Machine Translation of "Law 59/2003, Of 19 December, Electronic Signature." (Spain)

Law 59/2003, Of 19 December, Electronic Signature.

Original Language Title: Ley 59/2003, de 19 de diciembre, de firma electrónica.

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Unlimited Searches
Weekly Updates on New Laws
Access to 5,345,848 Global Laws from 110 Countries
View the Original Law Side-by-Side with the Translation

Subscribe Now for only USD$40 per month.

TEXT

JOHN CARLOS I

KING OF SPAIN

To all who present it and understand it.

Sabed: That the General Courts have approved and I come to sanction the following law.

EXPLANATORY STATEMENT

Royal Decree Law 14/1999 of 17 September on electronic signatures was adopted with the aim of encouraging the rapid incorporation of new technologies for the security of electronic communications in the business of businesses, citizens and public administrations. In this way, it helped to boost the growth and competitiveness of the Spanish economy through the rapid establishment of a legal framework for the use of a tool that provides confidence in the execution of transactions. electronic networks as is the case for the Internet. The Royal Decree Law incorporated into Spanish public law Directive 1999 /93/EC of the European Parliament and of the Council of 13 December 1999 establishing a Community framework for electronic signatures, even before their adoption. promulgation and publication in the Official Journal of the European Communities.

After its ratification by the Congress of Deputies, it was agreed to the fulfillment of the Royal Decree Law 14/1999 as a bill, in order to submit it to a wider public consultation and to the subsequent parliamentary debate for perfect your text. However, this initiative fell on the expiry of the mandate of the Chambers in March 2000. This law, therefore, is the result of the commitment assumed in the VI Legislature, updating at the same time the framework established in the Royal Decree Law 14/1999 by incorporating the modifications that advises the experience accumulated since its entry into force both in our country and internationally.

The development of the information society and the diffusion of the positive effects that it has on it requires the generalization of the confidence of the citizenry in the telematic communications. However, the most recent data point out that there is still a lack of confidence on the part of the speakers in telematic transactions and, in general, in the communications that new technologies allow for the transmission of information, This lack of confidence is a brake on the development of the information society, in particular electronic commerce and administration.

In response to this need to confer security on Internet communications, among others, the electronic signature. The electronic signature is an instrument capable of allowing a verification of the origin and integrity of the messages exchanged through telecommunications networks, offering the bases to avoid repudiation, if adopted appropriate measures based on electronic dates.

The subjects that make the use of electronic signatures possible are the so-called providers of certification services. To this end they issue electronic certificates, which are electronic documents that relate the electronic signature tools held by each user with their personal identity, thus giving them information in the telematic field as a signatory.

The law requires providers of certification services to carry out a permanent protection and management of the electronic certificates they issue. The details of this management should be included in the so-called certification practice statement, where the conditions applicable to the application, issue, use, suspension and extinction of the validity of the electronic certificates are specified. In addition, these providers are required to maintain an accessible consultation service on the status of the certificates in which they are updated if they are in force or if their validity has been suspended or extinguished.

It should also be noted that the law defines a particular class of electronic certificates called recognised certificates, which are the electronic certificates that have been issued in compliance with qualified requirements refers to its content, to the procedures for verifying the identity of the signatory and to the reliability and guarantees of the electronic certification activity.

Recognised certificates are a key part of the so-called recognised electronic signature, which is defined in accordance with the guidelines laid down in Directive 1999 /93/EC as an advanced electronic signature based on a certificate recognized and generated by a secure signature creation device. The recognized electronic signature grants the law the functional equivalence with the handwritten signature with respect to the data entered in electronic form.

Moreover, the law contains the guarantees that must be fulfilled by the signature creation devices so that they can be considered as secure devices and thus form a recognized electronic signature.

The technical certification of the secure electronic signature creation devices is based on the framework established by Law 21/1992, of July 16, of Industry and its development provisions. For this certification, the technical standards published for such purposes shall be used in the Official Journal of the European Communities or, exceptionally, those approved by the Ministry of Science and Technology.

Additionally, the law establishes a framework of obligations applicable to certification service providers, depending on whether they issue recognized certificates or not, and determines their liability regime, taking into account the duties of the signatories and the third recipients of documents signed electronically.

III

This law is enacted to strengthen the existing legal framework by incorporating into its text some novelties regarding the Royal Decree Law 14/1999 that will contribute to energizing the market for the provision of certification services.

Thus, the terminology is revised, the systematic is modified and the text is simplified, facilitating its understanding and giving it a structure more in line with our legislative technique.

One of the novelties that the law offers in respect of Royal Decree Law 14/1999, is the name as a recognized electronic signature of the electronic signature that is functionally equipped with the handwritten signature. This is simply the creation of a new concept demanded by the sector, without any modification of the substantive requirements that both Directive 1999 /93/EC and the Royal Decree Law 14/1999 itself were demanding. This makes it clear that the advanced electronic signature is not sufficient for matching with the handwritten signature; the advanced electronic signature must be based on a recognized certificate and has been created by a secure device creation.

In particular, it is important to highlight the elimination of the registration of certification service providers, which has given way to the establishment of a mere service for the dissemination of information on providers that they operate on the market, the quality certifications and the characteristics of the products and services they have for the development of their activity.

Moreover, the law amends the certification concept of certification service providers to give it greater freedom and to give greater prominence to the participation of the private sector in the systems of certification and eliminating the legal assumptions associated with it, adapting more precisely to the provisions of the directive. Thus, industry self-regulation is encouraged, so that it is the one who designs and manages, according to their own needs, voluntary accreditation systems aimed at improving the technical and quality levels in the supply of certification services.

The new regime is born from the conviction that quality seals are an effective tool to convince users of the advantages of electronic certification products and services, resulting in the need for facilitate and expedite the procurement of these external symbols for those who offer them to the public.

Although the concepts of "accreditation" of certification and "conformity" service providers of the secure electronic signature creation devices contained in the directive are faithfully reproduced in the law, the terminology has been adapted to the most commonly used and known collection in Law 21/1992, of July 16, of Industry.

Another important change is that the law clarifies the obligation to provide an economic guarantee by certification service providers that issue recognized certificates, establishing a a single minimum of EUR 3 million, further easing the combination of the different instruments to constitute the guarantee.

Furthermore, since the provision of certification services is not subject to prior authorisation, it is important to stress that the law strengthens the inspection and control capacities of the Ministry of Science and Technology, indicating that this department may be assisted by independent and technically qualified entities to carry out supervisory and control tasks on certification service providers.

The regulation also has to be highlighted that the law contains in respect of the national electronic identity document, which stands on a recognized electronic certificate called to generalize the use of safe instruments electronic communication capable of conferring the same integrity and authenticity as the one currently surrounding communications through physical means. The law confines itself to setting the basic regulatory framework of the new electronic DNI by highlighting its two most characteristic notes-it accredits the identity of its holder in any administrative procedure and allows the electronic signature of documents-referring to the specific rules as to the particularities of their legal status.

Likewise, another novelty is the establishment in the law of the regime applicable to the performance of legal persons as signatories, in order to integrate these entities into the telematic traffic. It goes beyond the Royal Decree Law of 1999, which only allowed legal persons to be holders of electronic certificates in the field of tax management.

Precisely, the enormous expansion that these certificates have had in this area in recent years, without this having represented any increase in the litigation or legal uncertainty in the transactions, they advise the generalization of the ownership of certificates by moral persons.

