H&M GDPR Fine

H&M receives a 35.3M euro fine for keeping records of employees' private living conditions

Because several hundred employees of the H&M service centre in Nuremberg were monitored by the centre management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 euros against H&M Hennes & Mauritz Online Shop AB & Co. KG.

The company, based in Hamburg, operates a service centre in Nuremberg. Since at least 2014, extensive records of the private living conditions of some of the employees have been kept. The corresponding notes were saved permanently on a network drive. After vacation and illness absences, even short ones, the supervising team leaders held a so-called Welcome Back Talk. After these talks, not only were the employees' specific vacation experiences recorded, but also symptoms of illness and diagnoses. In addition, some superiors acquired a broad knowledge of the private lives of their employees through one-on-one and corridor conversations, ranging from harmless details to family problems and religious beliefs. Some of these findings were recorded, stored digitally, and were sometimes readable by up to 50 other managers throughout the company. The records were sometimes made with a high level of detail and updated over time. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to build a profile of the employees for measures and decisions in the employment relationship.

The data collection became known because the notes were accessible company-wide for a few hours in October 2019 due to a configuration error. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the content of the network drive to be completely “frozen” and then requested that it be handed over. The company complied and submitted a data set of around 60 gigabytes for analysis. After the data had been analyzed, the questioning of numerous witnesses confirmed the documented practices.

The discovery of the significant violations prompted those responsible to take various remedial measures. A comprehensive concept was presented to the HmbBfDI on how data protection is to be implemented at the Nuremberg location from now on. In order to come to terms with past events, the company management not only apologized expressly to those affected. It is also following the suggestion to pay the employees considerable compensation in an unbureaucratic manner. This is an unprecedented commitment to corporate responsibility after a data protection breach. Other components of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates,

Prof. Dr. Johannes Caspar, the Hamburg commissioner for data protection and freedom of information: “The present case documents a serious disregard for employee data protection at the H&M Nuremberg location. The amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees.

The efforts of the group management to compensate those affected on-site and to restore trust in the company as an employer are to be rated expressly positive. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company.”

Original article: Datenschutz-Hamburg
