H&M fined €35.3m over GDPR breach

H&M has been handed a €35.3 million fine by German authorities after breaching General Data Protection Regulation (GDPR) rules by collecting employees’ private data.

The landmark ruling issued by the Hamburg representative for data protection and freedom of information (HmbBfDI) is the largest ever fine imposed on a private company for violations of GDPR.

The HmbBfDI launched an investigation into the retail giant after it was reported that the personal data of ‘several hundred employees’ at the H&M service centre in Nuremberg was being collected by management for monitoring purposes.

The investigation found that since 2014, records of personal information including details of living circumstances of employees had been stored permanently, in violation of their rights under GDPR.

A statement from the HmbBfDI, in German, stated: “After absences from vacation and illness - even short ones - the superiors team leaders held a so-called 'welcome back talk', after these discussions, not only were specific vacation experiences of the employees recorded, but also symptoms of illness and diagnoses.

“In addition, some superiors acquired a broad knowledge of the private life of their employees through one-on-one and corridor discussions, which ranged from harmless details to family problems and religious beliefs.”

Details of these conversations were partially recorded, stored digitally and were sometimes readable by up to 50 other managers throughout the company, the regulator found, with information on performance and other metrics used in employment assessments.

“The combination of researching private life and the ongoing recording of what activity they were engaged in led to a particularly intensive interference with the rights of those affected,” the statement read.

The data collection became known because the notes were accessible company-wide for a few hours due to a configuration error in October 2019.

Following the discovery, H&M has undertaken several remedial measures at the Nuremberg service centre.

The statement from the HmbBfDI said that company management had “apologised expressly to those affected” in addition to a suggestion to pay the employees “a considerable amount of non-bureaucratic damages”, in what the regulator said was an “unprecedented commitment to corporate responsibility after a data protection breach”.

Other components of H&M's data protection upgrade include a newly appointed data protection coordinator and monthly data protection status updates.

Johannes Caspar, the Hamburg commissioner for data protection and freedom of information, said: “The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg - the amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees.

“The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive," he continued, adding: "The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company."
