The long-promised has become a reality, and tens of thousands of people are starting to receive access data to new, legally established data boxes these weeks. The Ministry of the Interior has a total of three months to do this, but it will not be idle. Non-entrepreneurial legal entities, specifically unit owners’ associations (SVJ), associations and foundations, were the first to come.
Correct me if I’m wrong, for example in the comments below the article, but at this point all legal entities from these two categories should already have a data card set up. Of course, this does not mean that it can be delivered to it. We’ll show you the difference soon.
How do you find out that you have already set up a data card and what identifier did it receive? Quite easily via the web interface List of holders of data boxes. Be sure to enter the ID number of the association of owners of the house in which you live, or of the foundation where your charity was directed, for example.
You’ll immediately see how you’re doing and whether to expect an envelope with a yellow stripe in the next few days. If you find the note “inactive data box” next to the name of the legal entity after the hyphen in the title, it means that it is already being activated. Expect that everyone who is registered with the legal entity in the category of statutory body will get their hands on login information. For those who previously voluntarily set up a data card for non-entrepreneurial natural persons, these data will be added to the data card. By other mail.
Attention, although you will read in the attached instructions for the shipment that it is a document delivered in accordance with administrative regulations, after the ten-day storage period, this shipment will be returned to the sender and will not be dropped into the mailbox like standard official mail. The Ministry of the Interior as an administrative authority in the given case, the possibility of dropping it into the box according to § 23 paragraph 4 of the Administrative Code excluded.
Let’s remind ourselves of the deadlines associated with the activation of mailboxes. An envelope with a yellow stripe (or a data message with login details delivered to a voluntarily established data card of a natural person – non-entrepreneur) will not wait long for you. The tenth day is considered delivered, whether you pick it up or not. With the paper version, it has the disadvantage that the post office will return it straight to the sender without you looking at it. (You can then request new data at any time, for example on CzechPOINT. You can read the login data delivered to the data card at any time afterwards.)
From the moment you pick up the envelope with the yellow stripe (or when the data is delivered to you by fiction), a new period of 15 days to make the mailbox available begins. If you log into the data box yourself during this period, the mailbox becomes active at that moment and you can deliver to it. If for any reason you do not make it, the mailbox will be activated automatically on the fifteenth day after the delivery of the data. You will recognize it from the already mentioned list, where the introductory text disappears and only a table with data about the mailbox remains. When you log in for the first time, you will set a new password.
Even those who cannot act independently have access
So we know the rules, and now let’s look at the intricacies that are connected with this principle and that mainly concern SVJ and other legal entities with a collective statutory body. In the analog world, SVJ has one mailbox, and only the chairman or someone else who regularly picks it has the keys to it. As a result, they don’t have to find out if someone else accidentally took the letter from the mailbox.
It’s different in the world of data boxes. Every member of the statutory body has equal access to it. If the SVJ has a five-member committee established in its statutes, each member of this committee will receive unique access data. And each member of the committee can independently and without the knowledge of the others speak to public authorities through the data card, although from a legal point of view the statutes of the SVJ often do not allow him to do so. So he can activate the data box, he can look into it and thereby cause documents to be served, and he can send documents from the data box without the committee chairman having to agree, or even often without his knowledge.
Most often, the SVJ statutes use wording taken from the model statutes introduced at the time by decree 371/2004 Coll. Although this decree was repealed with the arrival of the new Civil Code in 2014, the statutes, at least in this part, are set according to it for almost all SVJ.
The committee is a statutory body of the community. The assembly committee is responsible for its activities. The committee is represented externally by its chairman. In the absence of the chairman, he is represented by the vice-chairman. If it is a written legal act made by the committee, it must be signed by the chairman or on his behalf by the vice-chairman and another member of the committee.
In other words, if SVJ wants to externally, i.e. even towards the authorities, to act, he needs the will of the chairman or, in his absence, the vice-chairman together with another member of the committee. Data records are not able to monitor the compliance of legal actions carried out through them with the statutes of a legal entity, i.e., that what someone does for a legal entity is really authorized.
