The Data Protection Authority of Hamburg (HmbBfDI) announced Thursday it fined H&M Germany €35.2 million (U.S. $41.3 million) for violating the EU’s General Data Protection Regulation (GDPR) through the excessive monitoring of several hundred employees by one of the clothing retailer’s German subsidiaries.

“This case documents a serious disregard for employee data protection at the H&M site in Nuremberg,” said Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information. “The amount of the fine imposed is, therefore, adequate and effective to deter companies from violating the privacy of their employees.”

The GDPR fine against H&M is among the largest ever. Last year, France’s data protection watchdog fined Google €50 million (U.S. $57 million) for GDPR violations. In another case, British Airways was hit with an original fine of $230 million but said in late July it may qualify for a nearly 90 percent reduction, bringing it down to $26 million.

Also pending in the United Kingdom is a £99 million (U.S. $124 million) fine against Marriott.

According to HmbBfDI, “Since at least 2014, parts of the [H&M Germany] workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive.” After employee absences, including vacations and sick leave, supervising team leaders would conduct so-called “Welcome Back Talks” with the employees, and then would record details of those conversations that included their holiday experiences, symptoms of illness, and diagnoses.

In addition, some supervisors acquired broad knowledge of employees’ private lives through one-on-one conversations that included discussions about “family issues and religious beliefs,” HmbBfDI said. Some of this data was recorded, digitally stored, and accessible by up to 50 other managers throughout the company.

“In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment,” HmbBfDI said. “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

The data collection activities came to light in October 2019, when the stored records became accessible company-wide for several hours due to a configuration error. “The breach was related to storage of employees’ personal data at the service center, and H&M reported it immediately to the data protection authority in Hamburg,” the company said. “H&M has fully cooperated with the authority during the process.”

H&M’s response

H&M said it will now review the decision carefully. “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions,” the company stated. “H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg.”

Since initial discovery and reporting of the incident, H&M said it immediately made several improvements at the Nuremberg service center. “A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area,” the company said.

The specific actions H&M has implemented include:

  • Personnel changes at management level at the service center in Nuremberg;
  • Additional training for leaders in relation to data privacy and labor law;
  • Revised instructions for managers;
  • Creation of a new role with specific responsibilities to audit, follow up, educate, and continuously improve data privacy processes;
  • Enhanced data cleansing processes; and
  • Improved IT solutions supporting compliant storage of personal data, training, and leadership.

“In addition, H&M has decided that all currently employed at the service center, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation,” the company said.

Post-pandemic implications

“The investigation here was into data collected before the current pandemic,” a client alert from law firm Cordery noted. “In our view, however, it is unlikely that the DPA would have been more sympathetic to the collection of additional data without credible justification even now.”

According to the client alert, more than 40 DPAs have issued guidance on the collection of extra data during the pandemic—including health data, data on holiday travel, and domestic arrangements. “We’re also seeing a significant rise in data protection requests and complaints, especially from employees who have been furloughed or let go, and so the 2020 situation is likely to be even more challenging than the situation H&M faced in 2019,” the client alert stated.

“In addition, we have seen some employers using so-called ‘productivity tools’ to collect data on employees while they work from home,” it added. Such data-collection practices, Cordery said, are under investigation in at least one case involving Barclays Bank.