
The United Kingdom’s Information Commissioner’s Office (“ICO”) has proposed two penalties, of £99.2 million and £183.39 million (approximately €110 million and €204 million, respectively), under the EU’s General Data Protection Regulation (“GDPR”) for personal data security breaches.

For the first time, the proposed penalties were calculated by reference to the turnover percentages established under article 83.5 of the GDPR.

Article 83 sets two tiers of maximum fine. For the infringements listed in article 83.4, the cap is €10 million or 2% of the undertaking’s total worldwide annual turnover for the preceding financial year; for the most serious infringements, listed in article 83.5, it rises to €20 million or 4% of that turnover. In both tiers the applicable maximum is whichever of the two figures is higher.

The first proposed penalty is against Marriott International, one of the world’s largest hotel chains. The proposal arises from the ICO’s investigation of an intrusion that began in 2014, although it was not discovered, and reported to the ICO, until 2018.

According to the ICO, the security breach originated in the systems of Starwood Hotels & Resorts Worldwide, a company Marriott International agreed to acquire in 2015 (the deal closed in 2016), and may have affected the personal data of up to 500 million customers worldwide, including around 30 million European Union residents. The compromised data included names, addresses, phone numbers, email addresses, passport numbers, travel itineraries and, in some cases, payment card information.

The proposed €110 million fine represents 2.4% of Marriott International’s total revenue.

The second proposed fine is against the airline British Airways, part of the IAG group, following the theft of customer data from the airline’s website. The proposal follows a cyberattack suffered by the company in 2018 that, according to the ICO, could have affected the personal data of up to 500,000 passengers.

Specifically, the breach affected customers who made reservations through the website and paid by card between April 21 and July 28, 2018. During that period, the attackers harvested customer names, addresses, email addresses and payment card details as they were entered on the site.

In this case, the fine proposed by the UK authority is equivalent to 1.5% of British Airways’ worldwide turnover for the financial year ended December 31, 2017.

These proposed fines stand in contrast to the far smaller penalties imposed on Uber for the unauthorized access to the personal data of 57 million users worldwide: the United Kingdom, France and the Netherlands fined that company €433,818, €400,000 and €600,000, respectively.

By Marta Zaballos and Alejandro Negro

Published on the Cuatrecasas blog. Cuatrecasas is one of the leading business law firms in Spain and Portugal; it represents some of the main listed companies in both countries and advises its clients on strategic transactions, as well as foreign investors interested in the Iberian market.