H&M fined 35 million euros for collecting data from employees

Clothing chain H&M has to pay a fine of 35 million euros in Germany for violating the privacy of its staff. The violations began in 2014 and continued until after the GDPR came into effect. The retailer kept detailed information about its employees, and the originally Swedish company was fined by the local data protection authority in Hamburg, Germany. Hennes & Mauritz has to pay 35,258,707.95 euros for violations at its service center in Nuremberg, which took place from 2014 onwards.

In the center, "extensive information about employees' private lives was centrally collected," says the Hamburg regulator. Employees who returned from a holiday, an illness or even a short period of absence were given a 'welcome back conversation' with their supervisor. Those conversations recorded what the employees had done during their vacations, as well as the symptoms of illness and the diagnoses they had received. Other conversations also recorded many details about the employees' private lives, such as family matters and religious beliefs, according to the regulator. That information was stored on a network drive that at least fifty managers had access to. The information was used, among other things, to carry out work evaluations.

The data collection came to light in October last year. Due to a configuration error, the data was briefly accessible to everyone within the group. The regulator then started an investigation. H&M handed over a total of more than 60 gigabytes of information for the investigation and apologized to employees afterwards. The company has also drawn up a new plan to better organize data protection. It states, among other things, that a new data protection coordinator will be hired, that there will be monthly status updates, that there will be better protection for whistleblowers, and that employees will be entitled to compensation. This compensation is paid in addition to the fine.

To qualify for it, employees must have been employed for at least one month since May 2018, when the European privacy law came into effect. The amount of the compensation is not yet known. The fine itself is the highest that has been awarded under the GDPR in Germany. In all of Europe, it is the second highest fine, after Google's of 50 million.