H&M Group has been fined €35.3m (£32.1m) by an information commissioner in Germany for intrusive data collection and analysis of the activities of hundreds of employees.
It is the largest fine issued for an employment-related privacy breach since the General Data Protection Regulation (GDPR) came into force across the EU in 2018.
Since 2014, team leaders at a service centre in Nuremberg would conduct back-to-work style interviews or informal chats following sickness absence and holidays, even when the employee was off for a short period. The information recorded ranged from details about illnesses and diagnoses, to what they had done on holiday, specific family problems and their religious beliefs.
Not only did managers build up a “broad knowledge” of their staff’s private lives, the information was updated regularly and stored digitally where it could be accessed by as many as 50 other managers throughout the company.
The data was then used alongside “meticulous” analysis of individuals’ performance at work to create “profiles” of employees that would help direct employment decisions.
Prof Johannes Caspar, the Hamburg commissioner for data protection and freedom of information, said: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The fine imposed is appropriate and will deter companies from violating their employees’ privacy.”
The commissioner added that the combination of researching private lives, and the ongoing recording of what activity individuals were engaged in, led to a “particularly intensive interference with the rights” of those affected.
H&M’s activities only came to light when an IT error led to the employee records becoming accessible across the company for a few hours in October 2019.
H&M Group said: “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions.
“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.”
Under GDPR, firms can be fined €20m (£18.2m) or 4% of annual global turnover – whichever is greater – for infringements.
H&M said it was reviewing the commissioner’s fine “carefully”, adding that since the breach was discovered, it immediately began making several data-related improvements at the Nuremberg service centre. Measures included introducing internal audits to ensure data compliance, strengthening leadership knowledge to assure a safe and compliant work environment and continuing to train and educate staff.
In addition, H&M has decided that all staff currently employed at the service centre and who were employed for at least one month since May 2018 when the GDPR came into force, will receive financial compensation.
Prof Caspar added: “The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company.”
Piers Dryden, partner and head of the technology sector at law firm Brabners, said: “The regulator is clearly using H&M to send out a message. Such a big fine against a big-name brand is a statement of intent that GDPR will come down hard on businesses that flout the data rights of their employees. Businesses can no longer plead ignorance when it comes to data protection and must have a complete understanding of the employee information they process, why they process it and what appropriate legal basis they have for doing so.”
He said other businesses should take notice of this, learn from H&M’s mistakes and implement the retrospective steps taken by the retailer now, before a breach occurs. To its credit, he added, H&M had put in place a solid action plan to address the breach once alerted to it.
“The fine levied against H&M is a reminder to all businesses that they need to establish a comprehensive approach to organisational compliance and data protection governance,” added Dryden. “Two years on from the initial implementation of GDPR is the ideal time to conduct an independent audit and assess whether those processes are still fit for purpose today.”
The fashion group, whose other brands include Cos, & Other Stories and Arket, said in a statement: “H&M Group wants to emphasise its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority.”
Only one GDPR fine has been larger. Google was fined £44m last year for a “lack of transparency, inadequate information and lack of valid consent” regarding the personalisation of adverts displayed to its users.