Law 35/2014, Of 27 November, Of Electronic Trust Services

Original Language Title: Llei 35/2014, del 27 de novembre, de serveis de confiança electrònica

Read the untranslated law here: https://www.bopa.ad/bopa/026071/Pagines/lo26071011.aspx

lo26071011 law 35/2014, of 27 November, of electronic trust services since the General Council in its session of 27 November 2014 has approved the following: law 35/2014, of 27 November, of electronic trust services exhibition of illustrations and one of the essential needs in any developed society in order to promote economic development is the creation of electronic trust in the digital space. In fact, the lack of confidence in this area promotes electronics that consumers, businesses and the Government hesitate to execute transactions by electronic means and adopt new services.
In this sense, the legal framework which is proposed by this law aims to establish secure electronic interactions between citizens, businesses, and the public administration, in order to increase the efficiency of public and private activities that are carried out in a digital space, as well as the business and electronic commerce, not only in the Principality of Andorra, but also considering the perspective of the European Union , with the intention of advancing a desirable convergence.
The legislation in force in the matter until now, that is to say, law 6/2009, of 29 December, electronic signature, referred almost exclusively to the electronic signature, without anticipating the rest of electronic trust services. With regard to the electronic signature, this law replaces legislation until now in force, to which derogates, in particular, the above-mentioned law 6/2009.
On the basis of the experience in the implementation of the certificate has been exported the need of having a new law that allows this introduction of a efficient way. This text, then, expands the range of electronic trust services, among others, to the e-services related to the creation, verification and validation of electronic signatures, electronic stamps, electronic time brands, electronic documents, electronic delivery, authentication of websites and the provision of digital certificates and encryption.
In all cases, the purpose of the legislation is, clearly, to contribute to generate a high level of legal security framework in support of public and private transactions, using the electronic trust services guarantees.
The trusted electronic services, in particular when they are qualified, guarantee the authenticity, so that it can determine that the documents and information may be linked to the person authorized by the signature or the electronic stamp; the integrity, so that these documents and information cannot be modified without the modification being detected; the irrefutabilitat or not rejection of the statements contained in the documents and information that are signed or sealed, as well as their referral or receipt; and finally, the date and the time in which there are documents and information.
Likewise, the frame border to ensure the safety, the reliability and the ease of electronic transactions has to equate to the regulations of the countries that are part of the economic orbit of Andorra, with the aim of facilitating the agreements and the recognition in the field.
Consequently, it is also the objective of this law to adapt the existing legislation and to extend it, including other essential services for citizens trust connected electronics, the companies, and the Government, must be able to benefit from this mutual acceptance and recognition through the borders when is necessary for access to and carrying out procedures or electronic transactions.
From these premises, the law is structured in five chapters. The first chapter includes general provisions. The second chapter refers to electronic trust services, with special emphasis on the electronic signature and the new digital stamp, which replaces the digital signature of the legal persons, but also the timestamps, electronic certificates of authentication of web sites and electronic delivery service. The third chapter deals with the electronic document and digitization. The fourth chapter deals with the provision of electronic trust services, these are the trusted service providers and electronic monitoring and control of electronic trust services. Finally, the fifth chapter determines the system of sanctions.
The law also consists of a repeal and final provision.
Chapter first. General provisions Article 1 object of the Act the object of this law is to regulate the legal effects of electronic signatures), electronic stamps, electronic time brands, electronic certificates of authentication of web site and electronic delivery services.
b) establishing a legal system of electronic trust services providers and their activity, the conditions of supervision and the system of penalties and infringements.
c) Establish the conditions under which Andorra recognizes the efficacy, in its territory, of electronic trust services provided by foreign electronic trust service providers.
Article 2 scope of application 1. This law is applicable to electronic trust service providers established in Andorra and the services provided through a permanent establishment in the country.
It is understood that a lender is set in Andorra, when the site in which you are in fact the centralized administrative management and direction of their business is in the territory of Andorra. To such effects, is presumed, unless evidence to the contrary, that the administrative management and direction of the business of a lender is located centrally on the territory of Andorra when the provider has his habitual residence or your registration address in Andorra, or when it has been registered in the register of companies or other public record of Andorra that was necessary for the acquisition of legal personality.
It is considered that a lender acts through a permanent establishment situated in Andorra, when in the same continuous, or habitual, of facilities or of places of work in which performs the whole or a part of its activity.
The use of technological resources located in Andorra for the provision or access to the services, does not serve, by itself, as a criterion for determining the establishment in Andorra of the operator.

2. This law does not apply to the provision of electronic trust services offered within a closed system, established by provision of a law or in accordance with a contract, when offered to a whole set of participants and are used exclusively between them without having effects on third parties.
3. The provisions of this law does not modify the requirements applicable to the formalisation, validity and effectiveness of business and legal acts or documents stating. Does not modify the applicable rules on the protection of consumers and users, or trade.
Article 3 Definitions for the purposes of this law, the following definitions apply: 1. "Authentication": electronic process that allows the validation of electronic identification of a natural or legal person, or the origin and the integrity of electronic data.
2. "e-Certificate": electronic declaration that links the data validation of a signature or an electronic stamp of a natural or legal person, respectively, with the certificate, and confirming the details of that person.
3. "qualified electronic certificate web site authentication": statement that allows you to authenticate a web site and link it with the person who has been issued a certificate to a trusted service provider qualified electronics that meet the requirements established in this law.
4. "qualified electronic certificate of electronic stamp": statement that is used to support a digital stamp issued by a trusted services provider qualified electronics and that it complies with the requirements laid down in article 8.
5. "qualified electronic certificate of electronic signature ': statement that is used to support digital signatures issued by a trusted services provider qualified electronics and that it complies with the requirements laid down in article 6.
6. "the creator of a seal": a legal entity that creates a digital stamp.
7. "digital signature creation data": data only using the signatory to create an electronic signature.
8. "data from creation of the electronic label": unique data used by the creator of a digital stamp to create it.
9. "validation Data": data used to validate a digital signature or an electronic stamp.
