As a result of its monitoring of several hundred employees at its service centre in Nuremberg, H&M has been issued with an eye-watering fine of €35.25m by the Hamburg Data Protection Commissioner. This is the second-largest fine issued under the GDPR to date.
Since 2014, H&M employees had been subject to extensive recording of data relating to their private lives, including sensitive personal data ("special category" data). For example, after vacation and sick leave – even short absences – team leaders conducted a so-called "welcome back talk". After these talks, details were recorded including not only the employees' vacation experiences but also symptoms of illness and diagnoses. In addition, supervisors acquired a broad knowledge of their employees' private lives through casual conversations, ranging from harmless details to family problems and religious beliefs. Some of these findings were then recorded, stored digitally and made accessible to up to 50 managers throughout the company.
The data collected in this way was used, among other things, to profile the employees and to support employment decisions.
The practice came to light following a data breach in October 2019 when, as a result of a configuration error, the data became accessible company-wide for several hours.
Aside from the fine, to show its contrition, H&M has expressly apologized to the affected employees and has also agreed to pay compensation. Other measures which H&M has agreed to take include the appointment of a data protection coordinator, monthly data protection status updates and enhanced whistle-blower protection.
The case serves as a reminder that the GDPR applies to HR data just as it does to consumer and customer data. In fact, given that HR data routinely involves the processing of higher-risk "special category" data, such as sickness records and details of employees' personal issues, great care is needed in relation to the collection, storage and access control of such data.
Aside from the data security breach itself (the GDPR requires personal data to be processed in a manner that ensures its appropriate security, including protection against unauthorised access), H&M would seem to have breached several of the other data protection principles: for example, data minimisation (collecting only data that is adequate, relevant and limited to what is necessary for the purpose for which it is collected), purpose limitation (collecting data only for specified, explicit and legitimate purposes, and not using it for other, incompatible purposes) and lawfulness, fairness and transparency (making sure, among other things, that employees are told what data you are collecting and storing and why). Special category data, such as health information and religious beliefs, may in addition only be processed where one of the specific conditions in Article 9 of the GDPR applies.
If your GDPR compliance programme did not focus on HR data with at least the same rigour as other data, or needs a refresh, there are 35m reasons why now would be a good time.