GDPR: EUR 35 million fine for H&M’s German service centre

At the beginning of October, the Hamburg Data Protection Authority imposed a fine of no less than EUR 35.3 million on H&M’s service centre in Nuremberg because the Swedish fashion chain had violated the privacy of its employees by storing extensive private data.

In particular, it involves a great deal of sensitive data, such as symptoms of illness or medical diagnoses, but also information relating to relationship problems and religious beliefs. This range of detailed data would be taken into account when making certain employment decisions. However, the GDPR prohibits the processing of sensitive data and always requires a legal ground  and an exception in order to do so.

Facts

H&M had the habit of organising “welcome back talks” between the employees and the team leader after each absence of an employee (holiday, illness, brief absence, etc.). In these conversations, various things were discussed, such as the cause of the absence, holiday experiences, etc. The data obtained from these conversations were stored, in whole or in part, on a digital platform to which about fifty managers had access. At least since 2014, the company has recorded extensive details about the private lives of their employees in this way. In short, the company acquired a wide range of highly sensitive data about some 700 employees. In addition, information resulting from private conversations, such as an informal chat during the lunch break, would also be kept in the file.

The stored data would be used, among other things, to form a profile of the employees on which, next to performance-related evaluations, some employment decisions would be based, such as whether or not to renew a contract.

Data leak

The fact that this data was collected was revealed when the information became unintentionally available for a few hours to all employees throughout the company as a result of a configuration error in the digital system. The Hamburg Data Protection Commissioner launched an investigation after this leak was reported.

Decision

Although H&M had always been cooperative and had announced that it would grant financial compensation to the affected employees, the Hamburg Data Protection Authority imposed a fine of EUR 35,258,707.95 on the company. According to the Commissioner, this amount is justified in view of the fact that the investigation into employees’ private lives and the constant recording and updating of these data violated the employees’ rights in a particularly far-reaching way. It is emphasised that a fine of this size is therefore appropriate and is at the same time an effective way of deterring other employers from violating the privacy of their employees.

In order to respond to its misconduct, H&M has not only apologised extensively but has also followed the suggestion of offering compensation to the affected workers who have been employed for at least one month since May 2018, when the GDPR became applicable. The latter is a novelty in this context but receives a great deal of positive support because it clearly shows the intention to give the employees the respect and recognition they deserve as workers, according to the Hamburg supervisor. In addition, the company has also launched an action plan to improve internal audit practices in order to ensure compliance with data protection rules.

As far as is known, H&M will not challenge the decision and the ruling is final.

Action point 

As the GDPR is a European legal framework, this decision is also relevant for Belgian employers. As an employer, be careful not to keep any data that is not necessary or cannot be justified in the context of the employment relationship, in particular, data that the GDPR classifies as sensitive, such as information on health data, political opinions, religious beliefs, ethnic origin,...