10. "e-stamp and signature verification data": data that are used to verify the electronic signature and electronic label.
11. "Digitization": technological process that allows the obtaining of one or more electronic files containing the encoded image, faithful and full of a document on paper through fotoelèctriques techniques of scanning or any other that may exist. This file consists of the electronic image obtained, their metadata and, if applicable, the signature or the electronic stamp associated with the digitalisation process.
12. "Device to create signs and electronic labels": computer or computer program set up to create a signature or an electronic label.
13. "qualified electronic stamps and signature creation device": a device for creating signs and electronic labels that meet the requirements listed in article 10.
14. "Electronic Document": all content stored in electronic format, in particular, text or sound, visual or audiovisual recording.
15. "Standards": rules or voluntary application of technical specifications that are applicable to a specific subject.
16. "electronic report": a set of electronic documents corresponding to an administrative procedure, regardless of the type of information they contain.
17. «electronic identification ": the process of using a person's identification data in electronic form which unequivocally represent a physical or legal person.
18. "Interoperability": capacity of information systems, and therefore the procedures to which these systems support, share data and make possible the exchange of information and knowledge between them.
19. "electronic time stamp": data in electronic form that link other electronic data with a specific moment and provide proof that such data existed at this time.
20. "qualified electronic time stamp": electronic time stamp which meets the requirements laid down in article 18.
21. "Metadata": any type of information in electronic form associated with the electronic documents, of an instrumental nature and independent of its content, aimed at understanding and diagnosis of some of its characteristics, in order to ensure the availability, access, conservation and the interoperability of the same document.
22. "electronic means": device, installation, equipment or system that allows you to produce, store or transmit documents, data and information; includes any restricted or open communication networks like the Internet, fixed and mobile telephony or other.
23. "Numbers of reference of standards": numerical references through which identifies a standard technique of possible application.
24. "Product": computer or computer program, or components that belong, meant to be used for the provision of electronic trust services.
25. «electronic trust service provider ": a natural or legal person that provides one or more electronic trust services.
26. "qualified electronic trust service provider": electronic trust service provider that meets the requirements established in this law.
27. "electronic Seal": data in electronic form annexed to other electronic data, or that are associated with a logical way, to guarantee the origin and the integrity of the data associated with it.
28. "a digital stamp digital stamp": advanced that meets the following requirements: a) Be linked to the creator of a unique label.
b) Allow the identification of the creator of the seal.
c) have been created using data from creation of the electronic label, which the creator of the label can be used to create a digital stamp, with a high level of trust electronics, under its exclusive control.
d) be linked with the data referred to in such a way that any further modification is detectable.

29. "qualified electronic Stamp»: electronic label that is created by a device for the creation of qualified electronic stamps and that is based on a qualified electronic certificate of electronic stamp.
30. «electronic trust services ": e-services related to the creation, verification and validation of electronic signatures, electronic stamps, electronic time brands, electronic documents, electronic delivery, website authentication and provisioning of encryption and electronic certificates, including certificates of electronic signatures and electronic label.
31. "qualified electronic trust service": electronic trust service that meets the requirements of provisions of this law.
32. «electronic delivery service certificate ": service that allows you to transmit data between third parties by electronic means and provided evidence related to the management of the data transmitted, including proof of the sending and the reception of the data, and that protects the data transmitted against risks of loss, theft, unauthorized alteration or deterioration.
33. «Head Office»: email address available to the public through telecommunication networks the ownership, management and administration of which corresponds to a public administration, a body or an administrative entity in the exercise of its powers.
34. "Signatory": physical person that creates a digital signature.
35. "electronic signature": data in electronic form annexed to other electronic data or logically associated with using the signatory to sign.
36. ' advanced electronic signature ': electronic signature which meets the following requirements: a) Be linked to the signatory so unique.
b) Allow the identification of the signatory.
c) have been created using electronic signature creation data that the signatory may be used, with a high level of trust electronics, under its exclusive control.
d) be linked with the data referred to in such a way that any further modification is detectable.
37. "qualified electronic signature": advanced electronic signature which meets the following requirements: a) have been created by means of a device for the creation of qualified electronic signatures.
b) Be based on a qualified electronic certificate of electronic signature.
38. "user of electronic trust services": person who makes use of electronic trust services.
Article 4 accessibility for people with disabilities whenever possible, electronic trust services provided and the products for end users used in the performance of these services should be accessible to people with disabilities.
Second chapter. The trusted electronic services Section first. The signature scheme and the e-stamp Article 5 legal effects of electronic signatures 1. When a law requires the signature of a natural person, this requirement is understood to have met with the use of the electronic signature that is appropriate.
2. Is not rejected the legal effects and admissibility as evidence in legal and administrative proceedings of any kind to a digital signature for the sake of fulfilling this condition.
3. A qualified electronic signature is, in respect of the data contained in digital media, the same legal effect as a handwritten signature in relation to data recorded on paper.
It is understood that the qualified electronic signature meets the necessary conditions to produce the effects listed in this article, when the qualified certificate on which it is based has been provided by a service provider of qualified electronic trust according to the provisions of this law and the qualified signature creation device with which this occurs is certified.
4. When the electronic signature to be used in the framework of a previously agreed upon by the parties to interact exclusively with each other privately, it should be borne in mind that that the parties have stipulated, unless it is contrary to law.
5. The Government can issue regulatory provisions to define the different levels of security of electronic signatures as well as establish reference numbers of rules relating to the same levels, which should be published in the official bulletin of the Principality of Andorra. It is assumed the fulfillment of safety standards when the electronic signature meets these standards.
Article 6 requirements of qualified electronic signature certificates 1. Qualified electronic signature certificates should indicate specifically that are delivered with this character and must have, at a minimum, the following content: a) an indication, at least in a format suitable for automated processing, that the electronic certificate has been issued as a qualified certificate of signature.
b) a set of data that unequivocally represent the electronic trust service provider qualified electronic certificates issued by qualified, including at least the State in which the provider is established, and – for individuals: the name of the person.
