35 million reasons to take privacy seriously: German data protection authority hits fashion store owner H&M with second-highest GDPR fine ever
Fashion retailer’s service center illegally surveilled employees and recorded 60 GB of the most intimate personal data
Hamburg, October 1st 2020: It was announced today that the Hamburg data protection authority (DPA) has imposed a fine of a whopping €35,258,707.95 on the fashion retailer H&M Hennes & Mauritz Online Shop A.B. & Co. KG, which is based in Hamburg.
The fine is the second-highest ever imposed under Europe’s GDPR privacy legislation.
Welcome back and thank you for your information
The reason for the hefty fine was the illegal surveillance of several hundred workers by team leaders at an H&M service center in Nuremberg.
Since 2014, these managers were found to have been targeting staff returning from long periods of absence due to illness or vacation—by inviting them to “welcome back” meetings or even approaching them directly during their meal breaks. These conversations were held with around 700 unsuspecting workers, many of whom shared highly personal information, which the team leaders then wrote down and stored on a central network drive. The information was evaluated and used to systematically assess the workers’ performance and create profiles, and it ultimately played a crucial role in decisions concerning pay and promotions.
Apart from covering their vacations, the records also contained
- details about when the workers were sick and when they took vacation,
- medical diagnoses such as bladder weakness and cancer,
- religious beliefs,
- rumors and
- highly private details of deaths in the family and other personal problems.
Not only was this data permanently accessible to at least 50 managers, but an IT error in October 2019 meant that for a few hours it was even available to every single employee in the entire company. This is when the data collecting came to light.
More than just a fine: Compensation of €2,500 per worker
When the issue was raised, the Hamburg DPA was quick to take action: The authority issued a freeze order to preserve evidence and ordered that the data set be handed over for inspection.
For its part, the company also reacted swiftly. It cooperated with the authorities, apologized to the workers affected, and also offered €2,500 in compensation to each of them who had been employed for at least one month.
This scramble to contain the fallout resulted in a considerably reduced fine for H&M, since the DPA’s fine is actually equivalent to less than 0.2 % of the H&M Group’s annual turnover of €21.9 billion. Considering the size of the fine, it seems that every Euro paid out to the workers is money well spent.
Standardized model for GDPR fines
Germany’s data protection authorities have published a standardized model for calculating fines. Based on this method of calculation, German privacy expert Christoph Schmidt developed the GDPR Fine Calculator. Authorities are of course free to decide independently, and on a case-by-case basis, how high fines should be, but the model can offer a reliable ballpark figure for companies and thus influence their corporate strategy.
Investigations: What resources do supervisory authorities have?
In addition, Art. 58 GDPR provides the supervisory authority with a variety of means, which it can use alternatively or cumulatively, to take action against offending companies.
Violations of the GDPR’s fundamental data protection principles of lawfulness, fairness and transparency
The Hamburg DPA found that the conduct of H&M’s managers constituted a serious disregard for the principles of European data protection law (the GDPR) and Germany’s national Federal Data Protection Act.
H&M’s data processing was found to be
- unlawful, since there is no legal basis for this type of employee surveillance,
- unfair, because the data was misused for inappropriate purposes, and
- opaque, because the data was collected in secret.
Reputation tarnished and workers’ trust destroyed
The affair has already caused considerable damage to the company’s image. Even before the fine was announced, H&M won the 2020 BigBrotherAward in the “Workplace” category. These anti-prizes are awarded annually, and this year the jury selected H&M in recognition of:
“the long-standing, devious, and illegal collecting and processing of employee data distinctly protected by privacy laws”
Meanwhile, the workers affected are particularly angry that the very team leaders who spied on them also received compensation. Perhaps unsurprisingly, many of the employees have already resigned.
The fine imposed on H&M will serve as a deterrent and send a clear signal to companies and their compliance departments: Spying on your own workers is an expensive game.