The Hamburg data protection authority has imposed a fine of 35 million euros on H&M for systematic violations of the General Data Protection Regulation (GDPR). H&M recorded special categories of personal data (health data, religious beliefs) of hundreds of employees who had been temporarily absent from work.
Whenever employees at the chain's service centre in Nuremberg returned from an absence, whether a (brief) illness, a holiday or simply time off, managers would hold a so-called 'Welcome Back Talk'. In these talks they took notes on what the employees had done during their absence, what symptoms of illness they had had and what diagnoses they had received. Notes were also kept on employees' family circumstances and religious beliefs. These notes were then stored on a network drive, accessible online, to which around 50 other managers had access. From 2014 onwards the notes were updated frequently to track developments in the employees' private lives, and H&M subsequently used this information to evaluate employees.
In October 2019 the data collection came to light because, due to a configuration error, the network drive was readable by all employees for a few hours. After the Hamburg supervisory authority had been informed, H&M was ordered to hand over all data on the network drive. The files on the drive containing employees' personal data amounted to about sixty gigabytes in total.
H&M has since apologized and will pay the affected employees damages. In addition, it has introduced a new data protection programme consisting of a data protection officer, monthly updates on the status of personal data protection, improved protection for whistle-blowers, and a consistent policy for employees' right of access to their data.
The fine imposed on H&M is the highest imposed in Germany to date for a GDPR violation. In Europe it ranks second only to the 50 million euro fine imposed on Google.
Source: press release of the Hamburg supervisory authority.