H&M GDPR Fine

H&M gets 35.3M euros fine for records of private living conditions of employees

Because several hundred employees of the H&M service centre in Nuremberg were monitored by the centre's management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 euros to H&M Hennes & Mauritz Online Shop AB & Co. KG.

The company, based in Hamburg, operates a service centre in Nuremberg. Since at least 2014, extensive records of the private living conditions of some employees have been kept there. The corresponding notes were stored permanently on a network drive. After absences for vacation or illness, even short ones, the supervising team leaders held a so-called "Welcome Back Talk". Following these talks, not only the employees' specific vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired broad knowledge of their employees' private lives through one-on-one and corridor conversations, ranging from harmless details to family problems and religious beliefs. These findings were partly recorded, stored digitally and at times readable by up to 50 other managers throughout the company. The records were sometimes highly detailed and were updated over time. Besides a meticulous evaluation of individual work performance, the data collected in this way were used, among other things, to build a profile of each employee for measures and decisions in the employment relationship.

The data collection became known because, in October 2019, a configuration error made the notes accessible company-wide for a few hours. After the Hamburg Commissioner for Data Protection and Freedom of Information learned of the data collection through press reports, he first ordered the contents of the network drive to be completely "frozen" and then requested that they be handed over. The company complied and submitted a data set of around 60 gigabytes for analysis. Following the analysis of the data, interviews with numerous witnesses confirmed the documented practices.

The discovery of the significant violations prompted those responsible to take various remedial measures. A comprehensive concept for how data protection is to be implemented at the Nuremberg location from now on was presented to the HmbBfDI. To come to terms with past events, the company management not only apologized expressly to those affected; it also followed the suggestion to pay the employees a considerable sum in non-bureaucratic damages. This is an unprecedented commitment to corporate responsibility after a data protection breach. Other components of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates,

Prof. Dr. Johannes Caspar, the Hamburg commissioner for data protection and freedom of information: “The present case documents a serious disregard for employee data protection at the H&M Nuremberg location. The amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees.

The efforts of the group management to compensate those affected on-site and to restore trust in the company as an employer are to be rated expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to give those affected the respect and appreciation that they deserve as employees in their daily work for their company.”

Original article: Datenschutz-Hamburg
