Advanced electronic signature in Smart OSH
When you send a document to a worker from Smart OSH for them to sign — a risk assessment, PPE delivery, training certificate — the platform applies a set of technical measures that grant it validity as an advanced electronic signature according to Regulation (EU) 910/2014 (eIDAS).
This page explains what Smart OSH does to guarantee that validity, what evidence it generates and you can consult, and what responsibilities lie with you as the client and data controller.
What Smart OSH does to guarantee legal validity
Smart OSH implements four measures that, together, meet the requirements of the advanced electronic signature:
- Signing the document with an internal digital certificate that guarantees integrity: any subsequent modification of the document is detectable.
- Embedding the signatory’s signature in the final document.
- Audit log with complete traceability of the transaction.
- Legacy evidential document automatically generated for each signature, detailing the full lifecycle.
The Legacy evidential document
For each signature made, Smart OSH generates a PDF evidential document signed with an internal digital certificate, also known as a Legal evidential certificate or Legal completion certificate.
This document contains all the electronic evidence of the transaction, divided into two stages:
At the time of sending the document:
- Full details of the client company: physical address, email and area manager (OSH / HR).
- Details of the person making the communication (the SPA, where applicable).
- Origin email account and origin IP address.
- Unique document identifier.
- Purpose of the transaction (for example, Risk assessment December 2025).
- Unique worker identifier, full name and contact details.
- Date and time of sending.
At the time of receipt and signature by the worker:
- Destination email account of the worker.
- IP address from which the document was opened.
- Image of the signature.
- Date and time of the signature.
- Date and time of final processing.
- Hash of the digital certificate guaranteeing confidentiality and integrity.
How to access the evidence
The evidence generated is accessible to both the client administrator and the signing worker:
- The signed document can be viewed from the application front-end.
- It is also sent by email to the worker and, optionally, to the client.
- The Legacy evidential PDF can be downloaded from the administrator account.
- A list of evidence (report) can be generated with: company, document identifier, transaction purpose, worker details, sending date and signing date.
What is your responsibility as a client
Smart OSH provides the technical infrastructure, but as the data controller under the GDPR there are three points you must attend to:
Worker’s corporate email
To ensure the signature unequivocally identifies the signatory, always use the worker’s personal email account within your organisation’s domain. Avoid generic accounts (info@, personal@, etc.).
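A client-side check of exported evidence records against the evidence items listed earlier and the corporate-email rule above, as an added example (not Smart OSH code). The field names, the record shape and the extra generic mailbox names are hypothetical, since the page does not define a report format.

```python
from datetime import datetime

# Hypothetical field names for one row of the evidence report; the page
# lists the evidence items but not the export format.
REQUIRED = ("document_id", "purpose", "worker_id", "worker_email", "origin_ip",
            "open_ip", "sent_at", "signed_at", "processed_at", "certificate_hash")
# Generic local parts: the two the page names plus constructed extras.
GENERIC_LOCAL_PARTS = {"info", "personal", "admin", "hr", "rrhh", "office"}


def audit_evidence(record, org_domain):
    """Return a list of findings for one evidence record (empty list = clean)."""
    findings = [f"missing field: {k}" for k in REQUIRED if not record.get(k)]

    # The signatory must be identified by an individual mailbox in the org domain.
    local, _, domain = str(record.get("worker_email", "")).lower().rpartition("@")
    if not local or domain != org_domain.lower():
        findings.append("worker email is outside the organisation's domain")
    elif local in GENERIC_LOCAL_PARTS:
        findings.append("worker email is a generic account")

    # Lifecycle order: sending, then signature, then final processing.
    try:
        sent, signed, done = (datetime.fromisoformat(record[k])
                              for k in ("sent_at", "signed_at", "processed_at"))
        if not sent <= signed <= done:
            findings.append("timestamps are out of lifecycle order")
    except (KeyError, TypeError, ValueError):
        findings.append("timestamps missing or not ISO 8601")
    return findings


# Constructed sample records (not real Smart OSH output).
GOOD = {"document_id": "DOC-0001", "purpose": "Risk assessment December 2025",
        "worker_id": "W-042", "worker_email": "ana.lopez@example.com",
        "origin_ip": "192.0.2.10", "open_ip": "198.51.100.7",
        "sent_at": "2025-12-01T09:00:00+01:00",
        "signed_at": "2025-12-01T10:15:00+01:00",
        "processed_at": "2025-12-01T10:15:05+01:00",
        "certificate_hash": "<hash from the evidential PDF>"}
BAD = dict(GOOD, worker_email="info@example.com",
           signed_at="2025-11-30T10:15:00+01:00")

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_evidence(rec, "example.com"))
```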
Duty to inform workers
Include the use of this tool — and the purpose of processing their email account — in the privacy policies or statements you already provide to your workers. This is an obligation under the GDPR that falls on you as the data controller.
Additional retention
Although Smart OSH stores the signed document and evidential certificate persistently, it is recommended as good practice to keep a copy of this documentation in your own internal systems.
Legal framework reference
Smart OSH relies on the following regulatory framework:
- Law 1/2000, Civil Procedure Act.
- Law 34/2002, on Information Society Services and Electronic Commerce.
- Law 59/2003, on Electronic Signature.
- Law 11/2007, on Electronic Access of Citizens to Public Services.
- Regulation (EU) 910/2014 (eIDAS).
- Law 39/2015, on Common Administrative Procedure.
- Regulation (EU) 2016/679 (GDPR).
- Organic Law 3/2018, on Personal Data Protection and Guarantee of Digital Rights.
Under Spanish law, the validity of a contract does not require a handwritten signature: it is valid if the parties with legal capacity reach an agreement, whether verbally, electronically or on paper.
Types of electronic signature according to eIDAS
The eIDAS Regulation is technologically neutral and recognises three types of signature. Smart OSH implements the advanced electronic signature (AES), which is suitable for the usual OSH and HR processes.
Simple signature
A check or acceptance box. It allows expressing consent, but does not reliably identify the signatory. In case of litigation, it is very difficult to prove who accepted the document.
Advanced signature (AES) — the one used by Smart OSH
Meets four cumulative requirements:
- It is uniquely linked to the signatory.
- It allows identification of the signatory.
- It is created with means that the signatory maintains under their exclusive control.
- It is linked to the signed data so that any subsequent modification is detectable.
Qualified signature
A variant of the AES with a secure creation device certified by a governmental body. It offers the highest legal guarantees (fully equivalent to a handwritten signature) but is not necessary for the usual use cases of Smart OSH.
Source: “Advanced electronic signature in document distribution”, report prepared by Toni Martín Ávila (IT Government Assessor & DPO, IT360.es) for PrevenControl, 22 April 2019.