H&M has been slapped with a €35.26 million ($41.56 million) “record breaking” fine in connection with its pattern of illegally surveilling employees in Germany. According to a recently-issued decision from the Hamburg Data Protection Commission, the Swedish fast fashion behemoth is on the hook for monitoring several hundred employees at its service center in Nuremberg, with some of the employees being subject to extensive recording of information related to their private lives since at least 2014, all of which was uncovered in conjunction with a security breach that took place a year ago.
A breach that took place in October 2019 at its service center in Nuremberg, Germany shed light on H&M’s ongoing practice of collecting and storing information about employees that violated at least a couple of provisions of the General Data Protection Regulation (“GDPR”), the European Union-wide regulation on data protection and privacy, namely Article 5, which governs the processing of personal data, and Article 6, which sets out the specific bases for the lawful processing of data.
“After absences, such as vacations and sick leave, [H&M’s] supervising team leaders conducted so-called ‘Welcome Back Talks’ with their employees,” according to the Hamburg Data Protection Commission’s decision, which was handed down on October 1. “After these talks, in many cases not only the employees’ concrete vacation experiences were recorded” by H&M’s senior staff, the Data Protection Commission states, “but also symptoms of illness and diagnoses.”
In some cases, the employee data was updated on a regular basis and supplemented with other information about their private lives. “Some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs,” which was recorded, the Hamburg Data Protection Commission revealed. As for the records, they were made available to up to 50 managers throughout the company, and were used to make various employment-related decisions.
In its opinion, the Hamburg Data Protection Commission found that the extensive – and ongoing – data collection about employees’ private lives amounts to “a serious disregard for employee data protection,” and against that background, Hamburg Commissioner for Data Protection Prof. Dr. Johannes Caspar levied the €35.26 million fine on H&M.
Given the seriousness of the offense, the fine – which is the highest penalty to be ordered in Germany under the GDPR since its implementation in May 2018, per Forbes, and the second highest in the whole of the European Union (Google was fined €50 million by French regulators in 2019) – “is adequate and effective to deter companies from violating the privacy of their employees,” according to Prof. Dr. Caspar.
The fine itself was calculated in accordance with a concept developed by the German data protection authority for the calculation of GDPR fines, and takes into account the revenue generated by the company at issue, among other things. “The introduction of this specific calculation concept has led to higher penalties being imposed in Germany as a matter of principle, at least for companies with high annual sales,” such as H&M, Clyde & Co LLP attorneys Amrei Zürn, Henning Schaloske and Paul Malek note. (The H&M Group generated $24.3 billion in revenue for the 2019 fiscal year.) “Even though this is currently only a purely German concept, it has been introduced and discussed at a European level as part of the harmonization efforts.”
They say that “it remains to be seen whether this or a comparable approach will also become established at European level in the other member states,” but either way, the H&M matter demonstrates a larger pattern in which “data protection violations (whether negligent or intentional) are now also punished by the German data protection authorities with severe fines.”
It is not yet clear whether H&M plans to appeal the decision of the Hamburg Data Protection Commission. The Swedish apparel giant did, however, assert in a statement in connection with the fine that it “strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards,” asserting that since the October 2019 breach, it has adopted a “comprehensive action plan to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment and continue to train and educate both staff and leaders in this area.”