- Documents must be signed exclusively with a qualified electronic signature. Advanced and simple signatures are not permitted.
- The automatically generated producer declaration bears the seal of the Zentrale Stelle Verpackungsregister (Central Agency Packaging Register – ZSVR) and must not be altered. The auditor's signature must be added, to make sure that both signatures are embedded in the file.
- The signature card delivered by the trust service must be explicitly activated after receipt. Signatures from signature cards that have not been activated cannot be verified. If the signature card's validity period has expired, it can no longer be used to sign.
- To electronically sign a document, the 'PADES embedded' signature exchange format is mandatory, and must be activated in the signature software used, as necessary.
- The signature software must be set up in such a way that the generated signature time is not in the future. Signature times in the future cannot be verified.
- Information stored in the electronic signature is encrypted. The encryption procedure used for this purpose must comply with current eIDAS Regulation requirements.
The qualified electronic signature (QES) is the equivalent of the traditional handwritten signature in the electronic world. It makes it possible to verify the authorship of a declaration in electronic data transfers over the long term. The qualified electronic signature is the legal counterpart to a handwritten signature.
In addition to a computer, laptop or similar device, a qualified certificate on a secure signature card, a chip card reader and corresponding signature software are needed to produce a qualified electronic signature. Alternatively, a remote signature using a mobile device and 2-factor authentication is possible.
The signature card anchored with a qualified certificate can be ordered from a qualified trusted services provider (trust service). The current list of trust services recognised by the European Commission can be viewed online (https://webgate.ec.europa.eu/tl-browser/#/). Certificates from these trust services are recognised in the European Economic Area.
Users identify themselves to the trust service and are then registered by the service. Digital signatures relate to a process whereby an additional data set – the so-called signature – is generated for each given digital file.
Verification of the digital signature determines whether the signed data have been changed after the signature process. The author of the signature can also be determined during the verification process by reading the certificate. This certificate is secured by a trust service. The use of a password or PIN prevents an unauthorised third party from using the certificate.