-for legal persons: the name and the registration number according to consist in official records.
c) a set of data that unambiguously represents the signatory which has been issued by the electronic certificate, including at least your name or a pseudonym, who identifies himself as such.
of the digital signature validation) data that correspond to the data of creation of the electronic signature.
e) The data relative to the beginning and end of the period of validity of the certificate.
f) identity code of the certificate, which must be unique for the qualified electronic trust service provider.
g) The advanced electronic signature, or the seal advanced electronic trust service provider email sender.
h.) the place where it is free of the electronic certificate that supports advanced electronic signatures or advanced electronic label to which reference is made in the letter g).
and) the location of the services of State of validity of electronic certificate that can be used to find out the State of validity of qualified electronic certificate.

j) When the details of creating the electronic signature related to the validation of the electronic signature data are on a device creation of qualified electronic signatures, a proper indication of this circumstance, at least in a form suitable for automatic processing.
2. The electronic certificate can contain any other circumstance or significant personal attribute of the owner, depending on the purpose of the electronic certificate and as long as the owner is there to give your consent, under the conditions that will make public declaration of electronic trust practices.
3. If a qualified electronic signature certificate is revoked after the initial activation, loses validity and cannot, in any circumstances, recover its been renewing its validity.
4. The Government can issue regulatory provisions to define more accurately the requirements of the qualified electronic certificates of electronic signatures as well as establish reference numbers of rules relating to the same certificates, which must be published in the official bulletin of the Principality of Andorra. It is assumed in compliance with the requirements set out in paragraph 1 when the qualified electronic signature certificate meets these standards.
Article 7 Legal Effects of electronic stamp 1. When a law requires a signature of a legal person, this requirement is understood to have met with the use of the label that is appropriate.
2. Is not rejected the legal effects and admissibility as evidence in legal and administrative proceedings of any kind to a digital stamp by the mere fact that you present in electronic form.
3. A qualified electronic seal has the presumption of legal guarantee the origin and the integrity of the data to which it is linked.
It is understood that the qualified electronic label meets the necessary conditions to produce the effects listed in this article, when the qualified certificate on which it is based has been provided by a service provider of qualified electronic trust according to the provisions of this law and the qualified device of the seal with which this occurs is certified.
4. The Government can issue regulatory provisions to define the different levels of security of the electronic label, as well as establish reference numbers of rules relating to the same levels, which should be published in the official bulletin of the Principality of Andorra. It is assumed the fulfillment of safety standards when the electronic stamp according to these rules.
Article 8 requirements for qualified electronic certificates of electronic stamp 1. Qualified electronic certificates of electronic stamp must contain: a) an indication, at least in a format suitable for automated processing, that the electronic certificate has been issued as a qualified electronic certificate of electronic stamp.
b) a set of data that unequivocally represent the electronic trust service provider qualified electronic certificates issued by qualified, including at least the State in which the provider is established, and – for individuals: the name of the person.
-for legal persons: the name and the registration number according to consist in official records.
c) a data set to represent the legal person unambiguously to which has issued the certificate, and including at least the name and the registration number, as listed in the official records.
of electronic stamp validation data) that correspond to the data of the electronic seal.
e) The data relative to the beginning and end of the period of validity of the certificate.
f) identity code of the certificate, which must be unique for the qualified electronic trust service provider.
g) The advanced electronic signature, or the seal advanced electronic trust service provider email sender.
h.) the place where it is free of the electronic certificate that supports the advanced electronic signature, or the seal advanced e-what is referenced in the letter g).
and) the location of the services of State of validity of electronic certificate that can be used to find out the State of validity of qualified electronic certificate.
j) When the data of the electronic stamp related to the electronic stamp validation data are on a device creation of qualified electronic stamps, a proper indication of this, at least in a form suitable for automatic processing.
2. the qualified electronic certificates of electronic stamp should not be subject to any mandatory requirement that exceeds the requirements established in the previous section.
3. If a qualified electronic certificate of electronic stamp will revoke after the initial activation, loses its validity and cannot, in any circumstances, recover its been renewing its validity.
4. The Government can issue regulatory provisions to define more accurately the requirements of the qualified electronic certificates of electronic stamp, as well as establish reference numbers of rules relating to the same certificates, which must be published in the official bulletin of the Principality of Andorra. It is assumed in compliance with the requirements set out in paragraph 1 when the electronic certificate of seal according to these rules.
Article 9 electronic signature creation devices and electronic label 1. A device for creating an electronic signature and a digital stamp is a computer or computer program that is used to implement the signature-creation data and electronic label.
2. A secure signature creation device and electronic stamp is what guarantees, at least, by technical means and appropriate procedures to the requirements of article 10.
3. The Government can establish reference numbers of rules regarding electronic signature devices and electronic stamps, and other systems, media and related products referred to in this law, which should be published in the official bulletin of the Principality of Andorra. It is assumed in compliance with the requirements established in this law when the device according to these rules.
Article 10 Requirements of the devices for the creation of qualified electronic signatures and qualified electronic stamps

1. The devices for the creation of qualified electronic signatures and qualified electronic stamps must be guaranteed as a minimum, by technical means and appropriate procedures, that: a) Is guaranteed the secrecy of data of creation of the electronic signature and electronic stamp used for the generation of digital signatures and electronic stamps.
b) data from creation of the electronic signature and electronic label used for the generation of a digital signature and an electronic stamp will only appear once.
c) there is reasonable security that the details of creating the electronic signature and electronic label used for the generation of a digital signature and a digital stamp cannot be found, by deduction, and that the electronic signature and seal are protected against counterfeiting by the technology available at the time.
of) the data of creation of the electronic signature and electronic label used for the generation of a digital signature and a digital stamp can be protected by the legitimate signatory reliably against their use by others.
2. The devices for the creation of qualified electronic signatures and qualified electronic stamps do not have to alter the data that must be signed or prevent such data appear in a signatory before signing.
3. The creation and the management of digital signature creation data and electronic label in the name of the signatory are in charge of a qualified electronic trust service provider.
