Paperless declaration of consent – but the right way!

Who has become a tattoo artist or piercer only to have to deal with lots of paperwork every day? In the age of cell phones, iPads and the like, it’s only natural to do all this stuff electronically. However, the paperless declaration of consent sometimes has a few pitfalls.

Two things first:

  1. The problems and conditions we point out here are not of our making. They existed before us. Please don’t blame the messenger; it’s not our fault.
  2. There is light at the end of the tunnel. Of course, we also offer solutions for all the problems.

What is the point of all this?

In principle, our industry needs no paperwork at all, because our contracts and agreements are not subject to any formal requirement. Even a purely verbal agreement would be valid.

The problem only appears when there is a dispute, because then you have to prove things in court. So: Did I inform my customer correctly? Did they consent to the tattoo/piercing (which is, legally, bodily harm)? Did the legal guardians give their consent? That is what the forms and signatures are for. A dispute like this can quickly run into five figures; if clinical treatment is involved, even six.

The studio is liable too

We would also like to remind you of our last info letter. As a rule, the studio owner is also liable for formal omissions by the supposedly independent artists working there. It is therefore worthwhile for both the artist and the studio to pay a little attention to this issue.

The assessment of evidence in court

The advantage of contracts with handwritten signatures is that a court must accept them as evidence: a signed private document proves that the signer made the declarations it contains. In case of doubt, a court-appointed handwriting expert can confirm the authenticity of the signature.

Simple emails or copies (scans) of signed contracts do not enjoy this status. They fall under what is called the court’s free assessment of evidence: the judge decides at his or her own discretion whether to admit such a document at all and how much weight to give it.

The good news: since the eIDAS Regulation took effect in 2016, an electronic signature may no longer be refused as evidence merely because it is electronic. To carry real weight, however, it must at least meet the requirements of an “advanced electronic signature” (and only a “qualified electronic signature” is legally equivalent to a handwritten one).

Digital signatures

And, who would have expected otherwise, this is not trivial. After all, Europe is first and foremost a bureaucracy. For a digital signature to meet the eIDAS requirements for an advanced electronic signature, all of the following criteria (and more!) must be met.

Now that we have some experience in this area, we have to admit that every single one of these criteria makes sense:

  • Sole control
    The signature must be created under the sole control of the signatory and be uniquely linked to him or her. It must therefore be impossible to lift a digital signature from one document and place it under another (copy & paste); a signature that is merely an image of a signature fails this test.
  • Identifiability
    It must be possible to clearly identify the signatory from the digital signature. An email from a particular sender address is not sufficient here, since sender addresses can be forged. A signing key bound to a certificate (e.g. the one on the new electronic ID cards) or unique biometric data are suitable, however.
  • Metadata
    In addition to the signature, further data about its creation, so-called metadata, must be recorded and stored: for example place, date and time. It must not be possible to manipulate this metadata (e.g. by simply changing the date setting on the device), which in practice means the signing service records it and the signature covers it as well.
  • Unchangeable
    Once a document has been electronically signed, neither the document nor the signature may be changeable without this being detectable afterwards. A scanned document, for example, offers nothing of the kind.
  • Verifiable
    A court-appointed expert must be able to check all of the above criteria afterwards.
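To make the first four criteria concrete, here is an added example in Go (not code from this page or from kisscal.tattoo): it signs the consent text together with its metadata using an Ed25519 key, then shows that the signature no longer verifies once it is moved to another document or the timestamp is edited. The signer identifier, the place and time fields, the sample consent text and the locally generated key are assumptions made for illustration; a real advanced electronic signature additionally needs the key bound to a verified identity through a certificate, which this toy does not provide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SignedConsent is the record a studio would keep: the consent text, the
// creation metadata, and one signature that covers all of it at once.
// Because the signature is computed over a hash of document AND metadata,
// it is bound to exactly this document and cannot be moved to another one.
type SignedConsent struct {
	Document  string    // the declaration of consent as shown to the customer
	SignedAt  time.Time // assumption: set by the signing service, not by the device clock
	Place     string
	SignerID  string // assumption: identifier the key was bound to at an identity check
	PublicKey ed25519.PublicKey
	Signature []byte
}

// coveredHash canonicalises every field the signature protects into JSON and
// hashes it. Changing any one of them, even only the timestamp, changes the hash.
func coveredHash(document string, signedAt time.Time, place, signerID string) []byte {
	payload, err := json.Marshal(struct {
		Document string `json:"document"`
		SignedAt string `json:"signed_at"`
		Place    string `json:"place"`
		SignerID string `json:"signer_id"`
	}{document, signedAt.UTC().Format(time.RFC3339), place, signerID})
	if err != nil {
		panic(err) // cannot happen for plain string fields
	}
	sum := sha256.Sum256(payload)
	return sum[:]
}

// NewSignerKey creates the customer's signing key. In a real eIDAS setup this
// key lives in a certificate-backed signing service under the signer's sole
// control; here it is generated locally purely for illustration.
func NewSignerKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Sign produces the record. Document, time, place and signer identity are all
// inside the signed hash, so none of them can be edited afterwards unnoticed.
func Sign(priv ed25519.PrivateKey, signerID, document, place string, signedAt time.Time) SignedConsent {
	return SignedConsent{
		Document:  document,
		SignedAt:  signedAt,
		Place:     place,
		SignerID:  signerID,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, coveredHash(document, signedAt, place, signerID)),
	}
}

// Verify is what an expert (or anyone else holding the record) runs later.
// It needs nothing secret: only the record itself and the public key in it.
func Verify(c SignedConsent) error {
	if len(c.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if !ed25519.Verify(c.PublicKey, coveredHash(c.Document, c.SignedAt, c.Place, c.SignerID), c.Signature) {
		return errors.New("signature does not match document and metadata")
	}
	return nil
}

func main() {
	priv := NewSignerKey()
	// Constructed sample data; the signer ID is a placeholder, not a real identifier.
	signed := Sign(priv, "customer-0001", "I consent to a tattoo on the left forearm.", "Berlin",
		time.Date(2024, 5, 2, 14, 30, 0, 0, time.UTC))
	fmt.Println("original:          ", Verify(signed))

	// "Copy & paste" under another document: the signature no longer fits.
	moved := signed
	moved.Document = "I consent to a full back piece."
	fmt.Println("signature moved:   ", Verify(moved))

	// Backdating the metadata is detected just the same.
	backdated := signed
	backdated.SignedAt = signed.SignedAt.AddDate(0, 0, -7)
	fmt.Println("timestamp changed: ", Verify(backdated))

	// A scanned signature, by contrast, is just pixels: pasted under any other
	// document it looks identical and there is nothing to check it against.
	fmt.Println("signature prefix:  ", hex.EncodeToString(signed.Signature[:8]))
}
```

Verify needs only the record and the public key it carries, which is the “verifiable” property: an expert can re-run it years later without any cooperation from the studio.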

And of course, the processing and storage of such documents (including health data!) must comply with data protection regulations (GDPR). After all, you don’t want your doctor to send your medical history around the world by email:

  • End-to-end encrypted
    Data must be transmitted end-to-end encrypted, i.e. readable only by the sender and the intended recipient. Emails, for example, do not fulfill this criterion: even where the individual hops are protected by TLS, the message lies in plaintext on your provider’s servers, on the recipient’s provider’s servers and on every relay in between, and each of them can read it.
  • DPA in accordance with GDPR
    The (cloud) service provider must confirm in writing, in the form of a data processing agreement (DPA), that it fulfills the GDPR requirements for storing sensitive personal data.
  • Data center location
    The data must not be stored outside the EU at any time, backups included. The data center (DC) must therefore not be located in the USA, for example.
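As an added illustration of what end-to-end encryption means for these documents (example code, not the page’s or kisscal.tattoo’s own), the Go program below encrypts a consent form on the sender’s side for a single recipient key, using X25519 key agreement and AES-256-GCM from the standard library. The provider that stores or forwards the envelope holds only ciphertext and a one-time public key, so it cannot read the document, and any change to the stored data is detected on opening. The SHA-256 key derivation, the envelope layout and the sample text are assumptions made for this example; a production system would use HKDF and a reviewed protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is everything the cloud (or mail) provider ever sees. It carries
// the ciphertext and a one-time public key, but no key that could open it.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte // AES-GCM nonce, fresh for every envelope
	Ciphertext   []byte // AES-256-GCM output, authentication tag included
}

// NewRecipientKey generates the long-term key pair of the party allowed to
// read the documents. Only the private half can open envelopes.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the shared secret into an AES-256 key. Assumption: SHA-256
// over the secret and both public keys, to stay within the standard library;
// a production system would use HKDF here.
func deriveKey(shared, ephemeralPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("consent-envelope-v1"))
	h.Write(shared)
	h.Write(ephemeralPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a document on the sender's device for one recipient. The
// ephemeral private key is dropped after use, so not even the sender can
// decrypt the envelope later: only the recipient's private key can.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, recipientPub.Bytes()))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	// The ephemeral public key goes in as associated data, so replacing it is detected too.
	return Envelope{
		EphemeralPub: ephPub,
		Nonce:        nonce,
		Ciphertext:   gcm.Seal(nil, nonce, plaintext, ephPub),
	}, nil
}

// Open is run only by the recipient. A modified envelope or the wrong private
// key fails the GCM authentication check, and nothing is returned.
func Open(recipientPriv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, env.EphemeralPub, recipientPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil {
		return nil, errors.New("envelope rejected: wrong key or tampered data")
	}
	return plaintext, nil
}

func main() {
	recipient, _ := NewRecipientKey()
	// Constructed sample document; not a real customer record.
	doc := []byte("Consent form: allergies none; medication none; informed for 12 minutes.")
	env, _ := Seal(recipient.PublicKey(), doc)
	fmt.Printf("provider stores %d bytes of ciphertext, no key\n", len(env.Ciphertext))
	back, err := Open(recipient, env)
	fmt.Println("recipient opens:", string(back), err)
	stranger, _ := NewRecipientKey()
	_, err = Open(stranger, env)
	fmt.Println("anyone else:", err)
}
```

Note that the provider’s copy is useless to it even if its storage is later breached, which is the point of end-to-end rather than hop-by-hop (TLS-only) encryption.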

Filing

For the sake of completeness, one small point should be mentioned here. Over the years, a large number of documents accumulate. How do you file them in such a way that you can still find the exact document you need two or three years later? Names change (marriage), dates are postponed.

Let’s be honest: How many of you dare to consistently file even 500 digital documents per year in such a way that you can find every single one at any time? And even if you manage to do this, does this also apply to the other artists in your studio for whom you may be jointly liable?

Without a functioning filing system, you can actually save yourself all the work with the forms.

The practical check

OK, so much for the theory. With this in mind, let’s take a look at a few common ways of handling declarations of consent electronically…

Confirm contracts online with a click

Very hip: The customer must agree to the terms and conditions, data protection agreement and declaration of consent on your website (e.g. with a checkbox) before they can book or confirm an appointment.

The following criteria are not met here:

  • Sole control
  • Identifiability
  • Unchangeable
  • Verifiable
  • Filing possibly not solved

In the event of a dispute, anyone with access to the website’s database, the studio owner included, could subsequently create or alter such a declaration of consent. This could only be ruled out if the website provider were a trust service provider certified by the Federal Network Agency. And even then, the customer’s daughter or wife could still have been the one who ticked the box.

In addition, such a declaration of consent can generally be challenged, because important elements of the agreement are hidden in the so-called small print (linked documents). The hygiene regulations for “piercing and tattoo, cosmetic and pedicure facilities” of most federal states (as of April 2007) also expressly state:

“Informing and advising the customer about possible health risks associated with tattooing and piercing […] must be carried out before each treatment and documented in writing.”

So the information process itself must be documented: Does the customer have allergies? Which ones? Do they take medication? Which ones? What individual risks do they face? How are these dealt with? How long did the consultation take? A checkbox cannot record any of this.

Scan and off to the cloud?

Let’s be honest: you have a proper signature under a (hopefully) proper declaration of consent. Then, in the evening, you stand at the scanner, scan all the paperwork and file it (hopefully) neatly enough to find it again among thousands of documents, and in doing so give up the legal certainty of the original signature in the event of a dispute (unless you keep the paper originals, which puts you right back at the filing cabinet). Because the following criteria are (possibly) not met here:

  • Sole control
  • Identifiability
  • Metadata
  • Unchangeable
  • Verifiable
  • Storage not solved
  • DPA in accordance with GDPR?
  • Data center location?

With a little skill, a signature scanned in this way can be lifted and placed under any other document.

Practical PDFs with signature on the iPad?

But there are also the iPads with Apple’s practical signature function. That should actually be OK, right? No. This function is designed so that you can add your own signature to PDF documents and then forward them: a signature created this way is stored on the iPad independently of the document and can be placed into any other document later. The following criteria are therefore not met here:

  • Sole control
  • Metadata
  • Unchangeable
  • Storage not solved
  • DPA in accordance with GDPR
  • Data center location

I would definitely never sign something like that on someone else’s iPad. I don’t even save my signature on my own iPad, because it has no place in the Apple Cloud. And if a data protection officer gets wind of this, it could be expensive for you.

What does a real solution look like?

Actually quite simple:

  • All agreements and forms are filled out and concluded electronically from the outset, without any detour via a paper form.
  • The signature is made with an advanced electronic signature in accordance with the eIDAS standard. Naturally without any local storage of such signatures.
  • The signature procedure has been verified by a court-certified expert.
  • The documents are encrypted together with the signatures in such a way that only a notary can decrypt the signatures.
  • The signed documents are transferred fully automatically to a GDPR-compliant cloud provider in the EU – end-to-end encrypted, of course.
  • The document is automatically linked to the customer, appointment and artist.
  • All data is automatically backed up daily and protected against loss by mirrored data centers.

This is exactly what we have been working on for you for the last 10 months. You can see the result here (including a short demo video).

Yours,
kisscal.tattoo
