7.1 Participation in the TDH Ecosystem – The contractual model

The procedures for joining the TDH Digital Ecosystem involve signing conventions and contracts that govern the operations of the Second and Third Parties with regard to the exchange of data and contents, both with subjects within the Ecosystem and with external subjects such as, for example, tourists who will use the contents displayed on the Tourism Digital Hub.

Given the continuous evolution of the digital world and the need to better protect all categories of data, in compliance with the obligations established by the European and national legislator, the contractual model for joining the TDH Ecosystem was defined using a methodological approach based on the following elements:

Enrollment mode

Enrollment in TDH’s Digital Ecosystem is made digitally, with standard identification by:

  • SPID – mandatory
  • eIDAS – mandatory
  • Electronic Identity Card (CIE)
  • Health Card - National Services Card (TS - CNS)

The computer documents formed (the membership agreement and its attachments) are signed, in accordance with the applicable standards, by:

  • Signature through the Public Digital Identity Service (SPID [3])
  • Digital signature according to the eIDAS [4] Regulation
  • FEQ (Qualified E-Signature)

The correct management of delegation is also guaranteed at the time of signing the adhesion contract (in this sense, for institutions and companies it is necessary to manage the issue of delegation at signing, that is, the verification that a specific person can bind the organization through their signature).

Simplicity

The process of joining and signing the contract is facilitated by placing on institutional bodies only the contractual obligations that are really necessary and by guaranteeing a streamlined contractual model.

Standardization

The standardization of contractual models is ensured, delegating the insertion of any ancillary clauses to the annexes.

Personal Data Protection

The approach used is Privacy by Design, i.e., compliance with the fundamental principles of personal data protection, while appropriately setting out the methods of personal data processing at the time of signing the contract.

Data type

The categories / types of data to be transferred in the various stages of implementation are identified. At the same time, the contractual model provides reasonable control mechanisms over the ownership of the rights of use, correctness, reliability and updating of the data to be transferred to the Ministry of Tourism, sets out the parties' obligations of processing, storage and destruction in accordance with the law, and provides sufficient guarantees and indemnities in favor of the Ministry itself and the participants in the ecosystem.

Data Security

There must be an adequate level of control over the minimum security standards for data and transmission systems, in line with data & cyber security best practice standards designed to minimize system risk.

API Management

The following API management aspects are clearly spelled out:

  • Binding and non-derogable technological and security standards;
  • Validation and control process by means of a competent structure (Technical Management Board and team) that validates, certifies and monitors APIs and content at start-up and when fully operational;
  • Periodic review processes for APIs and content.

[3] With the adoption of Resolution n. 157/2020 of March 23, 2020, "Emanation of the Guidelines for the electronic signature of documents pursuant to art. 20 of the CAD", AgID has introduced a new way of signing computer documents: the Signature through the Public Digital Identity Service. The architecture of the signing process with SPID relies on art. 20 of the CAD, where it is stated that the fulfilment of the requirement of the written form and the effectiveness provided for by article 2702 of the Civil Code of the computer document formed takes place, after the computer identification of its author, through a process having the requirements set by AgID pursuant to art. 71 in such a way as to ensure the security, integrity and immodifiability of the document and, in a clear and unequivocal way, its traceability to the author.

[4] The eIDAS Regulation (Electronic identification and trust services), effective as of July 1, 2016, establishes the conditions for mutual recognition in the field of electronic identification and common rules for electronic signatures, web authentication and related trust services for electronic transactions. The measure makes it possible to adopt at European level a single, homogeneous and interoperable technical-legal framework in the field of electronic signatures, electronic seals, electronic time validations, electronic documents, as well as for electronic registered mail services and certification services for Web Authentication.

Consequently, according to art. 20 of the CAD, similarly to the SPID Digital Signature, also the eIDAS digital signature affixed on IT documents satisfies the requirement of the written form and has the effectiveness provided for by article 2702 of the Civil Code when it is formed, after computer identification of its author, through a process having the requirements fixed by AgID according to art. 71 in such a way as to guarantee the security, integrity and immodifiability of the document and, in a clear and unequivocal way, its traceability back to the author.