4. The electronic trust service providers qualified to manage the data of creation of the electronic signature and electronic label in the name of the signatory, can make backup copies of the data of creation of the electronic signature and electronic label, provided that they meet the following requirements: a) the safety of copied data sets is the same level as for the original data sets.
b) that the number of copied data sets does not exceed the minimum required to ensure the continuity of the service.
Article 11 Certification of the devices for the creation of qualified electronic signatures and qualified electronic stamps 1. Qualified electronic signature creation devices and qualified electronic stamps must be certified by the appropriate public or private bodies designated by the Government, provided that they have been subjected to a process of security assessment carried out in accordance with the rules for the evaluation of the security of information technology products.
2. The Government published the names and addresses of public or private bodies referred to in paragraph 1.
Article 12 publication of a list of devices for the creation of qualified electronic signatures and certificates of qualified electronic stamps certificates the Government published in the official bulletin of the Principality of Andorra, a list of devices for the creation of qualified electronic signatures and qualified electronic stamps, certified by the bodies referred to in the previous article, as well as information about the devices for the creation of digital signatures and electronic stamps that have ceased to be certified.
Article 13 electronic signature verification devices and electronic label 1. A device for verification of signature and e-stamp is a computer or computer program that is used to implement the signature verification data and electronic label.
2. secure verification devices of electronic signature and electronic seal should ensure, whenever technically possible, that the process of verification of a digital signature and a digital stamp meets the following conditions: to) That the data used to verify the signature and the electronic label correspond to the data displayed to the person who verifies the signature and electronic seal.
b) the signature and the electronic stamp will verify reliably and the result of the verification is presented correctly.
c) that the person who verifies the digital signature and the stamp may establish reliably the contents of the data message was signed.
d) That verify reliably the authenticity and validity of the certificate that is required to verify the signature and electronic seal.
e) That clearly shows the result of the verification and the identity of the user of electronic trust services or, when it is the case, clearly states that the use of a pseudonym.
f) that can detect any relevant changes related to safety.
3. The data relating to the verification of the electronic signature and seal, such as the time in which there is a verification of the validity of the electronic certificate, must be able to be stored by the person who verifies the signature and the stamp or, under their responsibility, by trusted third-party electronics.
Article 14 requirements for the validation of electronic signatures qualified and qualified electronic stamps of 1. The process of validation of a qualified electronic signature and a seal qualified electronic signature and confirms the validity of the electronic label, provided that: a) the electronic certificate that supports the signature or electronic label is a qualified electronic certificate of electronic signature or electronic label that conforms to the provisions of article 6 or article 8 , respectively.
b) the certificate is authentic and valid email required qualified.
c) data from the signature and validation of the electronic label correspond to the data provided to the user.
d) The data set that represents unequivocally the signatory is provided correctly to the user.
e) in the event that you use a pseudonym, the use of the same pseudonym is clearly indicated to the user.
f) the electronic signature and electronic seal were created by means of a device for the creation of qualified electronic signatures.
g) the integrity of the signed data has not been compromised.
h) have fulfilled the requirements of article 3, paragraphs 36 and 28, respectively.
I) the system used to validate the signature and the stamp features the user electronic correct result of the process of validation and allows you to detect any problem that affects security.

2. The Government may issue regulatory provisions to define more accurately the requirements of the validation of electronic signatures qualified electronic stamps and qualified, as well as establish reference numbers of rules relating to the same validation, which must be published in the official bulletin of the Principality of Andorra. It is assumed in compliance with the requirements set out in paragraph 1 when the validation according to these rules.
Article 15 qualified validation service for qualified digital signatures and qualified electronic stamps 1. Provides a validation service for qualified electronic signatures and qualified electronic stamps, the electronic qualified trust service provider: a) perform validation in accordance with article 14, and b) allow the parts users receive the result of the process of validation of a reliable, efficient, automated way, and with the advanced electronic signature, or the seal advanced electronic service provider of qualified validation.
2. The Government may issue regulatory provisions to define more precisely the requirements of qualified service of qualified electronic signatures and validation of qualified electronic stamps, as well as establish reference numbers of rules relating to the same qualified service of validation, which must be published in the official bulletin of the Principality of Andorra. It is assumed in compliance with the requirements set out in paragraph 1 when the validation service according to these rules.
Article 16 Conservation Service of the qualified electronic signatures and qualified electronic stamps 1. Provides a service for the conservation of digital signatures and qualified electronic stamps the electronic qualified trust service provider use procedures and technologies capable of increasing the reliability of the data for the validation of the qualified electronic signature and stamp of qualified beyond the technological validity period.
2. The Government may issue regulatory provisions to define more precisely the requirements for electronic signatures qualified conservation and qualified electronic stamps, as well as establish reference numbers of rules relating to the same conservation, which must be published in the official bulletin of the Principality of Andorra. It is assumed in compliance with the requirements set out in paragraph 1 when the conservation service according to these rules.
Second section. Electronic time marks Article 17 legal Effect of electronic time marks 1. Is not rejected the legal effects and admissibility as evidence in legal and administrative proceedings of any kind to a electronic time stamp for the sake of fulfilling this condition.
2. The qualified electronic time stamp has the presumption of legal guarantee the date and the hour that follows, and the integrity of the data that are associated with these date and time.
Article 18 requirements of qualified electronic time marks 1. A qualified electronic time stamp must meet the following requirements: a) be linked with accuracy to the Coordinated Universal time (UTC) so that you can eliminate any possibility to modify the data without being detected.
b) be based on a source of temporary information accurate.
c) have been issued by a trusted services provider qualified electronics.
d) have been signed through the use of an advanced electronic signature, or a digital stamp qualified advanced electronic trust service provider, or any equivalent method.
2. The Government may issue regulatory provisions to define more precisely the requirements for linking the exact date and time with the data, and a source of temporary information accurate, as well as establish reference numbers of rules relating to the same data, which should be published in the official bulletin of the Principality of Andorra. It is assumed the fulfillment of safety standards when the electronic time stamp according to these rules.
