Swedish fashion retailer H&M has been fined €35.3m under the EU General Data Privacy Regulation (GDPR) in Germany after collecting details on the personal lives of several hundred employees.

The Hamburg Commissioner for Data Protection and Freedom of Information announced yesterday that “parts of the workforce have been subject to extensive recording of details about their private lives” since 2014.

The data protection organisation said that information about employees working at a service center in Nuremberg was stored on a network drive, including details of their private lives such as family issues, symptoms of illness and religious beliefs

This information was gathered during “Welcome Back Talks” following employee absences and through conversations with supervisors.

Some of this data was accessible by up to 50 managers and was collected in order to “obtain a detailed profile of employees for measures and decisions regarding their employment”, according to the privacy watchdog, which described the incident as “a particularly intensive encroachment on employees’ civil rights”.

H&M reported the incident to the data protection authority in October 2019 after the data became accessible company-wide for a number of hours. In a statement the company said:

“After the incident was discovered and reported, H&M immediately initiated far-reaching measures in the Nuremberg service center. To improve this, a comprehensive action plan was put in place to improve internal audit practices, to ensure compliance with data protection regulations and to strengthen the knowledge of managers to ensure a safe and data protection-compliant work environment, as well as additional training for employees and managers in this area.”

The company is also offering financial compensation to current employees and those that have worked at the Nuremberg Service Center for at least one month since GDPR came into force. It highlighted that the processing of employee data in the Nuremberg Service Center did not comply with the guidelines.

Commenting on H&M’s response to the incident, Professor Dr Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information said that “the transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve”.

Dr Francis Gaffney, Director of Threat intelligence at Mimecast said:

“GDPR is not just something else an organisation needs to comply with, but rather benefit from the behaviours GDPR is designed to encourage. Organisations shouldn’t view regulation such as this as a burden and start to view it through the lens of their customers, partners, or employees. If someone trusts you with their data, you owe it to them to be completely honest about what data you are collecting and to protect it, know exactly how (and where) it is stored, and who can access that data.

“Many organisations are having to pay penalties for such data breaches and it is only afterwards that the true cost of a breach is realised and those previously perceived potential savings from not investing in security and data management solutions is trivial compared to the significant financial penalties. Furthermore, it is often the case that the damage to the organisation’s reputation and branding dwarfs the fine imposed.”


Read more: GDPR fines: €114m so far, but far more expected.