The Swedish fashion house has been fined over €35m for breaching the EU's GDPR in a landmark ruling on employee surveillance

Swedish fashion giant H&M has received a record €35m fine from the Hamburg data protection authority for unlawfully collecting and storing personal data about employees at its customer service centre in Nuremberg, the retailer said on Thursday.

The group admitted shortcomings at the service centre and said it had taken “forceful measures to correct this”.

German daily Frankfurter Allgemeine Zeitung reported last year that the Hamburg Commissioner for Data Protection and Freedom of Information had launched a probe into H&M management unlawfully questioning workers about their private lives and storing the details.

According to the European Data Protection Board (EDPB), the records had been kept since at least 2014 and ranged from fairly harmless details to family issues and religious beliefs. After absences such as vacations and sick leave, the supervising team leaders in many cases recorded details including symptoms and diagnoses, which were stored digitally and were partly readable by up to 50 other managers throughout the company. Health data and religious beliefs are special categories of personal data under Article 9 GDPR, which may be processed only under narrow conditions.

The data collected in this way was used, among other things, to build a detailed profile of each employee for measures and decisions regarding their employment. The combination of collecting details about their private lives and recording their activities amounted to a particularly intensive encroachment on employees' civil rights, the EDPB noted.

The practice came to light when a configuration error made the data accessible company-wide for several hours in October 2019. After the Hamburg Commissioner for Data Protection and Freedom of Information learned of the data collection through press reports, he first ordered the contents of the network drive to be "frozen" and then demanded that they be handed over. The company complied and submitted a data set of around 60 gigabytes for evaluation. Analysis of the data, together with interviews of numerous witnesses, confirmed the documented practices.

The company's management has not only expressly apologised to those affected but has also offered them considerable compensation. "This is an unprecedented acknowledgement of corporate responsibility following a data protection incident," the EDPB noted.

Professor Dr Johannes Caspar, Hamburg’s commissioner for Data Protection and Freedom of Information, said: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”