The third section. Electronic certificates of authentication of websites Article 19 requirements for qualified electronic certificates of authentication of web sites 1. Qualified electronic certificates of authentication of web sites should contain: a) an indication, at least in a format suitable for automated processing, that the electronic certificate has been issued as a qualified electronic certificate of authentication of websites.
b) a set of data that unequivocally represent the electronic trust service provider qualified electronic certificates issued by qualified, including at least the State in which the provider is established, and – for individuals: the name of the person.
-for legal persons: the name and the registration number according to consist in official records.
c) a data set to represent the legal person unambiguously to which has issued the certificate, and including at least the name and the registration number, as listed in the official records.
d) Elements of the addresses, including at least the city and State, of the legal person to whom the certificate is issued, and according to official records appears.
e) the name or domain names that are exploited by the person to whom it is issued the electronic certificate.
f) The data relative to the beginning and the end of the period of validity of the certificate.
g) the code of electronic certificate, which must be unique for the qualified electronic trust service provider.
h.) The advanced electronic signature, or the seal advanced electronic trust service provider email sender.
and) the place where it is free of the electronic certificate that supports advanced electronic signatures or advanced electronic label to which reference is made in the letter h).
j) the location of the services of State of validity of electronic certificate that can be used to find out the State of validity of qualified electronic certificate.

2. The Government may issue regulatory provisions to define more accurately the requirements of the qualified electronic certificates of authentication of web site, as well as establish reference numbers of rules relating to the same requirements, which must be published in the official bulletin of the Principality of Andorra. It is assumed the compliance with the requirements of section 1 when the electronic certificate of authentication of web site meets these standards.
Section four. Electronic delivery service Article 20 legal Effect of electronic delivery service 1. The data sent, received, or placed at the disposal by means of an electronic delivery service, are admissible as evidence in administrative and judicial proceedings of any kind with regard to the integrity of the data, and the certainty of the date and time at which the data were sent to a specific recipient, received by him, or placed at their disposal.
2. The data sent, received or made available by a qualified electronic delivery service, have the legal presumption of the integrity of the data and the accuracy of the date and time of sending, receiving or making available of the data indicating the qualified electronic delivery system.
Article 21 requirements of qualified electronic delivery services 1. Electronic delivery services qualified must meet the following requirements: a) to be provided by one or more qualified electronic trust service providers.
b) make sure the sender identification unequivocally and to ensure the identification of the recipient before the delivery of the data.
c) protect the process of sending or receiving of data by means of an advanced electronic signature or an electronic stamp advanced a trusted service provider qualified electronics, so that it prevents the possibility that the data may be modified without being detected.
d) clearly indicate to the sender and the recipient of the data any modification of the data necessary for the sending or receipt of the data.
e) Indicate, by means of a qualified electronic time stamp, the date and time of sending, reception and eventual modification of the data.
f) in the event that the data is transferred between two or more qualified electronic trust service providers, have to apply the requirements set out in all the letters prior to all qualified electronic trust service providers.
2. The Government may issue regulatory provisions to define more accurately the requirements of the services of qualified electronic delivery as well as establish reference numbers of rules relating to the same services, which should be published in the official bulletin of the Principality of Andorra. It is assumed the compliance with the requirements of section 1 when the service is according to these rules.
Third chapter. The electronic document and Electronic Document digitalisation Article 22 1. As long as the law requires that the information certifies in writing, this requirement shall be considered satisfied if it consists in a digital format and accessible for subsequent consultation.
2. an electronic document may be considered a public document as long as they meet the requirements required by the specific legislation in force.
3. The electronic documents are considered to be equivalent to paper documents, are admissible as evidence in judicial proceedings and administrative document of any kind, and have the courage and the legal effects that correspond to its nature.
4. Any document that contains a qualified electronic signature or a competent person qualified electronic label to issue the document in question, has the legal presumption of authenticity and integrity, as long as the document does not contain any dynamic feature able to modify it automatically.
Article 23 documentary Digitalization 1. Provided that the reproduction does not violates intellectual property rights, authorize electronic copies of documents in paper or other media susceptible to digitalisation, whether it's public or private documents.
2. You will be able to preserve in digital media a public or private document on paper with the effects provided in the following section of this article if the digitization is performed by a qualified digitization process.
3. The process of digitalisation allows qualified to consider the electronic documents obtained as equivalent to paper documents scanned, and admissible as evidence in judicial and administrative procedures of all types, with the same value as the originals on paper originals, and without the need to have these originals.
4. The Government can issue regulatory provisions to define more precisely the requirements of digitization processes described, as well as establish reference numbers of rules relating to the same processes, which have to be published in the official bulletin of the Principality of Andorra. It is assumed the compliance with the requirements of section 1 when the process according to these rules.
The fourth chapter. The provision of electronic Trust Services Section first. Electronic trust service providers service providers electronic trust Article 24 1. The electronic trust services are provided under the regime of free competition, in accordance with the General rules governing the exercise of economic activities.
2. The public administrations that provide electronic trust, either directly or through related entities or organisms, they must do so in accordance with the principles of objectivity, transparency, non-discrimination and competition.
Article 25 electronic trust service providers of third countries 1. The services of qualified electronic trust of third countries are considered equivalent to the services of qualified electronic trust supplied by trusted qualified electronic service providers established in Andorra, in the following cases: a) in the case of electronic trust service providers established in the territory of the European Union, if the qualified service provider is well supervised by the competent authority of the country of the European Union in question and this condition appears in the list of electronic trust published by the European Union.

b) if the provision of services of electronic trust service provider of a third country conform to the standards selected by the Government, which are those of the European Union, and the lender has been certified according to these standards.
c) if the services of qualified electronic trust originating from third country are recognized under an agreement between Andorra and other countries or international organizations.
2. In the case of the letter c) of the previous section, these agreements should ensure that electronic trust service providers of third countries or international organisations meet the requirements applicable to electronic trust services qualified, and the qualified electronic certificates supplied by trusted qualified electronic service providers established in the territory of the Principality of Andorra, particularly with regard to the protection of personal data , security and monitoring.
