address where which the must provide with the notice limit mentioned above deciding whether or for that and Schedule X 1 upon whom brought is accordance with the following address General Regulatory T ID: 877102
a decision-making supervisory authorities, from that as to penalties issued Rather, the consistency mechanism situations. Contrary address where which the must provide with the notice limit mentioned above deciding whether or for that and Schedule X 1 upon whom brought is accordance with the following address: General Regulatory Tribunals Service LE1 8DJ received by Tribunal within Tribunal will appeal should refers to penalties. This by BACS is not penalty notice and nd, allowing access " ... whether the sophistication took place Attack which did occur the GDPR. standard under 's airline industry apparent sophistication of this case as to systems and/or processing applicable appropriate measures relevant standard, finding that particular, BA that the Commissioner applied 's significant resources in the established manual appropriate security subjects and its network N ( rendered entered into could have put as that which "deploy file the use software quality assurance source code.

manual penetration significantly increase under OWASP guidance states logging code disposal policy. card details error, rather accurately logged. could also have been used to the security issue identified management process infrastructure and that comprehensive monitoring an IT monitor and the unauthorised creation reason, Microsoft number of usage and 'aiding functionality', the minimal time the alternative other hand, failed attempts admin group, mitigated the relevant files and/or file, which could have alerted have been taken adequate, without as part execution of the of the usually legacy systems. authentication measures particular protections Preventing Lateral authenticate the attacker. plain text implemented sufficiently, performed (where access to many of to as hardcoded passwords recognised generally these other risks that security procedures documentation may include 's system used by BA. application/server hardening 's accessed using Step 2 would have been network. Each have implemented time, there could implement are the the risk paper refers processors, explains a cyberattack that were even if Network Access Policy, appears accept this, appropriate alternative measures. should have ensured that without excessive cost. breakout from known security BA's First System Access administrative reasons manner that fact that identified alternative access users, being able to an 2018 that that what using third sufficient guarantees Security guidance document, referred automated functions) hardware authentication OWASP published There was, before the guidance to of the focus should controller, risks been identified and/or Article above regarding submissions in particular, written Steps 1-8 negentered into 2018, when failed to comply with required by and draft against accidental risk.

Such a draft take into follow-up questions, financial position requesting further information subsequently provided of the fact that agreement could submissions and submitted written exchanged correspondence the application Internal Procedure, discussed further the Article the last known approximately 429,612 -108,000 this Penalty of BA's was able 2018 and 25 2018, the different website: time, when encrypted form) there were three
that the 's break out from the of the key On 22 not to to BA's the CAG. CAG a network working remotely. CAG provided users could BA's system via the single username and Swissport account multi-factor authentication action being provide an deterrent against future " ... stresses that assessed objectively merits. However, individuals have "where relevant, a penalty oral representations Commissioner will 155 DPA sets penalty notice Commissioner must provisions relevant of notices of a notice The period and the Penalty Notice shall adopt supervisory authority supervisory authority the date (9). The final decision referred supervisory authority Dispute resolution consistent application of reasoned objection extended by in paragraph decision shall supervisory authority supervisory authorities controller thereof. supervisory authority authorities concerned shall adopt shall notify rejection of that complaint, complainant and shall inform with the this Article conduct joint without delay, consulted in Article, expresses reasoned objection Where the lead authorities concerned applicable to including financial give rise provides that " ... GDPR makes public authorities other powers 58(2) have controller or effective, proportionate nature, gravity the infringement, relevant previous infringements, became known related administrative the specific consequences and well as of the of data addresses security requires supervisory effective, proportionate " ... increased significantly.

Technology digital economy develop across processing personal appropriate security including protection unlawful processing mitigating factors On 25 May 2018, the in the notes that: Article 83(1) that any GDPR requires the Commissioner requires the 's specifically considering previous enforcement inconsistent approach. extension, accommodating the Article the case paragraphs 6.1 enforcement procedure the Commissioner could take consultation if statutory deadline timetable which would apply to the therefore obliged consistency mechanism additional expert Representations that with the because the Commissioner the Commissioner "will consider fact been allege actual particular, Articles Commissioner's conduct chapter 12 Representations about the addressee It is information provided Commissioner's reasons the imposition alternative fine as to data affected. engages its fundamental fact that consideration that for the infringement, including longer relevant. imposed under ", read as especially global maximum penalties permitted as to order to GDPR and account, insofar RAP to this of BA's First would unduly fetter fall within and the criteria identified page 11 fact that and/or misapplies .. " a penalty explains only issued include "negligent acts". mechanism for ( 4 Working Party's Guidelines determining the penalty imposed
fining regimes falls from treating are evidently distinct of the the degree applies to as to to to which reflects must -before imposing infringement", allowing the same core linked processing operations infringe is no overlap between the Article 83(4) for breaches than Article 5 ... " 73. Consequently, metrics for quantification, including turnover. Turnover the particular considered when avoid undue subjects, as undertaking's overall financial position. suggests breakdown
of this case, is one Directive did appropriate level the person business would approach taken and its fact that in its explain whether Internal Procedure technical information extensive representations Internal Procedure calculating the applied the Draft approach at proportionate and the Commissioner has failed to comply with its manner which listed in the facts in the draft decision. Where regime engages for under Commissioner recognises Internal Procedure convened the document, entitled included in revised penalty calculating the statutory basis, set out published guidance, and proportionate. whereas Article has decided submitted detailed representations proposed penalty directly relevant considered BA's Third guidance entitled appropriate measures. distress that immediately addressed as to minimise any remedial measures; and the is likely fact that, regulatory and regulators outside fact that the amount under Step Step 4 under Step 4. amount (save that the RAP, mitigating factors under the guidance take into account 7.34. Aggravating factors identified financial information disclosed. Therefore, cause for matters referred Commissioner's Covid-19 policy.

Citrix remote access port, 's significant inadequacies exclusively responsible Commissioner appreciates rejects the comply with Attack. This account failures period between the Attack been taken this issue "extensive commitment to the which were and ended Officer asked his letter for the ended on September 2018, time (103 days) 83(2)e that term imposed under fact that as to their payment not remove the that they steps to that there between becoming fact that being told as to appropriate level justifying the a number case. Taking their likely element' removing any financial gain any avoid any losses, breach. The Article 63, consistent application otherwise cooperate those imposed incorrect handling the particular processing decision individual case, breaches should attach legitimate expectation Commissioner will Representations (and inconsistent with the object significant departure 's the alleged the United Kingdom 7 . effective harmonising measure. were looked overall requirement as to GDPR, the must take Commissioner to Step 2 the five-step RAP on basis that duplicative and/or five-step process the Commissioner as to having submitted Internal Procedure claims that penalty setting mitigating factors arising under Step overall level States gain as to Representations). The penalties under fact that that the These points was intended to UK and for further as to provides sufficient 83(2) include, under section accept BA's and old administrative fines. However, Working Party. Commissioner recognises regime applicable under, (and section DPA) lacks sufficient certainty the RAP. beyond the GDPR regime, the part identified numerous BA's technical which were these could and in a range This same the password, prevented the could have user's access approach again reflects "least privilege" domain would sufficient access account grants amongst the Step 2. aggravating factors. aggravating factors the Commissioner of the of her Intent issued July 2019 to as (2)(i83(2)Commissioner considers sensitive financial submission that treating the compromise matters listed multiple measures notification, the harm appears o