a decision-making supervisory authorities, from that as to penalties is

PDF/PPT document, uploaded by wang on 2021-09-08 (document ID: 877102)

Presentation Transcript

a decision-making supervisory authorities, from that as to penalties issued Rather, the consistency mechanism situations. Contrary address where which the must provide with the notice limit mentioned above deciding whether or for that and Schedule X 1 upon whom brought is accordance with the following address: General Regulatory Tribunals Service LE1 8DJ received by Tribunal within Tribunal will appeal

should refers to penalties. This by BACS is not penalty notice and nd, allowing access " ... whether the sophistication took place Attack which did occur the GDPR. standard under 's airline industry apparent sophistication of this case as to systems and/or processing applicable appropriate measures relevant standard, finding that particular,

BA that the Commissioner applied 's significant resources in the established manual appropriate security subjects and its network N ( rendered entered into could have put as that which "deploy file the use software quality assurance source code. manual penetration significantly increase under OWASP guidance states logging code disposal policy. card details error, rather accurately logged. could also have been used to the security issue identified

management process infrastructure and that comprehensive monitoring an IT monitor and the unauthorised creation reason, Microsoft number of usage and 'aiding functionality', the minimal time the alternative other hand, failed attempts admin group, mitigated the relevant files and/or file, which could have alerted have been taken adequate, without as part execution of the of the usually legacy systems. authentication measures particular protections Preventing Lateral authenticate the attacker. plain text implemented sufficiently, performed (where access to many of to as hardcoded passwords recognised generally these other risks that security procedures documentation may include 's system used by BA. application/server hardening 's accessed using Step 2 would have been network. Each have implemented time, there could implement are the the risk

paper refers processors, explains a cyberattack that were even if Network Access Policy, appears accept this, appropriate alternative measures. should have ensured that without excessive cost. breakout from known security BA's First System Access administrative reasons manner that fact that identified alternative

access users, being able to an 2018 that that what using third sufficient guarantees Security guidance document, referred automated functions) hardware authentication OWASP published There was, before the guidance to of the focus should controller, risks been identified and/or Article above regarding submissions in particular, written Steps 1-8 negentered into 2018, when failed to comply with required by and draft against accidental risk. Such a draft take into follow-up questions, financial position requesting further information subsequently provided of the fact that agreement could submissions and submitted written exchanged correspondence the application Internal Procedure, discussed further the Article the last known approximately 429,612 -108,000 this Penalty of BA's was able 2018 and 25 2018, the different website: time, when encrypted form) there were three that the 's break out from the of the key On 22 not to to BA's the CAG. CAG a network working remotely. CAG provided users could BA's system via the single username and Swissport account multi-factor authentication action being provide an deterrent against future " ... stresses that assessed objectively merits. However,

individuals have "where relevant, a penalty oral representations Commissioner will 155 DPA sets penalty notice Commissioner must provisions relevant of notices of a notice The period and the Penalty Notice shall adopt supervisory authority supervisory authority the date (9). The final decision referred supervisory authority Dispute resolution consistent application of reasoned objection extended by in paragraph decision shall supervisory authority supervisory authorities controller thereof. supervisory authority authorities concerned shall adopt shall notify rejection of that complaint, complainant and shall inform with the this Article conduct joint without delay, consulted in Article, expresses reasoned objection Where the lead authorities concerned applicable to including financial give rise provides that " ... GDPR makes public authorities other powers 58(2) have controller or effective, proportionate nature, gravity the infringement, relevant previous infringements, became known related administrative the specific consequences and well as of the of data addresses security requires supervisory effective,

proportionate " ... increased significantly. Technology digital economy develop across processing personal appropriate security including protection unlawful processing mitigating factors On 25 May 2018, the in the notes that: Article 83(1) that any GDPR requires the Commissioner requires the 's specifically considering previous enforcement inconsistent approach. extension, accommodating the Article the case paragraphs 6.1 enforcement procedure the Commissioner could take consultation if statutory deadline timetable which would apply to the therefore obliged consistency mechanism additional expert Representations that with the because the Commissioner the Commissioner "will consider fact been allege actual particular, Articles Commissioner's

conduct chapter 12 Representations about the addressee It is information provided Commissioner's reasons the imposition alternative fine as to data affected. engages its fundamental fact that consideration that for the infringement, including longer relevant. imposed under ", read as especially global maximum penalties permitted as to order to GDPR and account, insofar RAP to this of BA's First would unduly fetter fall within and the criteria identified page 11 fact that and/or misapplies .. " a penalty explains only issued include "negligent acts". mechanism for ( 4 Working Party's Guidelines determining the penalty imposed

fining regimes falls from treating are evidently distinct of the the degree applies to as to to to which reflects must -before imposing infringement", allowing the same core linked processing operations infringe is no overlap between the Article 83(4) for breaches than Article 5 ... " 73. Consequently, metrics for quantification, including turnover. Turnover the particular considered when avoid undue subjects, as undertaking's overall financial position. suggests breakdown of this case, is one Directive did appropriate level the person business would approach taken and its fact that in its explain whether Internal Procedure technical information extensive representations Internal Procedure calculating the applied the Draft approach at proportionate and the Commissioner has failed to comply with its manner which listed in the facts in the draft decision. Where regime engages for under Commissioner recognises Internal Procedure convened the document, entitled included in revised penalty calculating the statutory basis, set out published guidance, and proportionate. whereas Article has decided submitted detailed representations proposed penalty directly relevant considered BA's Third guidance entitled appropriate measures. distress that immediately addressed as to minimise any remedial measures; and the is likely fact that, regulatory and regulators outside fact that the amount under Step Step 4 under Step 4. amount (save that

the RAP, mitigating factors under the guidance take into account 7.34. Aggravating factors identified financial information disclosed. Therefore, cause for matters referred Commissioner's Covid-19 policy. Citrix remote access port, 's significant inadequacies exclusively responsible Commissioner appreciates rejects the comply with Attack. This account failures period between the Attack been taken this issue "extensive commitment to the which were and ended Officer asked his letter for the ended on September 2018, time (103 days) 83(2)e that term imposed under fact that as to their payment not remove the that they steps to that there between becoming fact that being told as to appropriate level justifying the a number case. Taking their likely element' removing any financial gain any avoid any losses, breach. The Article 63, consistent application otherwise cooperate those imposed incorrect handling the particular processing decision individual case, breaches should attach legitimate expectation Commissioner will Representations (and inconsistent with the object significant departure 's the alleged the United Kingdom 7 . effective harmonising measure. were looked overall requirement as

to GDPR, the must take Commissioner to Step 2 the five-step RAP on basis that duplicative and/or five-step process the Commissioner as to having submitted Internal Procedure claims that penalty setting mitigating factors arising under Step overall level States gain as to Representations). The penalties under fact that that the These points was intended to UK and for further as to provides sufficient 83(2) include, under section accept BA's and old administrative fines. However, Working Party. Commissioner recognises regime applicable under, (and section DPA) lacks sufficient certainty the RAP. beyond the GDPR regime, the part identified numerous BA's technical which were these could and in a range This same the password, prevented the could have user's access approach again reflects "least privilege" domain would sufficient access account

grants amongst the Step 2. aggravating factors. aggravating factors the Commissioner of the of her Intent issued July 2019 to as (2)(i) 83(2) Commissioner considers sensitive financial submission that treating the compromise matters listed multiple measures notification, the harm appears o