In any case, electronic certificates of legal persons do not alter civil and commercial law as regards the figure of the organic or voluntary representative and do not replace the electronic certificates issued to natural persons in which such representation relationships are reflected.

As legal certainty, the law requires, on the one hand, a special legitimation for natural persons to apply for the issue of certificates; on the other hand, it requires applicants to take responsibility for the custody of the electronic signature creation data associated with such certificates, all without prejudice to the fact that they may be used by other natural persons linked to the institution. Finally, with regard to third parties, it limits the use of these certificates to acts that integrate the relationship between the legal person and the public administrations and the things or services that constitute the institution's ordinary turn or traffic, without prejudice to any quantitative or qualitative limits which may be added. It is a matter of combining the dynamism that must be used by the use of these certificates in traffic with the necessary doses of prudence and security to prevent the birth of uncontrollable obligations against third parties due to the inadequate use of the signature creation data. The balance between one and the other principle has been established on the things and services that constitute the turn or ordinary traffic of the company in parallel to as our more than centennial Code of Commerce regulates the connection against third parties of the acts of trade carried out by the establishment factor.

With the expression "spin or ordinary traffic" of an entity is updated to a vocabulary more in line with our days what in the Spanish mercantile legislation is called "factory or mercantile establishment". This includes the transactions made immediately or immediately for the purpose of carrying out the core of the entity's activity and the management or administrative activities necessary for the development of the entity, such as tangible and intangible supplies or ancillary services. Finally, it should be stressed that, even if "ordinary traffic" is a term coined by commercial law, the regulation on certificates of legal persons not only applies to commercial companies, but to any type of legal person who wants to make use of the electronic signature in his/her activity.

Additionally, a special regime for the issuance of electronic certificates is added to entities without legal personality as referred to in Article 33 of the General Tax Law, to the sole effects of their use in the tax area, in the terms established by the Ministry of Finance.

On the other hand, following the pattern marked by Law 34/2002, of July 11, of services of the information society and of electronic commerce, the support in which they appear is included within the modality of documentary proof the data signed electronically, giving greater legal certainty to the use of electronic signatures in submitting it to the rules of effectiveness in the trial of documentary evidence.

In addition, it should be noted that another novel aspect of the law is the explicit acceptance of the representation relationships that may underlie the use of electronic signatures. There is no doubt that the institute of representation is widely generalized in economic traffic, hence the desirability of giving legal certainty the imputation to the legal sphere of the represented the declarations that are submitted by the representative through the electronic signature.

To do this, it is established as a novelty that in the issue of recognized certificates that admit among their attributes relations of representation, this one must be covered in a public document that credits the same representation relationship as well as the adequacy and appropriateness of the powers conferred on the representative. Mechanisms are also provided for to ensure the maintenance of the powers of representation throughout the validity of the recognised certificate.

Finally, it should be noted that the law allows certification service providers to be able, with the objective of improving trust in their services, to establish coordination mechanisms with the data that they require. must act in the public registers, in particular by means of telematic connections, for the purpose of verifying the data contained in the certificates at the time of issue.

Such coordination mechanisms will also be able to provide for the telematic notification by the registers to the certification service providers of subsequent registration variations.

The law consists of 36 articles grouped into six titles, 10 additional provisions, two transitional provisions, one derogating provision and three final provisions.

Title I contains the general principles that define the subjective and objective fields of law enforcement, the effects of electronic signatures and the employment regime before public administrations and access to the law. certification service delivery activity.

The regime applicable to electronic certificates is contained in Title II, which devotes its first chapter to determining who may be their owners and to regulate the vicissitudes that affect their validity. Chapter II covers the recognised certificates and the third one the national electronic identity document.

Title III regulates the activity of the provision of certification services by establishing the obligations to which providers are subject-clearly distinguishing those that only affect those who issue certificates recognised-, and the applicable liability regime.

Title IV sets out the requirements to be met by the electronic signature verification and creation devices and the procedure to be followed to obtain quality stamps in the service delivery activity of certification.

Titles V and VI dedicate their content, respectively, to the establishment of the supervision and sanction regimes of certification service providers.

Finally, the text closes the additional provisions-which refer to the special arrangements that result from preferential application-the transitional provisions-which incorporate legal certainty to the activity deployed in the under the previous rules-the repeal provision and the final provisions relating to the constitutional basis, the enabling for regulatory development and the entry into force.

This provision has been submitted to the procedure for information on technical standards and regulations provided for in Directive 98 /34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for information on technical standards and regulations, as amended by Directive 98 /48/EC, of the European Parliament and of the Council of 20 July 1998 and of Royal Decree 1337/1999 of 31 July 1998 on the (a) the provision of information in the field of technical standards and regulations and regulations relating to the services of the information society.

TITLE I

General provisions

Article 1. Object.

1. This law regulates electronic signatures, their legal effectiveness and the provision of certification services.

2. The provisions contained in this law do not alter the rules concerning the conclusion, formalisation, validity and effectiveness of contracts and any other legal acts or those relating to documents in which they are established.

Article 2. Certification service providers subject to the law.

1. This law shall apply to certification service providers established in Spain and to certification services which providers resident or domiciled in another State offer through a permanent establishment situated in Spain. Spain.

2. A certification service provider is referred to as the natural or legal person who issues electronic certificates or provides other services in relation to the electronic signature.

3. A certification service provider shall be deemed to be established in Spain where his residence or registered office is in Spanish territory, provided that they coincide with the place where the management is effectively centralised. administrative and management of their businesses. In another case, it shall be treated to the place where such management or management is carried out.

4. A provider shall be deemed to operate by means of a permanent establishment situated on Spanish territory where he or she has, on a continuous or regular basis, facilities or workplaces in which he or she carries out all or part of his business.

5. A certification service provider shall be presumed to be established in Spain where such a provider or any of its branches has registered in the Trade Register or in another Spanish public register where registration is necessary. for the acquisition of legal personality.

The mere use of technological means located in Spain for the provision or access to the service will not, on its own, involve the establishment of the provider in Spain.

Article 3. Electronic signature, and electronically signed documents.

1. The electronic signature is the data set in electronic form, consigned together with others or associated with them, which can be used as a means of identification of the signatory.

2. The advanced electronic signature is the electronic signature that allows the signatory to be identified and to detect any subsequent changes to the signed data, which is linked to the signatory in a unique way and to the data to which it refers and which has been created by means that the signer can keep under its exclusive control.

3. The advanced electronic signature based on a certificate recognized and generated by a secure signature creation device is considered to be a recognized electronic signature.

4. The recognised electronic signature shall have regard to the electronic data entered in electronic form with the same value as the handwritten signature in relation to paper entries.

5. Electronic document is considered as an electronic document that incorporates data that is signed electronically.

6. The electronic document will be supported by:

(a) Public documents, because they are electronically signed by officials who are legally assigned the power to give public, judicial, notarial or administrative faith, provided that they act in the field of their competence with the requirements required by law in each case.

(b) Documents issued and signed electronically by civil servants or public employees in the exercise of their public functions, in accordance with their specific legislation.

c) Private documents.

7. The documents referred to in the previous paragraph shall have the legal value and effectiveness corresponding to their respective nature, in accordance with the legislation applicable to them.

8. The support in which the electronically signed data is found shall be admissible as documentary evidence in judgment. If the authenticity of the recognised electronic signature, with which the data incorporated in the electronic document has been signed, is contested, it shall be verified by the certification service provider, which issues the certificates electronic, all the requirements laid down in the law are fulfilled as regards the guarantee of the services which it provides in the verification of the effectiveness of the electronic signature, and in particular, the obligations to guarantee the confidentiality of the process as well as the authenticity, preservation and integrity of the generated information and the identity of the signatories. If the authenticity of the advanced electronic signature, with which the data incorporated into the electronic document has been signed, is contested, it shall be as set out in Article 326 (2) of the Civil Procedure Act.

