Popular fashion retailer Hennes & Mauritz Online Shop A.B. & Co KG (H&M) was fined €35.2 (US$41.1 million) by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) for violating the General Data Protection Regulation (GDPR). In an official release, HmbBfDI stated the management of the H&M Service Center in Nuremberg unauthorizedly monitored its employees’ personal information.
H&M’s data privacy violations included extensive use of its staff data, including their holiday experiences, medical symptoms, and diagnoses for illnesses. The HmbBfDI’s investigation also found that some managers of H&M also acquired employees’ private details like their informal chats, including family issues and religious beliefs by illegally recording their conversations at the workplace. It also found that the company used this private data to evaluate employees’ work performance. Besides, the illicitly obtained data became accessible company-wide for several hours in October 2019 due to misconfiguration.
“In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights,” the HmbBfDI said.
Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, said, “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees. Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”
The H&M management apologized to its staff and agreed to compensate the affected employees. This is the second largest GDPR fine imposed on a single company. Last year, the French data regulator, CNIL, fined Google €50 Mn (around US$57 million) for breaching the GDPR.
Also Read: Four Biggest GDPR Fines of 2020
Disclaimer: The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG is merely passing on what has been discovered and reported by the source mentioned in the article.