H&M has to pay a fine of 35 million euros in Germany for violating the privacy of its staff. The violations began in 2014 and continued after the GDPR came into effect. The retail chain kept detailed information about its employees.
The originally Swedish retail chain was fined by the local data protection authority in Hamburg, Germany. Hennes & Mauritz has to pay 35,258,707.95 euros for violations at its service center in Nuremberg, which date back to 2014. In the center, “comprehensive information about employees’ private lives was centrally collected,” says the Hamburg regulator. Employees who returned from vacation, sick leave or even a short absence were given a ‘welcome back conversation’ with their supervisor. During those conversations, supervisors recorded what the employees had done during their vacations, and what symptoms of illness and diagnoses they had received.
In other conversations too, according to the regulator, many details about the employees’ private lives were stored, such as family matters and religious beliefs. That information was kept on a network drive that at least fifty managers had access to, and it was used, among other things, to carry out work evaluations.
The data collection came to light in October last year. Due to a configuration error, the data was then available to everyone within the group for a short time. The regulator then started an investigation. H&M transferred a total of more than sixty gigabytes of information for that investigation.
H&M apologized to employees following the investigation. The company has also drawn up a new plan to better organize data protection. It states, among other things, that a new data protection coordinator will be hired, that there will be monthly status updates, and that there will be better protection for whistleblowers.
Employees are also entitled to compensation, which is paid separately from the fine. To qualify, employees must have been employed for at least one month since May 2018, when the European privacy law came into effect. The amount of the compensation is not yet known.
The amount is the highest fine imposed under the GDPR in Germany to date. In all of Europe, it is the second-highest, after Google’s fine of 50 million.