The UK Information Commissioner's Office (ICO) said BA would be fined a "record" £20 million ($25 million, 22 million euros), considerably less than the proposed amount totaling £183 million.
"As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty," the watchdog said in a statement.
The proposed amount was announced in July last year after computer hackers in 2018 stole bank details from hundreds of thousands of British Airways passengers.
The ICO on Friday repeated its finding that BA had infringed European Union (EU) data protection rules, or GDPR.
"Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR," Friday's statement said.