H&M faces €35m fine for storing data on staff health and religious beliefs

6 Oct 2020

The retailer has been given Europe’s second highest GDPR fine to date after details of employees’ health, family issues, religious beliefs and more were exposed to the entire company.

Swedish clothing company H&M has been dealt a massive fine for breaching GDPR rules by placing its employees under surveillance. The fine amounted to more than €35m and was instigated by a data protection watchdog in Germany, which said this amount should “deter companies from violating the privacy of their employees”.

An H&M service centre in Nuremberg had been monitoring several hundred employees since 2014, the Hamburg Commissioner for Data Protection said. According to the watchdog, there had been “extensive recording of details about the private lives” of some staff. A configuration error at the centre last October made those details visible to the entire company for several hours.

An ‘adequate and effective’ fine

Hamburg’s data protection authority announced the fine last Thursday (1 October). It explained that after employees in H&M Nuremberg returned from holidays and sick leave, they were asked to take part in “welcome-back talks” with supervisors.

“After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses,” it added. “In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”

Prof Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information, said the incident represents a “serious disregard for employee data protection”.

“The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees,” Caspar said.

According to Forbes, the fine is the highest GDPR penalty that has been given in Germany, and the second highest in Europe, since the legislation was introduced in 2018.

H&M statement

H&M published a response to the fine on its website. It said that the company has “fully cooperated with the [data protection] authority during the process”. The statement went on to say that the data processing practices brought to light in the incident “were not in line” with the company’s guidelines.

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.

“A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment and continue to train and educate both staff and leaders in this area.”

By Lisa Ardill

Lisa Ardill joined Silicon Republic as senior careers reporter in July 2019. She has a BA in neuroscience and a master’s degree in science communication. She is also a semi-published poet and a big fan of doggos. Lisa briefly served as Careers Editor at Silicon Republic before leaving the company in June 2021.