Proof of data protection ‒ an aspect of accreditation

According to the De-Mail Act, in order to achieve accreditation a provider of De-Mail services will need to provide not only proof of IT security, interoperability and functionality, but also proof of data protection.
The De-Mail service provider must prove that they meet statutory data protection requirements in terms of the design and operation of their De-Mail services.
On the one hand, the emphasis is on the trustworthiness of the services provided; on the other, special importance is attached to protecting the personal data processed within the De-Mail information domain.

Criteria catalogue for proof of data protection

According to Section 18 (3) No. 4 of the De-Mail Act, a service provider must furnish proof that they meet the relevant data protection requirements when executing and operating De-Mail services in order to achieve accreditation.

The data protection criteria that the service provider must meet are defined in a criteria catalogue, which is the responsibility of the German Federal Commissioner for Data Protection and Freedom of Information (BfDI). The catalogue is available to the public in the De-Mail section of the BfDI's website.

The route to proof of data protection ‒ competence of BfDI

Anyone who wishes to be accredited as a provider of De-Mail services must prove that they meet the statutory data protection requirements in the design and operation of each service. IT aspects that affect data security are already covered by the IT security check, so the proof of data protection may refer to that check for those aspects rather than examining them a second time.

Proof can take the form of a certificate from the BfDI. The certificate is issued if a prior examination has satisfied the BfDI that the De-Mail-specific requirements for the implementation of data protection have actually been fulfilled.

The service provider must apply in writing to the BfDI for the certificate and submit an expert report by a qualified testing body. This expert report must show that the service provider meets those requirements defined in the criteria catalogue as De-Mail-specific requirements for the proof of data protection.

The testing body may be an expert body for data protection that has been recognised, officially appointed or authorised at federal or state level, for example a testing body or expert recognised as such by the Data Protection Authority of the German Federal State of Schleswig-Holstein (ULD).

In terms of process, this procedure corresponds to the procedure for issuing the security, functionality and interoperability attestations, which also requires submission of test reports by qualified testing bodies and auditors.

As part of the accreditation process, the public authority responsible for the accreditation (the BSI, according to the De-Mail Act) formally confirms that this proof of data protection has been submitted, without carrying out any further checks on its content.