BA was the controller of the personal data of its customers, within the meaning of section 6 of the English Data Protection Act 2018 (DPA) and Article 4(7) GDPR, as it determined the purposes and means of the processing of the personal data. By, inter alia, collecting, recording, organizing, structuring and storing the personal data of its customers, BA was processing that data within the meaning of section 3(4) DPA and Article 4(2) GDPR.
The Commissioner has found that BA failed to process the personal data of its customers in a manner that ensured appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures, as required by Article 5(1)(f) and by Article 32 GDPR.
The Commissioner has also found that, in all the circumstances of the case and having regard to BA’s representations and the matters listed in Article 83(1) and (2) GDPR, the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate. The amount of the penalty that the Commissioner decided to impose, having taken into account a range of mitigating factors and the impact of the Covid-19 pandemic, is £20m.
For further information or clarifications regarding GDPR, please contact S. Dionysiou & Partners LLC at firstname.lastname@example.org / +357 22 272360.
(source: ico.org.uk)