Regulator issues €35.3m fine against H&M for data protection violation
The Hamburg Commissioner for Data Protection and Freedom of Information has issued a €35.3m fine against H&M for data protection violations.
The Hamburg Commissioner for Data Protection and Freedom of Information (the "Regulator") has issued a €35.3m fine against H&M for data protection violations. The fine is the largest financial penalty imposed in Germany under the GDPR (and the second largest ever imposed under the GDPR). H&M is registered in Hamburg and operates a service centre in Nuremberg. The case concerned the monitoring of hundreds of employees at the Nuremberg service centre.
In October 2019, H&M identified a security breach at the service centre which resulted in personal data becoming accessible to the whole company for several hours. H&M reported this breach to the Regulator. This led the Regulator to launch an investigation into H&M's service centre. The investigation involved an analysis of 60GB of data, witness interviews, and a review of H&M's policies.
The Regulator found that since at least 2014, H&M had been collecting and storing extensive personal data about its employees' private lives. This included information relating to employees' vacation experiences, symptoms of illness, diagnoses, family issues and religious beliefs. This data was collected via "Welcome Back Talks" after an employee was absent (even for short absences), and informal talks with supervisors. The data was then recorded (in a high level of detail) on H&M's computer system, where it was accessible to up to 50 managers. The data was kept up to date over a long period of time, showing the development of the relevant issues for each employee. The data was used for the evaluation of employees and to build a detailed profile of each employee for measures and decisions regarding their employment.
The Regulator noted in its press release, that "the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees' civil rights." H&M took responsibility for the data breach, worked with the Regulator and apologised to its employees. H&M also reports that it has implemented a comprehensive action plan including:
"Personnel changes at management level at the service centre in Nuremberg
Additional training for leaders in relation to data privacy and labour law
Revised instructions for managers
Creation of a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes
Enhanced data cleansing processes
Improved IT solutions supporting compliant storage of personal data, training and leadership."
In addition, H&M is compensating all of the employees currently based at the service centre and all those who were employed there for at least one month since May 2018, when the GDPR came into force. The Regulator noted that H&M's decision to "follow the suggestion to pay the employees a considerable compensation... is an unprecedented acknowledgement of corporate responsibility following a data protection incident."
This enforcement action emphasises that companies in all sectors carry considerable GDPR enforcement risk; it is not limited to those sectors perceived as being at high risk of enforcement (such as technology and travel). It also shows that a self-reported security incident can trigger a wider investigation into an organisation's underlying data processing practices, which in this case, rather than the breach itself, attracted the fine.