The German regulator has fined H&M 35 million euros for systematic violations of the General Data Protection Regulation (AVG). H&M recorded special personal data of hundreds of employees who had been temporarily absent.
When employees at the retail chain's service center in Nuremberg had been sick, on vacation or otherwise absent for a (short) time, managers at the service center held what were called "Welcome Back Talks". During these talks, they noted what employees had done during their absence and which symptoms of illness and diagnoses they had received. Notes were also kept on employees' family circumstances and religious beliefs. These notes were then stored on an online accessible network drive to which 50 other executives had access. Since 2014, the notes were frequently updated to monitor developments in employees' private lives. H&M subsequently used this information to conduct evaluations of employees.
In October 2019, this data collection came to light because, for several hours, the network drive was accessible to all employees due to a configuration error. When the German supervisor in Hamburg was informed of this, H&M was instructed to transfer all data on the network drive. All the files on it totaled sixty gigabytes of employees' personal data.
H&M has since apologized and will pay compensation to the employees. In addition, a new personal data protection plan has been introduced, consisting of a data protection officer, monthly updates on the status of personal data protection, improved protection for whistleblowers and a consistent policy on employees' right to inspection.
The fine amount for H&M is the highest fine amount handed out in Germany for a violation of the AVG. In Europe, it ranks second behind the €50 million fine handed out to Google.
Read the press release from the Hamburg regulator here.