9. No legal effects shall be denied to an electronic signature which does not meet the recognised electronic signature requirements in relation to the data to which it is associated with the fact that it is presented in electronic form.

10. For the purposes of this Article, where an electronic signature is used in accordance with the conditions agreed by the parties to relate to each other, the provisions between them shall be taken into account.

Article 4. Employment of the electronic signature in the field of public administrations.

1. This law shall apply to the use of electronic signatures within the public administrations, their public bodies and entities which are dependent or linked to them and in the relations between them and those which are between them or with the particular.

Public administrations, in order to safeguard the guarantees of each procedure, may lay down additional conditions for the use of electronic signatures in procedures. Such conditions may include, inter alia, the imposition of electronic dates on electronic documents integrated into an administrative file. Electronic date means the electronic data set used as a means to verify the time when a performance has been performed on other electronic data to which they are associated.

2. The additional conditions referred to in the preceding paragraph may only refer to the specific characteristics of the application in question and must ensure compliance with the provisions of Article 45 of Law No 30/1992, of 26 November, of the Legal Regime of Public Administrations and of the Common Administrative Procedure. These conditions shall be objective, proportionate, transparent and non-discriminatory and shall not impede the provision of certification services to the citizen when different national public administrations or the Space are involved. European Economic.

3. Rules laying down additional general conditions for the use of electronic signatures before the General Administration of the State, its public bodies and entities which are or are linked to it shall be made on a joint proposal from the Commission. The Ministries of Public and Science and Technology Administrations and prior report of the Superior Council of Informatics and for the impulse of the Electronic Administration.

4. The use of electronic signatures in communications affecting classified information, public security or national defence shall be governed by its specific rules.

Article 5. Arrangements for the provision of certification services.

1. The provision of certification services is not subject to prior authorisation and will be carried out under free competition. No restrictions may be laid down for certification services from another Member State of the European Economic Area.

2. The competition authorities shall ensure that conditions of effective competition are maintained in the provision of certification services to the public through the exercise of the functions legally conferred on them.

3. The provision to the public of certification services by public administrations, their public bodies or entities which are or are linked to them shall be carried out in accordance with the principles of objectivity, transparency and non-compliance. discrimination.

TITLE II

Electronic certificates

CHAPTER I

General provisions

Article 6. Concept of a signer and electronic certificate.

1. An electronic certificate is a document signed electronically by a certification service provider that links signature verification data to a signatory and confirms its identity.

2. The signer is the person who owns a signature creation device and who acts on his or her own behalf or on behalf of a natural or legal person to whom he represents.

Article 7. Electronic certificates of legal persons.

1. They may request electronic certificates from legal persons their administrators, legal representatives and volunteers with sufficient power for these purposes.

Electronic certificates of legal persons may not affect the system of organic or voluntary representation governed by civil or commercial law applicable to each legal person.

2. The custody of the signature creation data associated with each electronic certificate of legal person shall be the responsibility of the applicant physical person, whose identification shall be included in the electronic certificate.

3. The signature creation data may be used only when it is accepted in the relations maintained by the legal person with the public authorities or in the procurement of goods or services which are themselves or are related to their rotation or ordinary traffic.

In addition, the legal person may impose additional limits, for the amount or the matter, for the use of such data which, in any case, must appear on the electronic certificate.

4. Acts or contracts in which the signature of his signature would have been used within the limits provided for in the preceding paragraph shall be construed as facts by the legal person.

If the signature is used to transgress the above limits, the legal person will be bound to third parties only if they assume them as their own or have been held in their interest. Otherwise, the effects of such acts shall be on the natural person responsible for the custody of the signature creation data, who may, where appropriate, repeat against the person who used them.

5. The provisions of this Article shall not apply to certificates which serve to verify the electronic signature of the certification service provider with which he or she signs the electronic certificates issued by him.

6. The provisions of this Article shall not apply to certificates issued in favour of public administrations, which shall be subject to their specific rules.

Article 8. Extinction of the validity of electronic certificates.

1. They are causes of extinction of the validity of an electronic certificate:

a) Expiration of the validity period shown in the certificate.

(b) Revocation by the signatory, the natural or legal person represented by the signatory, an authorised third party or the natural person applying for an electronic certificate of legal person.

(c) Violation or endangering of the secrecy of the signature creation data of the signatory or of the service provider of certification or misuse of such data by a third party.

d) Judicial or administrative resolution ordering it.

e) Death or extinction of the legal personality of the signatory; death, or extinction of the legal personality of the represented; inability to come, in whole or in part, of the signatory or his represented; the representation; dissolution of the legal person represented or alteration of the conditions of custody or use of the signature creation data that are reflected in the certificates issued to a legal person.

(f) Cese in the activity of the certification service provider unless, prior to the express consent of the signatory, the management of the electronic certificates issued by the signatory are transferred to another service provider certification.

g) Alteration of the data provided for obtaining the certificate or modification of the verified circumstances for the issue of the certificate, such as those relating to the position or the powers of representation, in such a way that This is no longer in keeping with reality.

h) Any other lawful cause provided for in the certification practice statement.

2. The period of validity of the electronic certificates shall be appropriate to the characteristics and technology used to generate the signature creation data.

In the case of certified certificates this period may not exceed four years.

3. The termination of the validity of an electronic certificate shall have effects vis-à-vis third parties, in the case of expiry of its period of validity, from the time of the occurrence and, in the other cases, from the time of the indication of such an effect. extinction is included in the consultation service on the validity of the certification service provider's certificates.

Article 9. Suspension of the validity of electronic certificates.

1. Certification service providers shall suspend the validity of the electronic certificates issued if one of the following causes is present:

(a) Request of the signatory, the natural or legal person represented by it, an authorised third party or the natural person applying for an electronic certificate of legal person.

b) Judicial or administrative resolution ordering it.

(c) The existence of reasonable doubts as to the concurrency of the causes of extinction of the validity of the certificates referred to in paragraphs (c) and (g) of Article 8.1.

d) Any other lawful cause provided for in the certification practice statement.

2. The suspension of the validity of an electronic certificate shall take effect from the time it is included in the consultation service on the validity of the certification service provider's certificates.

Article 10. Provisions common to the extinction and suspension of the validity of electronic certificates.

1. The certification service provider shall immediately, in a clear and undoubted manner, record the termination or suspension of the validity of the electronic certificates in the consultation service on the validity of the certificates as soon as has a well-founded knowledge of any of the factors determining the extinction or suspension of its validity.

2. The certification service provider shall inform the signatory of this circumstance prior to or at the same time the termination or suspension of the validity of the electronic certificate, specifying the reasons and the date and time when the certificate shall be without effect. In the case of suspension, it shall also indicate its maximum duration, the validity of the certificate being extinguished if the suspension has not been lifted.

3. The termination or suspension of the validity of an electronic certificate shall not have retroactive effect.

4. The termination or suspension of the validity of an electronic certificate shall be kept accessible in the consultation service on the validity of the certificates at least until the date of the end of their initial period of validity.

CHAPTER II

Recognized certificates

Article 11. Concept and content of recognised certificates.

