€35m GDPR Fine for H&M in Germany

In Hamburg, Germany, the data protection authority announced that H&M – The second largest retail in the world – has been fined €35.2M ($41.3M) for breaching the European Union’s General Data Protection Regulation in relation to the monitoring of hundreds of their staff by a German subsidiary.

Data protection authority, HmbBfDl issued a statement last Thursday, from Professor Dr Johannes Caspar, Hamburgs commissioner for Data Protection and Freedom of Information, which said – “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is, therefore, adequate and effective to deter companies from violating the privacy of their employees”.

It continued – “Some supervisors acquired broad knowledge of employees’ private lives through one-on-one conversations that included discussions about “family issues and religious beliefs. Since at least 2014, parts of the [H&M Germany] workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive.”

It has been revealed that the staff were subject to, after a small period of absence like vacations and sick leave, a ‘Welcome Back Talk’ by team leaders. These sessions were recorded with every detail of the employee’s period away from the office and was put on file. In addition to this information being stored, it was discovered that some supervisors also added more personal aspects of the employees lives to the data. A portion of this was digitally stored at a location where it was accessible by up to 50 other managers throughout the organization.

HmbBfDl said: “In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

Roughly a year ago, this process was originally identified after data collected by supervisors could be accessed for some hours after a configuration error. H&M released a small statement saying that “the breach was related to storage of employees’ personal data at the service center, and H&M reported it immediately to the data protection authority in Hamburg. H&M has fully cooperated with the authority during the process.”

The GDPR penalty regarding this breach of privacy is among the largest ever sanctions and H&M is considering the next steps it might make. A spokesperson has stated: “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions. H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg.”

Prior to the investigation of this breach, a number of resolving steps were put in place, including – 

• Staff changes at executive at the in Nuremberg office
• New directives for for management and more training on data privacy and labor legislation
• Establishment of a new position to focus on audits, training and all data privacy issues/processes
• Better data cleansing measures

H& M said: “A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area. In addition, H&M has decided that all currently employed at the service center, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation.”