Regulations in Spain relating to data and password protection on the Internet

The Spanish Data Protection Agency (AEPD) has drawn up several rules extending the requirements of the Spanish Data Protection Law (LOPD) in cases where final users and consumers must identify themselves on a web page by creating a username and a password.

When clients can reach a web page and consult their personal data, the Spanish Data Protection Agency considers the web page as an information system and the client or consumer as a user of the information system. In this case, the AEPD states that the passwords must:

  • Not be irreversibly stored (storing the hash)
  • Provide expiration settings
  • Establish a maximum number of incorrect login attempts to reach a medium level of security
  • Register all the accesses and attempts of access to reach a high level of security
  • In the event the client should forget his or her password, it will be impossible for the client to retrieve it. It is recommended to create a new and temporary password that will have to be changed by the user at his or her first opportunity.

As a result, the application of these security measures is mandatory for each database system which is managed with a username and a password. This applies to internal users and employees as well as to the managers of the database.

The failure to have these measures has already led to financial penalties ranging from 1.000€ and 60.000€, depending on the circumstances. Therefore, the rules of the AEPD should be complied with in Spain.

This article is not considered as legal advice

Jesús Sánchez

A Business Law graduate of the Universidad San Pablo (CEU) and a PhD in Consitutional Rights and IT, Jesús Sanchez specialises in IT Law. He is a partner at Áudea, a firm that specialises in the managing the security of information. For any further enquiries please Contact us