If a member of the statutory body exceeds his authority given by the statutes or other internal regulations of the legal entity, and for example sends a document from the SVJ data box, thereby acting legally, although he is not authorized to do so, it can cause annoyance to all involved. The legal act will be absolutely invalid, which the authorized chairman will have to object to in a complex way, the procedure will probably be prolonged for the administrative body, and the unauthorized sender will face the most problems. “A legal entity can file a claim for damages against him, and if intent is proven, criminal liability also comes into consideration,” says the lawyer Marie Koričanská from BKS attorneys.
The complicated legal situation is additionally spiced up by the fact that for content sent from data boxes (outside of the data of the authorities) it applies to the authorities signature fiction. Such a document may not be electronically signed at all, yet the recipient looks at it as if it were signed:
An act performed by a person referred to in § 8 paragraphs 1 to 4 or by an authorized person, if they have been authorized to do so, via the data box has the same effects as an act made in writing and signed, unless another legal regulation or internal regulation requires the joint action of several of the listed persons.
The date tag makes it possible to hide who sent the text from it
Not that this situation couldn’t happen in the analog world. The problem with the digital world of data is that it makes it much easier to act in violation of the authority granted, make it more difficult to identify the unauthorized act as a subject, and that even those who have no fraudulent intentions at all can get into trouble with the law. Let’s not just stick with SVJ, we’ll show it on the example of a classic company that has one executive (statutory body) and a secretary with access to letterheads and a stamp.
The secretary, with the knowledge of the boss, sends the mail, which he signs. If the executive forgot to sign the document, or if the secretary signed it with her own signature instead, such a letter would surely attract the attention of the recipient of the mail. He would look in the commercial register and find out who is authorized to act on behalf of the company and if this condition is met. Now let’s leave aside the possibility that the secretary doesn’t get along with her boss and wants to harm the company on her way out by directly forging the executive’s signature on an important document.
In the case of a message sent by data card to a public authority, there is no need to have a signature on the document. In addition, if the sender does not check the optional flag “Add sender identification”, the recipient has no way to know which of the authorized or authorized users of the data box actually sent the message. It is thus much easier for people with access to the data box to pretend to be a person authorized to act on behalf of the subject, even if they do not have this right.
The legal regulation of dealings for a legal person in the articles of association and the slightly unfortunate regulation of the fiction of signature in the Act on electronic transactions and authorized conversion of documents stand in opposition to each other. Why unhappy? It puts the office (public authority) in an evidentially complicated situation, where it will be necessary to prove whether the document was sent by the chairman, who can act on behalf of the SVJ alone, or by the vice-chairman, who can only act in writing together with another member of the committee. In the first case, the fictitious signature would be admissible, in the second, not. Without the mentioned sender identification flag, the office has no way to find out which user sent the document from the received message. Only the operator of the data mailbox system has this information.
In such a case, the recipient should always be on the lookout and, if he comes across an unsigned document, for which the application of a fictitious signature comes into consideration, he should proactively insist on proving who is acting on behalf of the legal entity in the absence of a sign of the sender’s identification. “Otherwise, there is a risk that all the conditions for fulfilling the fictitious signature will not be met and the document will have to be viewed as unsigned, with all the consequences,” warns Koričanská.
And it doesn’t necessarily just have to be about sending a document. It is sufficient for a member of the statutory body to act externally on behalf of SVJ by logging into the data log and either activating it or causing incoming messages to be delivered. This undoubtedly results in legal consequences that are binding for the entity in question.
Teach your colleagues or change your bylaws
Unfortunately, data boxes do not allow to narrow the range of authorized users below the legal minimum and to say that not all members of the statutory body get access, but only some. On the other hand, it is possible to authorize another person to dispose of the mailbox. In the case of single-member statutory bodies, however, it will always be up to the authorized user to decide whether and to whom else the rights may be transferred. However, collective statutory bodies lack this option, and public authorities should take a more suspicious approach to documents that are not electronically signed.
The described situation has two solutions: instructive and radical. As part of a collective statutory body, you can remind others of the statutes and agree with its members that only one person will retrieve messages from the data card. Or you change the articles of association in such a way that you turn the collective statutory body into an individual one. In the case of SVJ, the committee ends and the chairman takes over.