Article 26 requirements for qualified electronic trust service providers 1. The trusted service providers qualified electronics wishing to provide services of qualified electronic trust: a) must inform any person who wants to use a trusted service qualified email about the necessary conditions relating to the use of this service.
b) have to use systems and secure products that are protected against all alteration and to ensure the safety and the technical reliability of the processes that support it.
c) must use secure systems to store data that they facilitate verifiable form, in such a way that:-Are available to the public for consultation only when you have obtained the consent of the person to whom the data were issued.
-Only authorised persons can make entries and changes.
-You can check the authenticity of the information.
d) should take action against the counterfeiting and theft of data.
e) must register for a minimum of fifteen meters from the end of the term of the service provided, all the relevant information concerning the data generated and received, particularly those that serve as evidence in legal proceedings. This record can be done by electronic means.
f) must have a plan for an injunction to ensure the continuity of the service, in accordance with the provisions of the supervisory body, in accordance with article 33.2. b).
g) must ensure a lawful processing of personal data in accordance with article 28.
2. issue a qualified electronic certificate, the electronic qualified trust service provider should check the identity of any such form and, if applicable, any specific attributes of the person or entity to which the qualified electronic certificate issued, by means of the display of public or private documents that prove sufficient form.
This information must be verified by a qualified service provider or by a third party authorized to perform under the responsibility of qualified service provider: a) in the presence of the person or a representative of the legal person authorized, or b) at a distance, using other qualified electronic certificates issued by a qualified service provider.
3. In the case of electronic certificates issued to natural persons but who have a relationship with an organization, company, institution, company or other legal entity, the electronic trust service providers should check, in addition to the identity of the applicant and the person identified in the electronic certificate, data relating to the Constitution and the legal status of the entity , and the extension and the validity of the powers or the powers of representation of the applicant, by means of the public documents that prove reliable form or the query to the relevant public register, in the case of data that should appear there.
4. It is not necessary to apply the established in paragraphs 2 and 3 in the case of an applicant's identity and the circumstances of which are known by the electronic trust service provider, due to a pre-existing relationship in which you have used the means of identification that there are established, if not it's been three years since the identification and if it transpires that all data are valid.
5. the electronic trust service providers are personally responsible for the actions of verification provided for in this article, even in the event that the delegate to other people.
6. the electronic trust service providers qualified electronic certificates issued qualified, must register in the database of electronic certification revocation certificates within a period of ten minutes after having taken effect the revocation.
7. With regard to the provisions of paragraph 6, the qualified electronic trust service providers that issued qualified electronic certificates must provide anywhere user information on the State of validity or revocation of qualified electronic certificates issued by them. This information must be available at any time at least for each electronic certificate in an automated way that is reliable, efficient and free.
8. The Government can establish reference numbers standards for systems and products that are worthy of trust electronics. It is assumed in compliance with the requirements established by this article when the systems and very safe products meet these standards.
Article 27 safety requirements applicable to electronic trust service providers 1. The electronic trust service providers must take appropriate technical and organisational measures to manage the risks to the security of electronic trust services they provide. Taking into account the State of the art, these measures must ensure a level of security appropriate to the degree of risk. In particular, should adopt measures to prevent and minimize the impact of security incidents and to inform those concerned of the negative effects of any incident.
Without prejudice to the provisions of article 35, any electronic trust service provider may present to the supervisory body the report of a security audit conducted by an independent body recognized in order to confirm that they have taken the appropriate security measures.

2. the electronic trust service providers that are addressed to the public and those who are qualified, have to report to the competent monitoring body, as soon as possible and preferably within a period of 24 hours after having knowledge, any security breach or loss of integrity in the service of electronic trust provided and in the corresponding personal data.
The supervisory body can inform the public about the security breach or loss of integrity in the service of electronic trust provided and in the corresponding personal data, or require the electronic trust service provider that you do, if you consider that the disclosure of the security breach is of public interest.
3. For the application of paragraphs 1 and 2, the competent supervisory body is empowered to give binding instructions to electronic trust service providers.
Article 28 protection of personal data 1. The treatment of the personal data that the electronic trust service providers need to develop its activity is subject to the current legislation regarding the protection of personal data.
2. The personal data required for electronic trust services provider must be strictly necessary for the provision of electronic trust services.
3. The electronic trust service providers must ensure the confidentiality and integrity of data related to the individual affected by the provision of an electronic trust service.
4. The electronic trust service providers can make a legal transfer of data to another electronic trust service provider, in the event of cessation of the activity, or the Government, in accordance with the legislation on personal data protection.
5. the electronic trust service providers can deliver in the digital certificates a pseudonym instead of the name of a natural person. In this case, you have to identify the individual connected with the pseudonym.
Article 29 Statement of practices of electronic trust 1. The electronic trust service providers must draw up a declaration of trust in email practices which must include obligations and warranties which are committed in connection with the management of trusted services electronics and data involved in the same services, the terms and conditions applicable to the requests, the use, the suspension of the validity , and extinction, the applicable security measures, as well as the rest of the data and information that are established in relation to each electronic trust service.
2. The provider of electronic trust services should make public, at least by electronic means, the electronic declaration of trust practices, free of charge and with free access.
Article 30 civil liability insurance 1. The electronic trust service providers must have signed a civil liability insurance. The minimum amount of liability insurance of electronic trust services providers that are addressed to the public and those who are qualified is six hundred thousand euros in order to ensure the coverage of damages that may be caused by reason of their activity.
2. The Government, by Decree, you can modify the amount of this guarantee and also establish other alternative formulas guarantee to supply all or part of insurance.
Article 31 cessation of the activity of electronic trust services 1. The cessation of the activity of electronic trust services requires communication to the users of their services, with a minimum of two months prior to the completion of the activity.
2. The lender to stop the activity of benefit can be transferred, with the consent of the users, the service and the information associated with that are still in force at another service provider that assume or, otherwise, extinguish the validity and reimburse users the part proportional to the remaining validity period of the service.
3. The provider must also communicate that has decided to cease the activity of providing to the public or private institution accredited by the Government to do the functions of accreditation entity in the same period established in paragraph 1. In this communication you must declare if you transfer to another service provider or if you terminated the validity of digital certificates.