1. Certified electronic certificates issued by a certification service provider that complies with the requirements set out in this law as regards the verification of the identity and other circumstances of the applicants and the reliability and guarantees of the certification services they provide.

2. Recognised certificates shall include at least the following data:

a) The indication that they are issued as such.

b) The unique identifier of the certificate.

d) The advanced electronic signature of the certification service provider that issues the certificate.

e) the identification of the signatory, in the case of natural persons, by name and surname and their national identity document number or by means of a pseudonym which is known as such unequivocally and, in the case of legal persons, by name or social reason and their tax identification code.

f) The signature verification data that corresponds to the signature creation data that is under the signer control.

g) The beginning and end of the certificate validity period.

h) The limits of use of the certificate, if set.

i) The value limits of the transactions for which the certificate can be used, if they are set.

3. Recognised certificates may also contain any other specific circumstances or attributes of the signatory in case it is significant depending on the purpose of the certificate itself and whenever it so requests.

4. If the recognised certificates support a representation relationship, they shall include an indication of the public document attesting to the authority of the signatory to act on behalf of the person or entity to which he represents and, in the registration of the registration data, in accordance with Article 13 (2), if the registration is compulsory.

Article 12. Obligations prior to the issue of recognised certificates.

Prior to the issue of a recognised certificate, certification service providers shall fulfil the following obligations:

a) Check the identity and personal circumstances of the certificate applicants in accordance with the provisions of the following article.

b) Verify that the information contained in the certificate is accurate and that it includes all the information prescribed for a recognized certificate.

c) Ensure that the signer is in possession of the signature creation data corresponding to the verification data that is contained in the certificate.

d) Ensure the complementarity of the signature creation and verification data, provided both are generated by the certification service provider.

Article 13. Verification of the identity and other personal circumstances of the applicants for a recognised certificate.

1. The identification of the natural person applying for a recognised certificate shall require his/her personation before the persons responsible for verifying it and shall be accredited by means of the national identity card, passport or other means admitted in law. The person may be waived if his signature on the application for the issue of a recognised certificate has been legitimised in the presence of a notarial.

The system of application of certificates issued after the applicant's identification with the public authorities shall be governed by the provisions of the administrative rules.

2. In the case of recognised certificates of legal persons, certification service providers shall also verify the data relating to the constitution and legal personality and the extension and validity of the powers of representation. of the applicant, either by consulting the public register in which the documents of the constitution and the proxy are entered, either by means of the public documents which serve to prove the abovementioned ends in a feisty manner, when those are not mandatory enrollment.

3. If the recognised certificates reflect a voluntary representation relationship, the certification service providers shall verify, the data relating to the legal personality of the representative and the extent and validity of the powers of the representative, either by consulting the public register in which they are registered or by means of the public documents which serve to prove the aforementioned ends in a feisty manner, where those are not compulsory registration. If recognised certificates support other representation assumptions, certification service providers shall require the accreditation of the circumstances in which they are based, in the same manner as previously provided for.

When the recognised certificate contains other personal circumstances or attributes of the applicant, such as his or her status as the holder of a public office, his or her membership of a professional college or his or her degree, they shall be checked by the official documents to them, in accordance with their specific rules.

4. The provisions of the preceding paragraphs may not be enforceable in the following cases:

(a) Where the identity or other permanent circumstances of the applicants for the certificates has already established the service provider of certification under a pre-existing relationship, in which, for the identification of the interested, the means identified in this article would have been used and the period of time since the identification is less than five years.

(b) When applying for a certificate, another in force is used for the issue of which the signatory has been identified in the manner prescribed in this Article and the certification service provider is satisfied that the period of time since identification is less than five years.

5. Certification service providers may carry out the verification measures provided for in this Article by themselves or through other natural or legal persons, public or private, with the responsibility, in any case, of the service provider certification services.

Article 14. International equivalence of recognised certificates.

Electronic certificates that certification service providers established in a State that is not a member of the European Economic Area issue to the public as recognised certificates in accordance with the legislation applicable in that State shall be considered equivalent to those issued by those established in Spain, provided that one of the following conditions is met:

(a) The certification service provider meets the requirements laid down in Community legislation on electronic signatures for the issue of recognised certificates and has been certified in accordance with a system voluntary certification established in a Member State of the European Economic Area.

(b) that the certificate is guaranteed by a certification service provider established in the European Economic Area who complies with the requirements laid down in Community legislation on electronic signatures for the issue of recognised certificates.

(c) The certificate or the certification service provider is recognised under a bilateral or multilateral agreement between the European Community and third countries or international organisations.

CHAPTER III

The national electronic identity document

Article 15. National electronic identity document.

1. The national electronic identity document is the national identity document that electronically credits the personal identity of its holder and allows the electronic signature of documents.

2. All natural or legal persons, whether public or private, shall recognise the effectiveness of the national electronic identity document in order to prove the identity and other personal data of the holder that they contain, and to accredit the the signer identity and the integrity of the signed documents with the electronic signature devices in the included.

Article 16. Requirements and characteristics of the national electronic identity document.

1. The competent bodies of the Ministry of the Interior for the issuance of the national electronic identity document shall comply with the obligations under this Law to the certification service providers issuing certificates. recognised with the exception of that relating to the lodging of the security referred to in Article 20 (2

2. The General Administration of the State shall, as far as possible, use systems to ensure the compatibility of electronic signature instruments included in the national electronic identity document with the various devices and generally accepted electronic signature products.

TITLE III

Providing certification services

CHAPTER I

Obligations

Article 17. Protection of personal data.

1. The processing of personal data required by providers of certification services for the development of their activity and the administrative bodies for the exercise of the functions conferred by this law shall be subject to the provisions of the Organic Law 15/1999, of December 13, of Protection of Personal Data and in its standards of development.

2. For the issue of electronic certificates to the public, certification service providers may only collect personal data directly from or prior to the express consent of the signatories.

The required data shall be exclusively necessary for the issuance and maintenance of the electronic certificate and the provision of other services in relation to the electronic signature, and cannot be processed for purposes distinct without the express consent of the signatory.

3. Certification service providers who enter a pseudonym on the electronic certificate at the signing of the certificate shall verify their true identity and keep the documentation supporting it.

Such certification service providers shall be required to disclose the identity of the signatories upon request by the judicial bodies in the exercise of the functions they have attributed and in the other cases provided for in Article 11.2 of the Organic Law on the Protection of Personal Data in which it is required.

4. In any event, the certification service providers shall not include in the electronic certificates they issue, the data referred to in Article 7 of the Organic Law 15/1999 of 13 December, of Data Protection of Personal Character.

Article 18. Obligations of certification service providers to issue electronic certificates.

Certification service providers issuing electronic certificates shall comply with the following obligations:

a) Do not store or copy the signature creation data of the person to whom they have provided their services.

(b) Provide the applicant before the issue of the certificate with the following minimum information, which shall be transmitted free of charge, in writing or by electronic means:

1. The signatory's obligations, the way in which the signature creation data is to be safeguarded, the procedure to be followed to communicate the loss or possible misuse of such data and certain electronic signature creation and verification devices that are compatible with the signature data and the certificate issued.

2. The mechanisms to ensure the reliability of the electronic signature of a document over time.

3. The method used by the provider to check the identity of the signer or other data contained in the certificate.

4. The precise conditions of use of the certificate, its possible limits of use and the way in which the provider guarantees his or her patrimonial responsibility.

5. The certifications obtained, if any, by the certification service provider and the applicable procedures for the out-of-court settlement of the conflicts that may arise from the exercise of its activity.

