MACAU SAR, CHINA Law and Practice Contributed by: Pedro Cortés and Luís Rôlo, Lektou
8. Trust Services and Digital Entities 8.1 Trust Services and Electronic Signatures/Digital Identity Schemes The Electronic Documents and Signatures Law (Law No 5/2005) establishes the legal frame - work for electronic documents and signatures, in which “electronic document” is defined as the result of electronic data processing for the pur - pose of reproducing or representing a person, thing or fact. In terms of the “electronic signatures”, three types of electronic signatures are distinguished in the Electronic Documents and Signatures Law. • “Electronic signature” ‒ simply a set of data in electronic form that, linked or logically associated with an electronic document, can be used as a method to make its authorship known. • “Advanced electronic signature” ‒ electronic signature that is unequivocally linked to the signatory and can be used to verify the signa - tory’s identity, is created using means that are solely under the signatory’s control, and is so linked to the document to which it is affixed that any changes made after it has been applied are detectable. • “Qualified electronic signature” ‒ advanced electronic signature based on a qualified certificate, the signature is created through a secure signature creation device, and can effectively prevent the signature from being fraudulently used in accordance with inter - nationally recognised standards. Affixing a qualified electronic signature is legally equiva - lent to an autograph signature.
A Local Entity as Data Controller Should the local entity be the data controller, then it is bound by the obligations set out in the PDPA as indicated above, inter alia, with regard to the need to obtain the unequivocal consent of the data subject and to provide all the necessary information, as well as to ensure that the sub- contractor implements the appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised dis - closure or access, in particular, where the pro - cessing involves the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the Where processing of data is carried out on behalf of the data controller (eg, by a local entity), the data controller must choose a subcontractor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing of the data, and must further ensure compliance with those measures. The processing by a subcontractor must be governed by a contract or legal act, binding the subcontractor to the data controller and stipulating in particular that the subcontrac - tor shall act only on instructions from the data controller, and that the obligations set out in the PDPA regarding data security measures shall also be incumbent on the subcontractor. For the purposes of keeping proof, the parties to the contract or the legal act relating to data protec - tion and the requirements relating to the data security measures must be in writing in a docu - ment with legally recognised probative value. art and the cost of implementation. A Subcontractor as Data Processor
211 CHAMBERS.COM
Powered by FlippingBook