How to incorporate GDPR-compliant informed consent in a PHP portal

Many customers ask us to incorporate electronic signature technology that complies with the GDPR into their solutions or websites. Although we have several products that fit different scenarios, today we are going to focus on one of them, Viafirma Documents, and on one very specific use: the electronic signature of informed consent.

To give some context: consent is one of the basic pillars of any data protection policy. Paragraph 11 of Article 4 of the General Data Protection Regulation (GDPR) tells us that the consent of the interested party is “Any manifestation of free, specific, informed and unambiguous will by which the interested party accepts, whether through a statement or a clear affirmative action, the processing of personal data concerning him”.

That is, the GDPR determines how consent must be given, and it has 4 characteristics:

  • Free consent: It cannot be obtained under any type of coercion, nor can it be made conditional, for example under threat of a reduced service.
  • Specific consent: Granting a general consent, as used to be done, is not appropriate; the purpose of the consent must be specified.
  • Informed consent: The user must be informed of the purpose of the treatment, the name of the person responsible for the treatment, how the data will be treated and the rights of the person.
  • Unambiguous consent: It is consent that has been provided through a statement of the interested party or through a clear affirmative action. The interested party is understood to give this consent when he knows, without a doubt, that he is granting his approval. That is why tacit consent or consent by omission (both based on inaction) is not accepted.

For consent to be valid, the person responsible for the treatment must be able to demonstrate that the interested party consented to the processing of his data. In our case we will use electronic evidence to help us prove it.

There are different ways to sign an electronic document: signature with an electronic certificate, biometric signature, signature by OTP / SMS, plus other evidence such as the geographical location at the time of signing, photographs, the inclusion of annexes, time stamp …


If you have a portal or web application in PHP to manage your clinic and want to generate consent forms based on your own document / template, where your customers can fill in their data and sign, read on…

Let’s try to explain it step by step. The result may be something similar to the image you will find below:

You have the online example available here.

To start, we will use PHP with cURL support, which lets you make requests to remote servers. In our case, we will integrate with the REST services that Viafirma Documents exposes for integrators, which are secured with OAuth; for this we will use the library that you will find in this link. If you prefer, you can download the complete example together with the libraries used.

In our example we will use a single PHP file that we will name demo-consent.php and that we will briefly describe below:

Library and definition of constants:


<pre class="php"><code>
// We define the path to the OAuth libraries indicated above; in our case we
// have left them at the root, inside a folder that we have named library
require_once dirname(__FILE__) . '/library/OAuthRequestSigner.php';

// Constant names must be quoted strings
define('DOCUMENTS_API_URL', "https://sandbox.viafirma.com/documents/api/v3");
define('DOCUMENTS_CONSUMER_KEY', "xxxxx");
define('DOCUMENTS_CONSUMER_SECRET', "xxxxxxxxxx");
</code>
</pre>

The values for DOCUMENTS_CONSUMER_KEY and DOCUMENTS_CONSUMER_SECRET will be provided to us by Viafirma through the contact form on their website for integrators: https://www.viafirma.com/developers/es/

Function send_message()


<pre class="php"><code>
function send_message()
{
    error_reporting(E_ALL);

    // Build the URL of the service to invoke
    $url = DOCUMENTS_API_URL . "/messages/";

    // Access to the services secured with OAuth
    OAuthStore::instance('MySQL', array('conn' => false));

    $req = new OAuthRequestSigner($url, 'POST');

    $fecha = new DateTime();

    $secrets = array(
        'consumer_key'      => DOCUMENTS_CONSUMER_KEY,
        'consumer_secret'   => DOCUMENTS_CONSUMER_SECRET,
        'token'             => "",
        'token_secret'      => "",
        'signature_methods' => array('HMAC-SHA1'),
        'nonce'             => '',
        'timestamp'         => $fecha->getTimestamp(),
    );

    $req->sign(0, $secrets);

    // JSON with the data Viafirma Documents needs, described further below
    $string_json = file_get_contents("./demo_consentimiento.json");

    // Initialise and run cURL
    $ch = curl_init($url);

    // Keep TLS certificate and host name verification enabled: the request
    // carries the OAuth credentials and the reply carries the signing link
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($ch, CURLOPT_POSTFIELDS, $string_json);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    // OAuth header
    $headr = array();
    $headr[] = 'Content-Length: ' . strlen($string_json);
    $headr[] = 'Content-type: application/json';
    $headr[] = '' . $req->getAuthorizationHeader();
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headr);

    $result = curl_exec($ch);
    if ($result === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Request to Viafirma Documents failed: " . $error);
    }

    // Closing
    curl_close($ch);

    $array = json_decode($result);

    // We return the link sent back by Viafirma Documents: the URL to redirect
    // to or to load in an iframe (NombreiFrame.location.href = "link";)
    return $array->notification->sharedLink->link;
}
</code>
</pre>
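The link returned by send_message() ends up in a redirect or an iframe, so it is worth validating before it reaches the page. The following is an added example, not part of the original article or of Viafirma's code; the helper names extract_signing_link() and iframe_script(), the allowed host and the sample responses are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: check the link returned by POST /messages/ before using it.
// $allowedHost is an assumption: the host your Viafirma Documents environment
// serves signing pages from.
function extract_signing_link(string $rawResponse, string $allowedHost): string
{
    // Throws JsonException on malformed JSON instead of silently returning null.
    $data = json_decode($rawResponse, false, 512, JSON_THROW_ON_ERROR);

    $link = $data->notification->sharedLink->link ?? null;
    if (!is_string($link) || $link === '') {
        throw new RuntimeException('Response has no notification.sharedLink.link');
    }

    // parse_url() resolves "user@host" tricks, so compare the parsed host only.
    $parts = parse_url($link);
    if (!is_array($parts)
        || ($parts['scheme'] ?? '') !== 'https'
        || strcasecmp($parts['host'] ?? '', $allowedHost) !== 0) {
        throw new RuntimeException('Signing link is not HTTPS on the expected host');
    }
    return $link;
}

// Build the iframe navigation snippet with both values encoded for a JS context.
function iframe_script(string $link, string $frameName): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return '<script>window.frames[' . json_encode($frameName, $flags)
         . '].location.href = ' . json_encode($link, $flags) . ';</script>';
}

// Constructed sample responses (not captured from the real service).
$ok  = '{"notification":{"sharedLink":{"link":"https://sandbox.viafirma.com/constructed/path"}}}';
$bad = '{"notification":{"sharedLink":{"link":"https://sandbox.viafirma.com@example.test/x"}}}';

echo iframe_script(extract_signing_link($ok, 'sandbox.viafirma.com'), 'NombreiFrame'), PHP_EOL;

try {
    extract_signing_link($bad, 'sandbox.viafirma.com');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```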

demo-consent.json

Although we could define many more variables, this simple .json and a template defined in Viafirma Documents are enough to carry out the example:

<pre class="json"><code>
{
 "groupCode" : "String",
 "workflow" : {
   "type" : "PRESENTIAL"
 },
 "notification" : {
   "text" : "Texto de la petición de firma",
   "detail" : "Detalle de la petición de firma"
 },
  "document": {
    "templateCode": "nombre_plantilla",
    "formRequired": true
  },
 "callbackMails" : "tucorreoderespuesta@xxx.com"
}
</code>
</pre>

Important:

  • Remember to replace the example value of the groupCode attribute with the one provided by Viafirma. The group determines preconfigured behaviour regarding factors such as automatic transfers, style sheets, permissions, etc. It is important that the groupCode matches the group with which you intend to complete your business process.
  • Set document.templateCode to the code of your existing template in Viafirma Documents.
  • In the callbackMails field you can specify an email account, or several separated by commas, which we will automatically notify when your process has finished; the notification may include the signed document as an annex, with a personalized message and style.

Once you have implemented both files, all that remains is to call them from a button on your page or from within your application. This will generate an automatic signature request based on the template defined in Viafirma Documents, as you can see in the example that we include at the beginning of this article.

The result is that from a PHP web page I can get my patients to fill in and sign the consent in an agile and secure way.

We hope you found it useful.

Keep signing with Viafirma!!!