6. The other information contained in the certification practice statement.

The above information that is relevant to third parties affected by the certificates must be available at the request of the third parties.

c) Maintain an updated directory of certificates indicating the certificates issued and whether they are in force or if their validity has been suspended or extinguished. The integrity of the directory will be protected by using the appropriate security mechanisms.

d) Ensure the availability of a consultation service on the validity of fast and secure certificates.

Article 19. Declaration of certification practices.

1. All certification service providers shall make a declaration of certification practices in which they shall detail, in the framework of this law and its implementing provisions, the obligations they undertake to comply with in respect of the management of the establishment and verification of signature and electronic certificates, the conditions applicable to the application, issue, use, suspension and termination of the validity of the certificates the technical security measures and the organisation, profiles and mechanisms of information on the validity of certificates and, where appropriate, the existence of coordination procedures with the relevant public registers which allow for the immediate exchange of information on the validity of the powers indicated in the certificates and which must be included preceptively enrolled in those records.

2. The certification practice declaration of each provider shall be readily available to the public, at least by electronic means and free of charge.

3. The declaration of certification practices shall be considered as a security document for the purposes laid down in the legislation on the protection of personal data and shall contain all the requirements laid down for that purpose. document in that legislation.

Article 20. Obligations of certification service providers to issue recognised certificates.

1. In addition to the obligations laid down in this Chapter, certification service providers who issue recognised certificates shall fulfil the following obligations:

a) Demonstrate the reliability required to deliver certification services.

(b) Ensure that the date and time at which a certificate was issued or extinguished or suspended its validity can be accurately determined.

(c) Personal employment with the skills, knowledge and experience necessary for the provision of the certification services offered and the appropriate safety and management procedures in the field of the signature electronic.

d) Use reliable systems and products that are protected against any alteration and ensure the technical and, where appropriate, cryptographic security of the certification processes to which they are supported.

e) Take action against falsification of certificates and, in the event that the certification service provider generates signature creation data, ensure its confidentiality during the generation process and its delivery by a secure procedure to the signer.

f) Keep all information and documentation relating to a recognized certificate and certification practice statements in force at any time, at least for 15 years, recorded by any means. from the time of issue, so that the signatures made with it can be verified.

g) Use reliable systems to store recognised certificates to verify their authenticity and prevent unauthorised persons from altering the data, restrict their accessibility in the cases or to persons whom the Signer has indicated and allowed to detect any changes affecting these security conditions.

2. Certification service providers who issue recognised certificates shall constitute liability insurance in the amount of at least EUR 3,000,000 in order to face the risk of liability for damages that might cause the use of the certificates that you issue.

The guarantee may be replaced in whole or in part by a guarantee by bank guarantee or security insurance, so that the sum of the insured amounts is at least 3,000,000 euros.

The amounts and means of insurance and security established in the two preceding paragraphs may be modified by royal decree.

Article 21. Cessation of the activity of a certification service provider.

1. The certification service provider who is to cease his activity must inform the signatories using the electronic certificates he has issued as well as the applicants for certificates issued in favour of persons. legal; and may transfer, with their express consent, the management of those who remain valid on the date the cessation occurs to another certification service provider who assumes them or, otherwise, to terminate their validity.

This communication shall be carried out at least two months in advance of the effective cessation of the activity and shall inform, where appropriate, the characteristics of the provider to whom the transfer of the management of the activities is proposed. certificates.

2. The certification service provider issuing electronic certificates to the public shall inform the Ministry of Science and Technology, in advance of the preceding paragraph, of the cessation of its activity and of the destination it intends to give to the the certificates, specifying, where appropriate, whether to transfer the management and to whom or if it will expire.

You will also communicate any other relevant circumstances that may prevent the continuation of your activity. In particular, it shall communicate, as soon as it becomes aware, the opening of any insolvency proceedings against it.

3. Certification service providers shall forward to the Ministry of Science and Technology prior to the definitive cessation of their activity the information relating to electronic certificates whose validity has been extinguished in order to ensure that take charge of their custody within the meaning of Article 20.1.f. This Ministry shall keep a specific consultation service accessible to the public where an indication of such certificates is provided for a period considered sufficient by reference to the consultations carried out.

CHAPTER II

Responsibility

Article 22. Responsibility of the certification service providers.

1. Certification service providers shall be liable for any damages caused to any person in the exercise of their activity when they fail to comply with the obligations imposed on them by this law.

The liability of the regulated certification service provider in this law shall be enforceable in accordance with the general rules on contractual or non-contractual fault, as appropriate, if it is the responsibility of the provider of certification services demonstrate that he acted with the professional diligence that is required of him.

2. If the certification service provider does not comply with the obligations referred to in paragraphs (b) to (d) of Article 12, by ensuring an electronic certificate issued by a certification service provider established in a non-State belonging to the European Economic Area, shall be liable for damages caused by the use of such a certificate.

3. In particular, the certification service provider shall be liable for any damages caused to the signatory or to third parties in good faith for the lack or delay in the inclusion in the service of consultation on the validity of the certificates of the extinction or suspension of the validity of the electronic certificate.

4. Certification service providers shall take all responsibility vis-à-vis third parties for the performance of persons in whom they delegate the performance of some or some of the functions necessary for the provision of services. certification.

5. The regulation contained in this law on the liability of the certification service provider is without prejudice to the provisions of the legislation on unfair terms in contracts concluded with consumers.

Article 23. Liability limitations of certification service providers.

1. The certification service provider shall not be liable for damages caused to the signatory or third parties in good faith, if the signatory incurs any of the following:

(a) Not having provided the certification service provider with accurate, complete and accurate information on the data to be entered on the electronic certificate or necessary for its issuance or for extinction or suspension of its validity, where its inaccuracy has not been detected by the certification service provider.

b) The lack of communication without delay to the certification service provider of any modification of the circumstances reflected in the electronic certificate.

c) Refuse in the preservation of their signature creation data, in the assurance of their confidentiality and in the protection of all access or disclosure.

d) Do not request the suspension or revocation of the electronic certificate in case of doubt as to the maintenance of the confidentiality of your signature creation data.

e) Use signature creation data when the validity period of the electronic certificate has expired or the certification service provider notifies you of the extinction or suspension of its validity.

(f) Overcome the limits contained in the electronic certificate as to its possible uses and the individual amount of transactions that may be carried out with it or not be used in accordance with the conditions laid down and notified to the signatory by the certification service provider.

2. In the case of electronic certificates which collect a representation power of the signatory, whether or not the person or entity represented, where the person or entity is aware of the existence of the certificate, is required to apply for revocation. or suspension of the validity of the certificate in the terms provided for in this law.

3. Where the signatory is a legal person, the applicant for the electronic certificate shall assume the obligations referred to in paragraph 1.

4. The certification service provider shall also not be liable for any damages caused to the signatory or to third parties in good faith if the recipient of the documents signed electronically acts in a negligent manner. In particular, it shall be understood that the addressee acts in a negligent manner in the following cases:

(a) When you do not check and take into account the restrictions contained in the electronic certificate as to its possible uses and the individual amount of transactions that may be made with it.

b) When you do not consider the suspension or loss of validity of the electronic certificate published in the consultation service on the validity of the certificates or when you do not verify the electronic signature.

5. The certification service provider shall not be liable for any damages caused to the signatory or third parties in good faith for the inaccuracy of the data contained in the electronic certificate, if they have been credited to it by public document. Where such data are to be entered in a public register, the certification service provider shall verify them in the register at the time immediately preceding the issue of the certificate, and may use, in its case, telematic means.