4. The lender must guarantee for a period of four years, counting from the point at which it ceases to pay the services of trust electronics, the availability of a consultation service about the validity of the extinct electronic certificates.
5. In the event that the lender does not transfer the activity of providing services to another lender, the Government has to take care of identifying information or consultation, once removed from the certification activity, in order to ensure the conservation of the data.
Article 32 Liability 1. The electronic trust service providers are responsible for any damages caused to any person, including the loss of profit, by reason of the breach of the obligations established in this law, unless they can prove that they have acted with due diligence.
2. the electronic trust service providers are not responsible for any damages or loss of profit caused to the user of electronic trust services, to the recipients of the services or third parties in good faith, when these damages result from the breach of the duty of the user of electronic trust services, recipients of services, or of the third party in good faith that trusts in the digitally signed document in accordance with that established in articles 14 and 15. To invoke this exemption of liability, the provider of electronic trust services must prove that he has acted with due diligence.
3. When a provider of services of electronic trust duly inform their customers in advance about the limitations of the use of the services provided and these limitations are recognizable by a third party, the service provider of trust will not be liable for any damages caused by use of the services which go beyond the limitations indicated.

4. In the event that the provider of electronic trust services have been sanctioned by any of the accessory penalties provided for in article 41.1. b), or has been the subject of the provisional measure established in article 43 in), you must: a) Report the suspension to all users of its electronic certificates, indicating the start date and the completion.
b) consign the suspension on the electronic certificate, indicating the start date and the completion.
Second section. Supervision and control of electronic trust services Article 33 Monitoring and control 1. The Government has to control the electronic trust service providers that are addressed to the public and those who are qualified to fulfil the obligations set out in this law. For this purpose, the Government may carry out the necessary inspections.
The Government designates the public or private entity that makes the functions of accreditation entity as a supervisory body, which enjoys all the powers of supervision and investigation necessary for the exercise of its functions.
2. The supervisory body is responsible for the performance of the following tasks: a) responsibility for the supervision of electronic trust services providers listed in paragraph 1 established in Andorra, and electronic trust services they provide, through previous monitoring activities and, in order to ensure they meet the requirements established by this law.
b) ensure that the information and data referred to in article 26.1, letter e), recorded by the electronic trust services providers listed in paragraph 1, are preserved and are accessible in the event of cessation of the activities of a provider of services of qualified electronic trust, during the time period referred to in article 26.1. e).
3. The supervisory body must submit annually to the Government a report on the activities of corresponding supervision in the preceding calendar year before the end of the first quarter of the following year. This report should include, as a minimum: a) detailed information on their activities of monitoring.
b) a summary of the notifications of violations received from electronic trust service providers, in accordance with article 27.2.
c) statistics on the market and the use of electronic trust services, including information about the electronic trust service providers listed in the first section, the electronic trust services they provide, the products we use and the general description of its customers.
4. Civil servants appointed by the supervisory body to make the inspections are considered agents of the authority in the performance of its functions.
Article 34 reporting obligations and cooperation 1. The electronic trust service providers indicated in article 33.1 have a duty to facilitate the organisation of monitoring all information and collaboration that are required for the exercise of its functions.
2. In particular, the electronic trust service providers indicated in article 33.1 must report at the beginning of its activity, and updating with the frequency established by the regulation, its identification data, the characteristics of the services we provide, the accreditations and certifications obtained for their services and other necessary data of interest to the public which will fix the regulations.
This information may be subject to publication on the website of the Agency for supervision of electronic trust services providers in order to grant the maximum diffusion and knowledge.
3. The electronic trust service providers indicated in article 33.1 must allow inspectors access to its facilities and to consult all the documents which they consider to be relevant to carry out effectively its task of control. In the inspections the inspectors can be accompanied by people they deem necessary.
Article 35 supervision of electronic trust service providers 1. The electronic trust service providers indicated in article 33.1 must be audited annually by an independent body recognised by confirm that both they and the electronic trust services which comply with the requirements established in this law. This audit report of security should be present without undue delay to the supervisory body.
2. Without prejudice to the provisions of paragraph 1, the body of supervision can, at any time, on its own initiative or in response to a request of the Government, audit electronic trust service providers indicated in article 33.1, to confirm that both they and the electronic trust services continue to fulfil the conditions laid down by this law.
The supervisory body must inform the Andorran Agency of Data Protection of the results of their audits in case you have breached the legislation on the protection of personal data.
3. The supervisory body is empowered to give binding instructions for electronic trust services providers listed in article 33.1 in order to correct any failure of the requirements indicated in the report of the security audit.
In case the electronic trust service provider required have not qualified this breach within the period fixed by the monitoring body, will lose their qualifications, without prejudice to the corresponding sanctions eventually imposed in case of violation of this legislation.
Article 36 Home of a trusted service electronics 1. The electronic trust service providers indicated in article 33.1 must notify the supervisory authority his intention to initiate the provision of a service of electronic trust, and must submit a security audit report drawn up by an independent body recognized, according to the provisions of article 35.
2. Once the electronic trust service providers indicated in article 33.1 can begin to provide the service of electronic trust, have been included in the lists of electronic trust referred to in article 37, and noted there is this circumstance.

3. The supervisory body verifies the conformity of the service provider of trust and trust services qualified electronics provided with the requirements of the law.
The supervisory body indicates the State of qualification of skilled service providers and qualified electronic trust services provided in lists of electronic trust after the verification has been completed positively, at the latest one month after the notification in accordance with paragraph 1.
If the check has not been completed within the period of one month, the body of supervision reports the electronic trust service provider specifying the reasons for the delay and the deadline to conclude the verification.
Article 37 electronic trust lists 1. The Government establishes, maintains and publishes electronic trust lists with information relating to the electronic trust service providers, along with the information related to the trust services qualified electronics provided by lenders.
2. The Government establishes, maintains and publishes, safely, the lists of electronic trust signed or sealed electronically provided in paragraph 1 in a form suitable for automatic processing.
3. Making available to the public of the above information is done through a secure channel, in a form signed or stamped electronically appropriate for automatic processing.
