Tax Agency: Frequently Asked Questions (FAQ)

It is the result of applying a fingerprint calculation function or algorithm to certain information (in this case, to some registry data). This is a piece of data (usually much shorter than the information on which it was calculated) with the property that it is unique to the source information and from which it would be “virtually impossible” to find or obtain other alternative information (and even less so that it would be significant) whose fingerprint was the same as that calculated for the original information. That is, if the original information were changed –even slightly–, the fingerprint of the new modified information would also change and would not match the fingerprint obtained for the original information.

Hence its name, because it is as if it were a (“small”) fingerprint that “identifies” the original (“large”) content from which it was obtained.

To all billing, registration and cancellation records generated by the computerized billing system (SIF).

Additionally, non-verifiable invoice issuing systems, as they are required to generate event records, must also calculate the fingerprint or "hash" of these.

The fingerprint or "hash" is calculated on only a few relevant pieces of data from the records. These data are different depending on the type of record generated (registration billing, cancellation billing or event) on which the fingerprint or "hash" is to be calculated. These can be consulted in the document “Details of the technical specifications for the generation of the fingerprint or hash of the records” which can be found on the developers website and on the electronic headquarters of the Tax Agency.

Finally, the result of applying the fingerprint calculation algorithm to the record data will be stored in the record itself as another field. Furthermore, this trace must also be included within the content of the immediately following record that may be generated subsequently, thus forming part of the record chaining mechanism with which the record traceability requirement is implemented.

The fingerprint or hash calculation algorithm to be used is, for the moment, SHA-256 in all cases, that is, for all types of records. Both this and other details and examples of the fingerprint calculation procedure can be consulted in the document “Details of the technical specifications for the generation of the fingerprint or hash of the records” which can be found on the developer website and on the electronic headquarters of the Tax Agency.

The fingerprint or "hash" of a record plays a fundamental role in knowing whether the integrity and unalterability of certain relevant data in the record has been maintained. On the other hand, since the trace of a record must be included in the content of the immediately following record that may be generated later, it is also part of the record chaining mechanism with which the record traceability requirement is implemented.

All SIF are required to calculate and place the fingerprint correctly, chaining the records as required by the corresponding specifications.

That said, the SIF VERI*FACTU are not required to perform fingerprint checks or offer functionalities that allow them to be checked, since they send all their billing records (RF) to the Tax Agency and it is the latter who can do so (and, for this same reason, they are not required to generate event records).

However, in the case of a non-verifiable invoice issuing system, it must also offer the possibility of checking the fingerprints of the generated records that are available to it. Likewise, when generating a new record, you must perform a check on the correct linking of the previous record generated, which includes verifying that the fingerprint of the previous record generated is correct and that the fingerprint chained to it (from the previous record to the previous one) is also correct. This must be done for both billing, registration and cancellation records, as well as for the event records that it generates (remember that non-verifiable invoice issuing systems are required to generate event records).

No. The fingerprint of RF is not part of the data included in the tax "QR" code added to invoices issued by the billing computer systems (SIF) used by those required to issue invoices to which the regulation approved by Royal Decree 1007/2023, of December 5, applies.

Frequently asked questions (FAQ)

Fingerprint or hash

What is a record hash?

Which records need to have their fingerprint or hash calculated?

Should the fingerprint or hash be calculated over the entire record, or if not, what data in the record should be taken into account to calculate it (and where is it stored)?

What fingerprint or hash calculation algorithm should be used? Is there an example available?

What role does the fingerprint or "hash" play in the security and control of records?

Should a billing computer system (BCS) check the generated fingerprints (and when)? Are there any differences in this regard between VERI*FACTU systems and non-verifiable invoice issuing systems?

Should the billing record (RF) fingerprint, or part of it, be included among the data that form part of the tax "QR" code of the invoice, as in TicketBAI?