6. The exemption from liability to third parties obliges the certification service provider to prove that it acted in any case with due diligence.

TITLE IV

Electronic signature devices and certification systems for certification service providers and electronic signature devices

CHAPTER I

Electronic Signature Devices

Article 24. Electronic signature creation devices.

1. The signature creation data is the unique data, such as private cryptographic codes or keys, that the signer uses to create the electronic signature.

2. A signature creation device is a program or computer system that serves to apply the signature creation data.

3. A secure signature creation device is a signature creation device that offers at least the following warranties:

a) That data used for signature generation can occur only once and reasonably ensures its secret.

b) That there is a reasonable assurance that the data used for the signature generation cannot be derived from the signature verification or signature and that the signature is protected against counterfeiting with the existing technology at any time.

c) That the signature creation data can be reliably protected by the signer against its use by third parties.

d) That the device used does not alter the data or document to be signed or prevent it from being displayed to the signer before the signature process.

Article 25. Electronic signature verification devices.

1. The signature verification data is the data, such as public cryptographic codes or keys, that are used to verify the electronic signature.

2. A signature verification device is a program or computer system that serves to apply the signature verification data.

3. Electronic signature verification devices shall ensure, whenever technically possible, that the verification process of an electronic signature satisfies at least the following requirements:

a) That the data used to verify the signature corresponds to the data shown to the person who verifies the signature.

b) The signature is reliably verified and the result of that verification is correctly presented.

c) That the person who verifies the electronic signature can, if necessary, reliably establish the content of the signed data and detect whether they have been modified.

d) That the identity of the signatory or, if any, the use of a pseudonym, as the result of the verification, be clearly displayed.

e) That the authenticity and validity of the corresponding electronic certificate should be reliably verified.

f) That any changes to your security can be detected.

4. Also, the data concerning the verification of the signature, such as the moment in which it is produced or a finding of the validity of the electronic certificate at that time, may be stored by the person who verifies the signature electronic or trusted third parties.

CHAPTER II

Certification of certification service providers and electronic signature creation devices

Article 26. Certification of certification service providers.

1. The certification of a certification service provider is the voluntary procedure whereby a qualified public or private entity issues a declaration in favour of a certification service provider, which implies recognition compliance with specific requirements in the provision of services offered to the public.

2. The certification of a certification service provider may be requested by the certification service provider and may be carried out, inter alia, by certification entities recognized by a designated accreditation entity in accordance with the provisions of the Law 21/1992, of 16 July, of Industry, and its provisions of development.

3. Technical standards or other appropriate certification criteria may be used in certification procedures. Where technical standards are used, those that have broad recognition approved by European standardisation bodies and, failing that, other international or Spanish standards shall be used.

4. Certification of a certification service provider shall not be necessary to recognise legal effectiveness for an electronic signature.

Article 27. Certification of secure electronic signature creation devices.

1. The certification of secure electronic signature creation devices is the procedure by which a device is proven to meet the requirements set forth in this law for consideration as a secure signature creation device.

2. The certification may be requested by the manufacturers or importers of signature creation devices and shall be carried out by the certification bodies recognised by a designated accreditation body in accordance with the provisions of the Law 21/1992, of 16 July, of Industry and its provisions of development.

3. The certification procedures shall be used for the technical standards whose reference numbers have been published in the Official Journal of the European Union and, exceptionally, those approved by the Ministry of Science and Technology. publish on the Internet address of this Ministry.

4. The certificates of conformity of the secure signature creation devices shall be amended or, where appropriate, revoked when the conditions for obtaining them are no longer met.

Certification bodies will ensure the dissemination of certificate revocation decisions for signature creation devices.

Article 28. Recognition of compliance with the rules applicable to electronic signature products.

1. It shall be presumed that the electronic signature products referred to in Article 20 (1) (d) and Article 24 (3) are in conformity with the requirements laid down in those Articles if they comply with the technical standards the reference numbers of which have been published in the Official Journal of the European Union.

2. Certificates of conformity on secure signature creation devices which have been granted by the bodies designated for that purpose in any Member State of the European Economic Area shall be recognised as effective.

TITLE V

Monitoring and control

Article 29. Monitoring and control.

1. The Ministry of Science and Technology shall monitor compliance by certification service providers who issue electronic certificates to the public of the obligations laid down in this law and in its development provisions. It shall also monitor the operation of the system and the certification bodies of secure electronic signature creation devices.

2. The Ministry of Science and Technology shall carry out the inspection measures that are necessary for the exercise of its control function.

Officials attached to the Ministry of Science and Technology carrying out the inspection referred to in the previous paragraph shall be considered as public authorities in the performance of their duties.

3. The Ministry of Science and Technology may agree on appropriate measures for compliance with this law and its development provisions.

4. The Ministry of Science and Technology may have recourse to independent and technically qualified entities to assist it in the supervision and control work on certification service providers assigned to it by this law.

Article 30. Duty of information and collaboration.

1. Certification service providers, the independent accreditation body and certification bodies have an obligation to provide the Ministry of Science and Technology with all the necessary information and collaboration for the exercise of their functions.

In particular, they shall allow their agents or the inspection staff to have access to their facilities and the consultation of any documentation relevant to the inspection concerned, where appropriate, where appropriate, Article 8.5 of Law 29/1998 of July 13, the regulator of the Jurisdiction-Administrative Jurisdiction. In their inspections, they may be accompanied by experts or experts in the fields on which they are concerned.

2. Certification service providers shall communicate to the Ministry of Science and Technology the start of their activity, their identification data, including the tax identification and registration, if any, of the data to be established. communication with the provider, including the domain name of the Internet, the public attention data, the characteristics of the services to be provided, the certifications obtained for its services and the certifications of the devices that they use. This information shall be duly updated by the providers and shall be published in the internet address of the said ministry in order to give it maximum dissemination and knowledge.

3. Where, as a result of an inspector's performance, knowledge of facts which may be the constituent of offences established in other laws, the bodies or bodies responsible for their supervision shall be given the same account. sanction.

TITLE VI

Violations and penalties

Article 31. Violations.

1. Infringements of the provisions of this law are classified as very serious, serious and minor.

2. These are very serious violations:

(a) Failure to comply with any of the obligations laid down in Articles 18 and 20 on the issue of recognised certificates, provided that serious damage has been caused to the users or the safety of the services of certification has been severely affected.

The provisions of this paragraph shall not apply in respect of non-compliance with the obligation to provide the economic guarantee provided for in Article 20 (2).

(b) The issue of recognised certificates without carrying out all the previous checks referred to in Article 12, where this affects the majority of recognised certificates issued in the three years preceding the start of the a penalty procedure or from the start of the activity of the provider if this period is less.

3. These are serious violations:

(a) Failure to comply with any of the obligations laid down in Articles 18 and 20 on the issue of recognised certificates, except for the obligation to provide the security provided for in Article 20 (2), where it does not constitute a very serious infringement.

(b) The lack of establishment by providers issuing recognised certificates of the economic guarantee referred to in Article 20 (2).

(c) The issue of recognised certificates without carrying out all the previous checks referred to in Article 12, in cases where it does not constitute a very serious infringement.

(d) Failure by certification service providers not to issue recognised certificates of the obligations referred to in Article 18, if serious harm to the users or the safety of the certification services would have been severely affected.

(e) Failure by a service provider to certify the obligations laid down in Article 21 in respect of the cessation of its activities or the production of circumstances which prevent the continuation of its activities; the activity, where the activities are not punishable in accordance with the provisions of the Organic Law 15/1999 of 13 December on the Protection of Personal Data.

