On October 1, 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (BfDI) issued a fine of €35.3 million (around $41.5 million) against the Hamburg-registered entity of the Swedish fashion retailer Hennes & Mauritz, better known as H&M, for violations of the General Data Protection Regulation (GDPR).
H&M recorded sensitive personal information of employees
The H&M group currently operates around 5,000 stores in 74 markets and, according to its website, employs about 179,000 people. Every organization collects personal data about its employees, but the GDPR singles out certain categories as "special category" (sensitive) data under Article 9, among them health data and religious beliefs, and subjects them to much stricter rules.
In the employment context, processing such data is permitted only where it is authorized by law and is necessary to carry out obligations under employment, social security and social protection law (Article 9(2)(b) GDPR).
In all cases, the collection of sensitive data must serve a defined purpose, be accessible only to the personnel who genuinely need it, and be accompanied by adequate safeguards for the fundamental rights and interests of the employees concerned. This is where H&M fell short.
According to the EDPB: “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
The BfDI investigation into H&M's processing
According to the findings of the BfDI, H&M had collected extensive sensitive personal data about employees of the H&M Service Center in Nuremberg since at least 2014.
The data came from several sources, one of them a “Welcome Back Talk” program in which the company interviewed employees returning to work after an illness or other absence.
The records were highly detailed, and everything recorded was readable by an excessive number of managers (around 50), who used the personal data when evaluating work performance and deciding on promotions.
The information collected included health records, among them the symptoms and diagnoses of several hundred employees, as well as details of their vacations and personal leave.
Further personal data was gathered informally through small talk and office gossip: managers picked up details of employees' private lives, including religious beliefs and family circumstances, and used that information when making employment decisions.
How was the violation discovered?
In October 2019, a technical error made the data on the company's network drive accessible to everyone in the company for a few hours. Management acknowledged the lapse and apologized, offering financial compensation to the affected employees.
The incident attracted considerable media attention, which brought it to the notice of the Commissioner for Data Protection, who demanded that the network drive be frozen and handed over. H&M complied and delivered 60 GB of personal data.
H&M accepted the corrective data protection measures proposed by the BfDI, apologized to the affected employees and offered them generous financial compensation; according to the authority, this was the first time a company had acknowledged its responsibility in this way.
The company also appointed a data protection coordinator, introduced monthly data protection status updates and adopted a consistent concept for handling data subjects' rights of access. The DPA welcomed these steps, stating: “The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive.”
H&M also published a statement on its official website describing its cooperation with the data protection authority so far:
“H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority. The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.”