H&M has been handed a €35.3 million fine by German authorities after breaching General Data Protection Regulation (GDPR) rules by collecting employees' private data.
The landmark ruling issued by the Hamburg representative for data protection and freedom of information (HmbBfDI) is the largest ever fine imposed on a private company for violations of GDPR.
The HmbBfDI launched an investigation into the retail giant after it was reported that the personal data of ‘several hundred employees’ at the H&M service centre in Nuremberg was being collected by management for monitoring purposes.
The investigation found that since 2014, records of personal information including details of living circumstances of employees had been stored permanently, in violation of their rights under GDPR.
A statement from the HmbBfDI, issued in German, said: "After absences from vacation and illness - even short ones - the superior team leaders held a so-called 'welcome back talk'. After these discussions, not only were specific vacation experiences of the employees recorded, but also symptoms of illness and diagnoses.
“In addition, some superiors acquired a broad knowledge of the private life of their employees through one-on-one and corridor discussions, which ranged from harmless details to family problems and religious beliefs.”
Details of these conversations were partially recorded, stored digitally and were sometimes readable by up to 50 other managers throughout the company, the regulator found, with information on performance and other metrics used in employment assessments.
“The combination of researching private life and the ongoing recording of what activity they were engaged in led to a particularly intensive interference with the rights of those affected,” the statement read.
The data collection became known because the notes were accessible company-wide for a few hours due to a configuration error in October 2019.
Following the discovery, H&M has undertaken several remedial measures at the Nuremberg service centre.
The statement from the HmbBfDI said that company management had “apologised expressly to those affected” in addition to a suggestion to pay the employees “a considerable amount of non-bureaucratic damages”, in what the regulator said was an “unprecedented commitment to corporate responsibility after a data protection breach”.
Other components of H&M's data protection upgrade include a newly appointed data protection coordinator and monthly data protection status updates.
Johannes Caspar, the Hamburg commissioner for data protection and freedom of information, said: "The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg - the amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees.
"The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive," he continued, adding: "The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company."