Multinational clothes retailer H&M has been fined €35.3m by the Hamburg data protection authority for unlawful employee-monitoring practices in breach of the EU General Data Protection Regulation (the GDPR). The fine is the second largest imposed on a single company under the GDPR to date.
Unlawful Employee-Monitoring Practices
The fine was imposed on H&M Hennes & Mauritz Online Shop A.B. & Co. KG, a German subsidiary of the Swedish fashion giant. Although registered in Hamburg, the entity operated a service centre in Nuremburg. Supervisors at the service centre had a practice of collecting detailed private information from employees returning from holidays or sick leave – even short absences – through “welcome back talks”. The information collected was often highly personal, such as details of employees’ holiday experiences and sometimes included special category personal data such as symptoms of illnesses and diagnoses. Supervisors would also record information learned from employees through informal one-on-one discussions and corridor conversations. The information gathered was summarised and saved digitally in notes which were available to key decision-makers in the company. These findings were used in conjunction with meticulous work performance evaluations to develop in-depth profiles of employees, in what the Hamburg data protection authority stated amounted to “particularly intensive interference with the rights of those affected.”
Investigation and Fine
The practices came to wider attention in October 2019 after the notes were briefly made accessible company-wide due to a technical error. The Hamburg data protection authority ordered that the dataset be frozen and surrendered to it for inspection. Then began an investigation consisting of analysis of the 60GB dataset and interviews with witnesses to the contested practices. The H&M entity responded to the revelations by taking various remedial measures, including apologising and paying compensation to the affected parties. It also presented a plan to comprehensively overhaul its data protection practices, including appointing a new data protection coordinator, issuing monthly data protection status updates and better communicating to its employees the protections in place for whistleblowers. A representative for the Hamburg data protection authority praised these efforts to compensate affected employees and to restore trust in the company as an employer, but stated that the practices demonstrated “a clear disregard for employee data protection” and that “the amount of the fine imposed accordingly appropriate and suitable in order to deter companies from violating the privacy of their employees.”
We are available to advise businesses with any data protection issues they face. Please contact any member of the Technology team or your usual William Fry contact with any queries.
Contributed by Andrew Desmond