H&M Fined €35m in Germany for GDPR Breaches Related to Staff Record Keeping

In Germany the data protection authority located in Hamburg has announced that H&M, the second biggest retailer in the world, is being fined €35.2 (US $41.3m) for breaching the European Union’s General Data Protection Regulation in relation to the monitoring of several hundred staff member by a German subsidiary.

The data protection authority, HmbBfDI, issued a statement on Thursday, from Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, which said: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is, therefore, adequate and effective to deter companies from violating the privacy of their employees”.

It went on: “Some supervisors acquired broad knowledge of employees’ private lives through one-on-one conversations that included discussions about “family issues and religious beliefs. Since at least 2014, parts of the [H&M Germany] workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive.”

It was revealed that employees were subject to, after a period of absence such as vacations and sick leave, a ‘Welcome Back Talk’  with supervising team leaders with the employees. These sessions were record with all details of the period away from the office put on file. Additionally, it was discovered that, in some of these sessions, supervisors recorded more in-depth details related to staff members’ private lives. A portion of this was digitally stored at a location where it was accessible by up to 50 other managers throughout the organization.

HmbBfDI said: “In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

Around a year ago this process was first identified after the data collected could be accessed for some hours following a configuration error. H&M released a statement explaining that “the breach was related to storage of employees’ personal data at the service center, and H&M reported it immediately to the data protection authority in Hamburg. H&M has fully cooperated with the authority during the process.”

The GDPR penalty if among the largest ever sanctions and H&M is now considering the next steps that it will take. A spokesperson stated: £The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions. H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg.”

Following the identification of the breach a number of remediative steps were put in place including:

Since initial discovery and reporting of the incident, H&M said it immediately made several improvements at the Nuremberg service center.

Among the specific actions H&M has implemented include:

  • Staff changes at executive at the in Nuremberg office
  • New directives for for management and more training on data privacy and labor legislation
  • Establishment of a new position to focus on audits, training and all data privacy issues/processes
  • Better data cleansing measures

H& M said: “A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area. In addition, H&M has decided that all currently employed at the service center, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation.”