(f) Unjustified resistance, obstruction, excuse or refusal to the inspector's performance of the bodies empowered to carry it out in accordance with this law and the lack or lack of presentation of the requested information by of the Ministry of Science and Technology in its inspection and control function.

g) Failure to comply with resolutions issued by the Ministry of Science and Technology to ensure that the certification service provider complies with this law.

4. They constitute minor infractions:

Failure by certification service providers not to issue recognised certificates, of the obligations referred to in Article 18 and the other of this law, where it does not constitute a serious or very serious infringement serious, except those contained in Article 30 (2).

Article 32. Penalties.

1. For the commission of offences referred to in the previous article, the following penalties shall be imposed:

(a) For the commission of very serious infractions, the infringer will be charged a fine of 150,001 to 600,000 euros.

The commission of two or more serious infringements within three years may, depending on the criteria for the graduation of the following article, give rise to the ban on action in Spain for a maximum period of two years.

b) For the commission of serious infractions, the infringer shall be imposed a fine of 30,001 to 150,000 euros.

c) For the commission of minor infractions, the infringer shall be charged a fine of up to 30,000 euros.

2. Serious and very serious infringements may be carried out, at the expense of the sanction, the publication of the sanction resolution in the "Official State Gazette" and in two national newspapers or on the homepage of the website of the provider and, where appropriate, on the website of the Ministry of Science and Technology, once the latter has a firm character.

For the imposition of this sanction, the social impact of the offence committed, the number of users affected and the severity of the offence will be considered.

Article 33. Graduation of the amount of the penalties.

The amount of fines imposed, within the limits indicated, shall be graduated taking into account the following:

a) The existence of intentionality or reiteration.

b) The recidivism, by commission of infractions of the same nature, sanctioned by firm resolution.

c) The nature and extent of the damage caused.

d) Time limit during which the infringement has been committed e) The benefit that the infringer has reported to the infringer.

f) Volume of billing to affect committed violation.

Article 34. Provisional measures.

1. In the case of criminal proceedings for serious or very serious infringements, the Ministry of Science and Technology may adopt, in accordance with Law No 30/1992 of 26 November 1992, the Legal System of Public Administrations and the Rules of Procedure Common Administrative and its implementing rules, the measures of a provisional nature which are deemed necessary to ensure the effectiveness of the resolution which is definitively adopted, the good end of the procedure, the prevention of the effects of the of the infringement and the requirements of the general interest.

In particular, the following may be agreed:

(a) Temporary suspension of the activity of the certification service provider and, where appropriate, provisional closure of its establishments.

b) Precinct, deposit or seizure of records, media and computer files and documents in general, as well as computer equipment and equipment of all types.

(c) Warning to the public of the existence of possible infringing conduct and of the opening of the sanctioning file in question, as well as of the measures taken to cease such conduct.

In the adoption and enforcement of the restriction measures referred to in this paragraph, the guarantees, rules and procedures provided for in the legal order to protect the rights to privacy will be respected in any case. personnel and the protection of personal data, where personal data may be affected.

2. In the case of damages of exceptional seriousness in the safety of systems employed by the service provider of certification that seriously undermine the trust of the users in the services offered, the Ministry of Science and Technology may agree to the suspension or loss of validity of the certificates concerned, even if they are final.

3. In any event, the principle of proportionality of the measure shall be respected with the objectives to be achieved in each case.

4. In cases of urgency and for the immediate protection of the interests involved, the provisional measures provided for in this Article may be agreed upon prior to the initiation of the sanctioning file.

The measures must be confirmed, modified or lifted in the initiation agreement of the procedure, which must be carried out within 15 days of its adoption, which may be the subject of the appropriate action.

In any event, such measures shall be without effect if the sanctioning procedure is not initiated within that period or where the initiation agreement does not contain an express statement about them.

Article 35. Periodic penalty payment.

The administrative body responsible for resolving the sanctioning procedure may impose periodic penalty payments in the amount not exceeding EUR 6 000 for each day that elapses without complying with the provisional measures that would have taken place. agreed.

Article 36. Competition and sanctioning procedure.

1. The imposition of penalties for failure to comply with this law will, in the case of very serious infringements, correspond to the Minister of Science and Technology and in the case of serious and minor infringements, the Secretary of State for Telecommunications and for the Information Society.

However, failure to comply with the obligations laid down in Article 17 shall be sanctioned by the Data Protection Agency in accordance with the provisions of the Organic Law 15/1999 of 13 December on Data Protection. Personal Character.

2. The sanctioning power regulated in this Law shall be exercised in accordance with the provisions of the Law on the Legal Regime of Public Administrations and the Common Administrative Procedure and its implementing rules.

Additional disposition first. Public faith and use of electronic signatures.

1. The provisions of this law do not replace or amend the rules governing functions which correspond to officials who are legally entitled to give faith in documents as regards the scope of their powers provided that they act with the requirements required by law.

2. In the field of electronic documentation, it shall be for the authorities of certification services to prove the existence of the services provided in the exercise of their electronic certification activity, at the request of the user, or a judicial or administrative authority.

Additional provision second. Exercise of the sanctioning authority on the accreditation entity and the certification bodies for electronic signature creation devices.

1. In the field of certification of signature creation devices, it will be up to the Secretary of State for Telecommunications and the Information Society of the Ministry of Science and Technology to impose sanctions by the commission, by the certification bodies for electronic signature creation devices or by the institution which accredits them, for the serious infringements referred to in paragraphs e), f) and g) of Article 31 (2) of Law 21/1992, 16 of In July, the Commission shall, in accordance with the procedure laid down in Article 3 (2), provide for the following: 31 of that law which they commit in the exercise of activities related to the certification of electronic signatures.

2. Where such offences are subject to the qualification of very serious infringements, they shall be sanctioned by the Minister for Science and Technology.

Additional provision third. Issuing of electronic certificates to entities without legal personality for the performance of tax obligations.

Electronic certificates may be issued to entities without legal personality as referred to in Article 33 of the General Tax Law for the sole purposes of their use in the tax area, in terms of establish the Minister of Finance.

Additional provision fourth. Provision of services by the National Mint and Timbre-Real Casa de la Moneda.

The provisions of this law are without prejudice to the provisions of Article 81 of Law 66/1997 of 30 December 1997 on fiscal, administrative and social order measures.

Additional provision fifth. Amendment of Article 81 of Law 66/1997 of 30 December 1997 on fiscal, administrative and social order measures.

Paragraph 12 is added to Article 81 of Law 66/1997, of December 30, of fiscal, administrative and social order measures, with the following wording.

" Twelve. In the exercise of the functions attributed to him by this article, the National Mint and Currency-Real Casa de la Moneda shall be exempt from the lodging of the security referred to in Article 20 (2) of Law 59/2003, Electronic Signature. "

Additional provision sixth. Legal status of the national electronic identity document.

1. Without prejudice to the application of the current national identity document in all matters that are in accordance with its particular characteristics, the national electronic identity document shall be governed by its rules of law. specifies.

2. The Ministry of Science and Technology may contact the Ministry of the Interior to take the necessary measures to ensure compliance with the obligations incumbent upon it as a provider of certification services. in relation to the national electronic identity document.

Additional provision seventh. Issuance of invoices by electronic means.

The provisions of this law are without prejudice to the requirements arising from the tax rules on the issue of invoices by electronic means.

