
H&M Hit With Record-Breaking GDPR Fine Over Illegal Employee Surveillance


Swedish multinational retail company H&M has been hit with a monumental €35 million ($41.3 million) GDPR fine for illegally surveilling employees in Germany.

The Data Protection Authority of Hamburg (HmbBfDI) announced the fine on Thursday after the company was found to have excessively monitored several hundred employees in a Nuremberg service centre. The watchdog said that since at least 2014, parts of the workforce had been subject to “extensive recording of details about their private lives”. 

“After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses,” HmbBfDI said.

“In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”


The extensive data collection was exposed in October 2019 when such data became accessible company-wide for several hours due to a configuration error.

In a statement, Hamburg's commissioner for data protection and freedom of information, Prof Dr Johannes Caspar, said the case “documents a serious disregard for employee data protection at the H&M site in Nuremberg.”

“The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”

The fine is the highest GDPR penalty levied in Germany since the legislation came into force in 2018, and the second-highest of its kind throughout the continent. Last year, France’s data protection watchdog fined Google €50 million (U.S. $57 million).

H&M said it will now review the decision carefully. “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions,” the company stated.

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg.”

“A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area,” the company said.


Privacy Ninja
