The European Directive on Electronic Signature has been implemented under Spanish law by the Royal Decree Law 14/1999 dated September 17, 1999 (the “Spanish Act on Electronic Signatures”). The Spanish Act sets out the general legal framework for the use of electronic signatures, recognition of their legal effect and the provision of certification services to the public.
This Act should foster the development of e-commerce in Spain. It provides that an electronic signature has the same probative value as a handwritten signature provided that it is secure. This Act also describes the procedure that a company manufacturing signature creation devices should follow in order to obtain a qualified certificate in Spain.
What is an electronic signature?
The Spanish Act on Electronic Signatures distinguishes between electronic signatures and advanced electronic signatures. An electronic signature is defined as data in electronic form, associated with other electronic data or functionally associated with such data, used as a means to formally identify the author or authors of an electronic document. An advanced electronic signature is defined as an electronic signature that identifies the author and has been created using a method that the author has under its exclusive control and is uniquely linked to that author and to the data to which it refers, so that any subsequent modification of the data is detectable.
What is the fundamental principle of the Spanish Act on Electronic Signatures?
An advanced electronic signature is deemed to comply with all the necessary requirements for legal validity if the qualified certificate on which the signature is based has been issued by an accredited certification service provider and the secured signature creation device used to generate the signature has been certified.
What is a certification service provider?
A certification service provider is an individual or organization that issues the certification on which the electronic signature is based. The Spanish Act on Electronic Signatures applies to all certification service providers located in Spain. Certification service providers may issue qualified or non-qualified certifications. Non-qualified certifications are electronic certifications that link signature verification data (i.e., the public key) to a signatory in order to confirm her identity. Qualified certifications are certifications that contain information required by law, such as the powers of the signatory, a unique identification code, etc.
What requirements apply to certification service providers?
Certification service providers must comply with a number of requirements. They must, for instance, apply for their registration at the Certification Service Providers Registry prior to the commencement of their business activities; verify the identity of any individual applying for certification; and provide the signature creation device and the signature verification device. If certification service providers are to issue qualified certifications, they must also comply with a number of additional obligations. They must, for example, provide a reliable service by guaranteeing to customers a rapid and secure service; employ qualified personnel; keep relevant documentation for 15 years; and provide a bank guarantee or insurance policy of 4% of the value for which the use of each certification issued is limited.
Certification service providers and certified electronic signature products are accredited by the General Secretary for Communications.