Additional disposition octave. Amendments to Law 34/2002 of 11 July on services of the information society and electronic commerce.

One. Addition of a new paragraph 3 to Article 10 of Law 34/2002 of 11 July on services of the information society and electronic commerce.

A paragraph 3 is added with the following text:

" 3. Where a range of telephone numbers has been assigned to additional charging services in which access to the information society services is permitted and its use by the service provider is required, it shall be use and download of software that performs marking functions, must be done with the prior, informed and express consent of the user.

For this purpose, the service provider shall provide at least the following information:

a) The characteristics of the service to be provided.

b) The functions that will be performed by the computer programs that are downloaded, including the telephone number that will be marked.

(c) The procedure for ending the connection of additional charging, including an explanation of the particular time at which that end will occur, and (d) The procedure necessary to restore the connection number prior to the additional charging connection.

The above information should be clearly visible and identifiable.

The provisions of this paragraph are without prejudice to the provisions of the telecommunications regulations, in particular with regard to the applicable requirements for access by users to the telephone numbers, where appropriate, attributed to the additional charging services. '

Two. Article 38 (2), (3) and (4) of Law 34/2002 of 11 July 2002 on the services of the information society and electronic commerce are drawn up in the following terms

" 2. These are very serious violations:

(a) Failure to comply with the orders given pursuant to Article 8 in those cases where they have been given by an administrative body.

(b) Failure to comply with the obligation to suspend transmission, data accommodation, access to the network or the provision of any other equivalent intermediary service, where a competent administrative body is required to do so; order, pursuant to Article 11.

(c) The significant breach of the obligation to retain traffic data generated by the communications established during the provision of a service of the information society, as provided for in Article 12.

(d) The use of the retained data, in compliance with Article 12, for purposes other than those mentioned in it.

3. These are serious violations:

(a) Failure to comply with the obligation to retain traffic data generated by communications established during the provision of a service of the information society, as provided for in Article 12, unless it must be considered to be a very serious infringement.

(b) The significant non-compliance with the provisions of paragraphs (a) and (f) of Article 10.1.

c) The mass shipment of commercial communications by e-mail or other equivalent electronic means of communication or the dispatch, within one year, of more than three commercial communications by the means referred to the same consignee, where the requirements laid down in Article 21 are not met in those consignments.

(d) The significant non-compliance with the obligation of the service provider established in Article 22 (1), in relation to the procedures for revoking the consent given by the recipients.

(e) Not to make available to the recipient of the service the general conditions to which the contract is subject, as provided for in Article 27.

(f) The usual non-compliance with the obligation to confirm receipt of an acceptance, where the exclusion has not been agreed or the contract has been concluded with a consumer.

g) The resistance, excuse or refusal to the inspector's performance of the organs empowered to carry it out in accordance with this law.

h) The significant non-compliance with the provisions of Article 10 (3).

i) the significant non-compliance with the reporting obligations or the establishment of a data-processing rejection procedure as set out in Article 22 (2).

4. They are minor infractions:

(a) The lack of communication to the public registry in which they are registered, in accordance with Article 9, of the name or domain names or addresses of the Internet that they employ for the provision of services of the information society.

(b) Not to report in the manner prescribed by Article 10.1 on the aspects referred to in paragraphs (b), (c), (d), (e) and (g) thereof, or paragraphs (a) and (f) where it does not constitute a serious infringement.

(d) The sending of commercial communications by e-mail or other equivalent electronic means of communication where the requirements laid down in Article 21 are not met in such consignments and do not constitute an infringement severe.

e) Not to provide the information referred to in Article 27.1, where the parties have not agreed to their exclusion or the addressee is a consumer.

(f) Failure to comply with the obligation to confirm receipt of a request in accordance with Article 28, where the exclusion of the request has not been agreed or the contract has been concluded with a consumer, unless constitutes a serious infringement.

g) Failure to comply with the reporting obligations or to establish a procedure for the rejection of data processing, as set out in Article 22 (2), where it does not constitute a serious infringement.

(h) Failure to comply with the obligation of the service provider established in Article 22 (1), in relation to the procedures for revoking the consent given by the addressees where it does not constitute serious violation.

(i) Failure to comply with Article 10 (3), where it does not constitute a serious infringement. "

Three. Amendment of Article 43 (1), second paragraph of Law 34/2002 of 11 July on services of the information society and electronic commerce.

The second subparagraph of Article 43 (1) is worded as follows:

" notwithstanding the foregoing, the imposition of penalties for failure to comply with the decisions given by the competent bodies in the light of the relevant matter or entity referred to in paragraphs (a) and (b) of the Article 38.2 of this law shall correspond to the body which issued the unfulfilled decision. It shall also be the responsibility of the Data Protection Agency to impose penalties for the commission of the offences referred to in Articles 38.3 (c), (d) and (i) and (d), (g) and (h) of this Act. "

Four. Amendment of Article 43 (2) of Law 34/2002 of 11 July of services of the information society and electronic commerce.

Article 43 (2) is worded as follows:

" 2. The sanctioning authority governed by this law shall be exercised in accordance with the provisions of Law No 30/1992 of 26 November 1992 on the Legal Regime of Public Administrations and the Common Administrative Procedure, and on its rules of development. However, the maximum duration of the simplified procedure shall be three months. '

Additional provision ninth. Accessibility guarantee for people with disabilities and seniors.

Electronic signature services, processes, procedures and devices must be fully accessible to persons with disabilities and the elderly, who may not be discriminated against in any case of the rights and powers recognized in this law for reasons based on disability or advanced age.

Additional provision 10th. Amendment of the Law on Civil Procedure.

A paragraph three is added to Article 326 of the Civil Procedure Act with the following wording:

"Where the party to whom the effectiveness of an electronic document is concerned is requested or challenged by its authenticity, it shall be carried out in accordance with Article 3 of the Law on Electronic Signature."

First transient disposition. Validity of electronic certificates issued prior to the entry into force of this law.

Electronic certificates that have been issued by certification service providers under the Royal Decree Law 14/1999 of 17 September on electronic signatures will remain valid.

Second transient disposition. Certification service providers established in Spain prior to the entry into force of this law.

The certification service providers established in Spain prior to the entry into force of this law will have to communicate to the Ministry of Science and Technology their activity and the characteristics of the services they provide in the period of one month from the date of entry into force. This information will be published in the internet address of the ministry in order to give you the maximum dissemination and knowledge.

Single repeal provision. Regulatory repeal.

The Royal Decree Law 14/1999 of 17 September on electronic signatures is repealed and all provisions of equal or lower rank are contrary to the provisions of this law.

Final disposition first. Constitutional foundation.

This law is issued under the terms of Article 149.1.8., 18. ª, 21. and 29. of the Constitution.

Final disposition second. Regulatory development.

1. The Government will adapt the regulatory regulation of the national identity document to the provisions of this law.

2. The Government is also empowered to issue the other regulatory provisions that are necessary for the development and implementation of this law.

Final disposition third. Entry into force.

This law shall enter into force three months after its publication in the "Official State Gazette".

Therefore, I command all Spaniards, individuals and authorities, to keep and keep this law.

Madrid, 19 December 2003.

JOHN CARLOS R.

The President of the Government,

JOSÉ MARÍA AZNAR LÓPEZ

Law 59/2003, Of 19 December, Electronic Signature.

Original Language Title: Ley 59/2003, de 19 de diciembre, de firma electrónica.

Subscribe to a Global-Regulation Premium Membership Today!

TEXT

Search Translated Laws of Spain