GDPR non-compliance: Multinational clothes retailer fined more than €35 million 

Clothes retailer H&M has been fined more than €35 million in relation to employee record-keeping practices – the highest financial penalty imposed in Germany to-date in relation to non-compliance with the General Data Protection Regulation (GDPR).

The data protection authority for the state of Hamburg said the company had, at a service centre in Nuremberg, engaged in “extensive recording of details about [employees’] private lives”. The information collected included “concrete vacation experiences” and “symptoms of illness and diagnoses” following employee absences, as well as other information ranging from “harmless details to family issues and religious beliefs”.

The practices came to light after the information, stored on the company’s network, became temporarily accessible to staff for several hours in October 2019, prompting the Hamburg authority to open an investigation.

“In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment,” the Hamburg authority said in a statement. “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

H&M has apologised for the practices, which is said were “not in line” with its guidelines and instructions. The company said it taken a number of actions in light of the practices coming to light, including making changes in management at the service centre and providing additional training for leaders in relation to data privacy and labour law.

Employees who work or previously worked at the service for at least a month since the GDPR came into force in May 2018 will receive financial compensation, H&M also confirmed.

“H&M Group wants to emphasise its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority,” the company said in a statement. “The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.”

It is as yet unclear whether H&M will appeal against the Hamburg authority’s fine. The company said it will “now review this decision carefully”.

Professor Dr Johannes Caspar, Hamburg’s commissioner for data protection, said the level of the fine imposed was an “adequate” penalty for H&M’s actions in this case and would also be “effective” to deter other companies from violating the privacy of their employees. He said it was positive that H&M had chosen to compensate those affected by the practices at the service centre.

“The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company,” Caspar said.

Source: Pinsent Masons

---