The German subsidiary of H&M has received a €35,258,707.95 (about £31.9 million) fine from the Hamburg Data Protection Authority for violating the GDPR (General Data Protection Regulation).
The infringement relates to a 2019 data breach that revealed that H&M was gathering excessive personal data on its employees.
The fashion retailer had been collecting and storing information about its employees’ private lives, including their holiday experiences, family issues, religious beliefs and symptoms of illness and diagnoses.
The information was collected during one-to-one conversations between employees and their supervisors as part of a “welcome back talk” when employees took time off work.
Some of the data was accessible by up to 50 other managers.
It’s the largest ever fine under the GDPR for a violation concerning data use – and given the sensitive nature of the data and how irrelevant it seems to be, it’s not a surprise.
After evaluating 60 GB of H&M data and reviewing witness evidence and the organisation’s internal procedures, the Hamburg Data Protection Authority ruled that the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.
H&M has since apologised to its employees, and confirmed that everyone who had been working at the company since the GDPR took effect on 25 May 2018 would receive financial compensation.
However, this will probably be of little comfort to employees, particularly when you factor in the long-term repercussions for their employer, which now has to pay compensation and a regulatory penalty in the middle of the ongoing financial effects of COVID-19.
Indeed, news of the fine coincided with H&M announcing plans to close 250 stores globally next year. The organisation said that the closures have been driven by customers’ preference for shopping online.
GDPR compliance support with GRCI Law
Are you concerned that your data protection practices do not meet your compliance obligations? If so, our Privacy as a Service solution might be ideal.
Our team of experienced lawyers, barristers, and information and cyber security experts will work with you to help you achieve regulatory success.
This includes help with compliance monitoring, breach notification processes and data privacy management, and support completing DSARs (data subject access requests).