H&M hit with €35.3m GDPR fine for snooping on employees

Swedish multinational clothes retailer H&M has been fined €35.3m under the GDPR by Hamburg’s data protection commissioner for snooping and storing information on employees at one if its subsidiaries. Hamburg’s commissioner for data protection and freedom of information said the case centred around the monitoring of several hundred employees at H&M’s service centre in Nuremberg. It explained that members of the workforce were subjected to “extensive recording of details about their private lives” between 2014 and when the case came to light five years later. Following staff absences for things like holidays and sick leave, the service centre’s supervising team leaders conducted “welcome back talks” with employees. These uncovered information about vacations, symptoms of illness and diagnosis. Some supervisors also got a “broad knowledge” about their employees’ private lives through other chats, with information ranging from “rather harmless details to family issues and religious beliefs”, explained Hamburg’s watchdog. Some of this information was recorded, stored digitally and partly readable by up to 50 managers throughout H&M. The data was partly used to make employment decisions. Hamburg’s data commissioner said the combination of “collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights”. "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees,” said professor Dr Johannes Caspar, Hamburg's commissioner for data protection and freedom of information. The data breach was made public by press reports in October 2019. The commissioner then investigated about 60 gigabytes of data and interrogated witnesses before coming to its decision. The fine is one the biggest ever under the GDPR. Last year, France’s data protection regulator fined Google €50m. There are two pending fines in the UK – on Marriot Hotels of £99m and British Airways (BA) of £183.4m. However, BA expects to get a huge reduction in its penalty and has set aside just £20m. H&M said it will review the GDPR decision by Hamburg’s data regulator “carefully”. The firm stressed it has fully cooperated with the investigation and has been praised by Hamburg’s data commissioner for its response. H&M has promised financial compensation for all staff currently employed at the service centre, or anyone who has worked there for more than a month since May 2018, when the GDPR came into force. “This is an unprecedented acknowledgement of corporate responsibility following a data protection incident,” said Hamburg’s watchdog. H&M said it takes full responsibility for the breach and wishes to make an “unreserved apology” to the employees at the service centre. The company has implemented several measures since the incident was discovered, to better ensure data privacy compliance. These include personnel changes in the service centre’s management. H&M has also developed additional data privacy and labour law training for leaders. The company has revised instructions for managers and enhanced data cleansing processes. In addition, it has created a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes.

H&M hit with €35.3m GDPR fine for snooping on employees

Want to read this article?

Read Next

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Want to read this article?

Read Next

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Related Articles