H&M fined £32 million for intrusive employee surveillance

German wing of the fashion retailer violated GDPR by chronicling and sharing employee holiday experiences

Fashion giant H&M has been issued a €35 million fine (roughly £31.9 million) by a German data protection regulator for violating the privacy of its employees through the unlawful collection and use of their personal data.

Employees at a Nuremberg-based operations centre, belonging to a German branch of H&M, had details of their private lives extensively recorded since 2014, a practice that has been found to be in breach of GDPR.

Those who had taken a leave of absence, regardless of its length, were subject to routine ‘welcome back’ meetings during which holiday experiences, as well as symptoms of illnesses and diagnoses, were recorded by the company.

Some supervisors were also said to have gained a broad knowledge of their workers' private lives through informal personal conversations, including details of workers' home lives, serious family issues, and even their religious beliefs.

Much of this information was stored digitally and was readable, in part, by up to 50 other managers throughout the branch of the company.

These details were used to build a comprehensive profile of each individual, which also included meticulous evaluations of work performance. These profiles ultimately informed decisions about their employment.

"This case documents a serious disregard for employee data protection at the H&M site in Nuremberg," said the Hamburg commissioner for data protection and freedom of information, Prof Dr Johannes Caspar. "The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.

“Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”

The regulator became aware of the practice in October 2019, after a configuration error made the roughly 60GB dataset accessible to the entire company. The regulator ordered the contents of the network drive to be frozen and the data to be handed over in full for evaluation.

Managers at the company told the regulator that the data was collected to refine the profiles held on staff and to support "measures and decisions regarding their employment".


H&M is likely to have a right to appeal the €35,258,707.95 fine issued under GDPR, which could see the figure reduced in future.

The UK's Information Commissioner's Office (ICO), for instance, has yet to collect the £183 million and £99 million 'fines' it levied against BA and Marriott in 2019; at the time it issued only a "notice of intent" to fine the companies. IT Pro has sought clarity on this point.