Article 38 electronic trust services qualified Certification is possible to obtain a certification of compliance with the requirements applicable to electronic trust services qualified, by means of a procedure by which the public or private institution accredited by the Government that makes the functions of accreditation entity issues a non-binding proposal, independent and objective manner to the Government after the appropriate checks.
The certificate issued by the Government, and assumes that the trusted certificate electronic service is qualified.
Chapter five. Sanctioning Offences Article 39 1. Infringements of this Law are classified as minor, serious and very serious.
2. minor offences Are failure to comply on the part of electronic trust services providers of legal obligations are not mentioned in the following sections.
3. Are serious offences: a) The provision of a reliable service with qualified electronic infringement of any of the obligations established in article 26, when in fact it does not constitutes a very serious infringement.
b) the provision of a service of trust electronics, qualified or not, with infringement of any of the obligations set out in articles 27, 29, 30 and 31.
c) the false allegation of compliance with technical standards applicable to the products and services of trust electronics.
d) resistance, the obstruction, the excuse or the unjustified refusal to the inspection of the public or private institution accredited by the Government that makes the functions of accreditation body.
e) breach of the resolutions dictated by the competent body to ensure that the service provider according to this law.
f) recidivism in the Commission of two minor offenses, even if they are of different nature, provided that they commit within a period of two years from the first and the author has been sanctioned.
4. very serious offences Are: a) the issuance of qualified electronic certificates of any kind, without the previous checks laid down in article 26.
b) The provision of a reliable service with qualified electronic infringement of any of the obligations set forth in article 26 when they have caused damage or injury to users or when the security of the electronic trust service has been severely affected.
c) the false allegation of electronic trust services and products certifications.
of recidivism in Committee) two serious offences, even if they are of different nature, provided that they commit within a period of two years from the first and the author has been sanctioned.
Article 40 competition and sanctioning procedure 1. The supervisory body is competent to arrange the opening of disciplinary proceedings and for an instructor, who may be one of its members. The resolution of the files corresponds to the Minister responsible for trade in the case of minor offences, and the Government in the case of serious or very serious offences.
2. The sanctioning powers provided for in this chapter must be exercised in accordance with the regulations governing the performance of the general administration, with the specifications provided for by this law.
3. In the event of serious infringements and very serious sanctions, the resolution must be published in the official bulletin of the Principality of Andorra, without prejudice that may be also published on the websites of the Government or to the supervisory body.
Article 41 Penalties 1. The penalties for the offences set forth in article 39 are the following: a) minor offences are sanctioned with a fine of up to 50,000 euros.
b) serious offences are sanctioned with a fine of 50,001 to 100,000 euros. In addition, you can also impose such sanctions as follows:-suspension of the exercise of the activity of electronic trust services in Andorra, up to a maximum period of two years.
-Suspension of the validity of the digital certificates issued by the provider of services subject to the sanction, up to a maximum period of two years, with a refund to users of the proportional to the period of validity of electronic certificates affected by the sanction.
c) very serious offences are sanctioned with a fine of 100,001 to 400,000 euros. In addition, you can also impose such sanctions as follows:-prohibition and termination of the permanent exercise of the activity of electronic trust services in Andorra.
-phasing out of all digital certificates issued by the service provider sanctioned, with the refund to users of the part proportional to the remaining validity period of the electronic certificates affected.
2. Likewise, the Government has published in the official bulletin of the Principality of Andorra, in your web page, the data relating to the suspension or the termination set forth in paragraph 1, indicating: a) the provider of services subject to the sanction.
b) lender certificates subject to sanction.
c) the nature of the sanction imposed (suspension or termination).

d) in the case of termination, the date on which they cease to be valid electronic certificates of the service provider concerned. The date of expiry of the validity of the electronic certificates subject to sanction can never be earlier than the date of publication of the sanction on the website of the supervisory body.
e) in the case of suspension, the start date of the suspension and the completion date from which electronic certificates turn to have legal effects recognized in this law. The start date of the suspension can never be earlier than the date of publication of the sanction on the website of the supervisory body.
3. Access to the information indicated in paragraph 2 must always be free and free of charge.
Article 42 graduation of the amount of the fines the amount of fines, within the limits indicated, he graduated, taking into account the following circumstances: a) The social impact of the infringement committed and the number of users affected.
b) recidivism or repetition.
c) the existence or non-existence of intentionality.
of) the amount and nature of the damage caused.
e) the benefit that the violation has been reported to the offender. In this case, the penalty may not be less than the benefit obtained.
Article 43 injunctive relief in the procedures for serious or very serious offences, the supervisory body to instruct the transcript may adopt provisional measures which it considers necessary to prevent the maintenance of the effects of the infringement and to ensure the effectiveness of the resolution to be issued. Among others, you can adopt the following measures: a) the temporary suspension of the activity of the electronic trust service provider and, if necessary, the temporary closure of the establishment.
b) the seal, the deposit or the seizure of records, media and computer files and documents in general, as well as appliances and computer equipment.
c) the warning to the public of the existence of possible behaviours infractores, of sanctioning the transcript shall and the precautionary measures adopted.
d) the suspension of validity of electronic certificates affected.
Article 44 Prescription 1. The minor offences prescribed after one year from the date of their Commission, the serious do two years and very serious at the end of three.
2. The penalties prescribed in the three years from the date of notification of the decision to impose sanctions on firm.
Repealing provision abolishes all the provisions of rank less than or equal to this law that are incompatible and, in particular, the law 6/2009, of 29 December, electronic signature, the Decree of 2-06-2010 by which approves the regulation of organization and functioning of the National Commission of accreditation and the Decree of 2-06-10 by which approves the regulation on accreditation of certification service providers in the case of the qualified electronic signature or recognized.
Final provision this law shall enter into force three months to be published in the official bulletin of the Principality of Andorra.
Casa de la Vall, 27 November 2014 Vicenç Mateu Zamora Syndic General Us the co-princes the sancionem and promulguem and let's get the publication in the official bulletin of the Principality of Andorra.
Joan Enric Vives Sicília François Hollande Bishop of Urgell, President of the French Republic Co-prince of Andorra Co-prince of Andorra