Security Measures for Automated Files  List ▷ 2020

The Organic Law on Data Protection, or LOPD, It is a statute that is responsible for providing protection to personal data. If you are interested in knowing what are the most important security measures for automated files according to the LOPD, continue reading this listing.

The objective behind the LOPD is protect the personal and family integrity of all people. This through the regulation of the obligations of citizens who deal with personal data.

For this reason, LOPD includes three levels of security cumulative (Low, medium and high) to guarantee the confidentiality of the information.

Know all the low-level security measures for automated files

Know all the low-level security measures for automated files

The low or basic level of LOPD is the one who applies to files that only contain identification data. This includes: address, telephone number, ID, name, emails, nationality, bank details, age, among others.

Below, we collect all the low-level security measures for automated files:

Security document

All users who have access to personal data, must provide their respective roles and obligations in a security document. Everything must be well defined in the documentation. Likewise, it is also necessary to clarify the delegation authorizations and control functions of the data controller.

Notification and management

There must be a management procedure and notification of all events that affect personal data. The type of incidents, when it occurred or detected, who detected the event, to whom it was communicated, consequences and corrective measures must be accurately recorded.

Legal office

The people that develop functions in the legal office they can have access to necessary resources, as long as they are required.

Authorized rights

Must exist mechanisms that guarantee that only users with authorized rights can have access to resources. The personnel registered in the security document have the power to grant, cancel or alter the authorized access, according to the criteria established by the person responsible for the file.

Electronic supports and documents

Those electronic documents and media who have personal information must be inventoried according to the type of information they contain. In addition, only authorized personnel in the security document may have access.

Document output

The output of those electronic documents and supports that contain information of a personal nature, must be authorized by the person responsible for the file, or it must have an authorization registered in the security document.

Transfer of information

Must exist measures that guarantee the prevention of abduction, loss or unauthorized access during the output of the document. This also includes the electronic media.

Measurements in the office

In the case of the legal office, it must have established the correct authentication and identification measures of users who try to access the information system to verify that they have the necessary authorization.


If there is a password-based authentication mechanism, it is necessary to run a process that is in charge of assigning, distributing and storing them to guarantee their confidentiality. The security document must include the change of passwords in a period not exceeding one year.


Weekly, at a minimum, you must establish a procedure for backing up of personal data. Except on occasions when no data updates have been recorded.

Data recovery

In turn, there must be procedures that guarantee, at all times, the data recovery, the reconstruction of them. This in case of loss or destruction.

Recovery procedures

There must be a record in which it is recorded what have been the procedures performed for data recovery. Likewise, it is necessary to indicate who carried out the process, what data was recovered, among other requirements. To execute any procedure, the authorization of the person responsible for the file is essential.

Modification of systems

In case the implementation or modification of the information system, East should not be run on real data. This with the aim of safeguarding personal data. The exception is when the security levels that correspond to the treatment have been ensured and duly recorded in the security document.

List of all medium level security measures for automated files according to the LOPD

List of all medium level security measures for automated files according to the LOPD

Regarding the automated files with medium security level, The low-level provisions must also be considered together to ensure maximum protection.

Next, we present a list of all the medium level security measures for automated files according to the LOPD:

Security managers

In the security document they must be designated one or more security officers. They must be in charge of coordinating compliance with the measures. The designation may apply to all files or data processing. However, this must also be clearly stated in the security document.


When personal data are subjected to the medium level of security, the systems, treatment facilities and information storage must be submitted to an internal or external audit every two years. This in order to verify compliance with security measures.

Check-in and check-out

The law firm must have a check-in and check-out system that allows, directly or indirectly, to identify the type of document. In addition to also knowing the date, time, issuer, number of documents included, type of information, shipping method and the authorized user responsible for receipt.

Unauthorized access

It is necessary to have a mechanism that takes care of limit the number of unauthorized access attempts to the personal data system.

Computer equipment location

Only authorized and designated personnel In the security document you can have access to the location of the computer equipment that is responsible for providing support to the information system.

What types of penalties could be imposed on me if I do not comply with these measures?

What types of penalties could be imposed on me if I do not comply with these measures?

The sanctions imposed by the Organic Law on Data Protection They are established according to the nature of the personal rights that have been affected, the damages caused, the degree of intentionality, the volume of treatments carried out and other relevant circumstances. However, What types of sanctions could be imposed on me if I do not comply with these measures?

Let’s see below:

Minor offenses

The minor infractions are grounds for sanctions between 601.01 euros and 60,101.21 euros. It depends on the gravity.

Some examples are:

  • Failure to apply for registration of the file in the Spanish Agency for Data Protection. (AEPD).
  • Make a data collection without giving prior notification.
  • Ignore to requests for cancellation or rectification.
  • Don’t consider inquiries of the AGPD.

Serious offenses

In the case of serious offenses, the sanctions can range between 60,101.21 euros up to 300,506.25 euros.

Cases include:

  • Failure to register properly of the file to the AGPD.
  • Collect data to use them for a different purpose.
  • Not having consent of people to collect their personal data.
  • Not admit access to files.
  • Preserve indexed data or not to carry out the modification requests.
  • Do not keep the principles or guarantees of the Organic Law on Data Protection.
  • Work with protected data without proper authorization.
  • Do not make notifications provided by the LOPD to the AGPD.
  • Not having the proper security measures to preserve the files.

Extremely serious offenses

In the case of infractions that are extremely serious, the amount of the penalty may increase from 300,506.25 euros up to 601,012.1 euros.

You can be penalized if you incur in cases such as:

  • File creation that reveal data that is protected.
  • Resort to deception or collect data fraudulently.
  • Collect protected data without the authorization of the affected person.
  • Hinder or ignore requests for rectification or cancellation in a systematic way.
  • Breach confidentiality of protected data.
  • Communicate or transfer personal data without being allowed.
  • Not meeting the requests of the AGPD about illegitimate use.
  • Treat the data without guarantees and illegitimately.
  • Ignore the requirements of the AGPD.
  • Send personal data permanently or temporarily, without authorization, to countries that do not have a comparable level of protection.

If you have any questions, leave them in the comments, we will answer you as soon as possible, and it will be of great help to more members of the community. Thank you! 😉

You may be interested:

Leave a Comment