provide correct information in violation of section 8 (2) sentence 1,
2. uses the electronic identification function in violation of section 12 (2), or
3. fails to report in a timely fashion in violation of section 20 (1) no. 3.
(2) The administrative offence may be punishable by a fine of up to 30,000 euros in the cases of paragraph (1) no. 2, and by a fine of up to 3,000 euros in the other cases.
Authorisation to issue statutory instruments
The Federal Ministry of the Interior, Building and Community is authorised, by statutory instrument with the agreement of the Bundesrat and in consultation with the Federal Foreign Office,
1. to determine the model of the eID card,
2. to specify how to protect access to the data stored on the chip,
3. to specify the details of the application procedure,
4. to specify the details of the procedure for transmitting all the application data from the eID card authorities to the card manufacturer,
5. to specify how to manufacture the eID card and how to transmit the PIN, PUK and blocking code,
6. to specify the details of handing over and sending the eID card,
7. to specify how to modify eID card data such as the card holder’s name or address,
8. to specify the details of using the electronic identification function and of transmitting data directly from the card to an electronic form,
9. to specify the details
a) of the PIN,
b) of blocking and unblocking, and
c) of storing and erasing the blocking attributes and the blocking code;
10. to determine the technical security framework necessary to ensure that public- and private-sector bodies may create and operate a user account in accordance with section 14 in conjunction with section 19 (5) of the Act on Identity Cards,
11. to specify the details of issuing authorisations and authorisation certificates.
In derogation from section 6 (1) no. 2 and section 7 (2), until 31 October 2021 the authority responsible for persons entitled to apply for an eID card whose usual place of residence is outside of Germany will be the authority under section 6 (1) no. 1 in whose district the person in question is temporarily staying.