Multinational retail giant H&M has been fined more than €35 million by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) for keeping detailed records of the private lives of hundreds of employees who worked at the company's service center in Nuremberg.
The massive fine was issued under the General Data Protection Regulation (GDPR) after the data protection authority confirmed that the H&M senior management kept detailed notes about the private lives of employees without informing them about such activities.
According to the authority, senior employees at the H&M service center in Nuremberg gained a lot of information about employees' private lives via informal "one-on-one and corridor discussions". The information gathered from employees included details of family problems, religious beliefs, specific vacation experiences of employees, and also symptoms of illness and diagnoses.
The information-gathering exercise was in action since at least 2014 and all information gathered from unsuspecting employees was stored by the H&M senior management on a network drive with limited access. "The findings were partially recorded, stored digitally, and were sometimes readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and updated over time," the Hamburg Commissioner for Data Protection and Freedom of Information said.
"In addition to a meticulous analysis of individual work performance, the data collected in this way were used, among other things, to obtain a profile of the employees for measures and decisions in the employment relationship. The combination of researching private life and the ongoing recording of what activity they were engaged in led to a particularly intensive interference with the rights of those affected," it added.
The illegal and hush-hush collection of data about the private lives of employees came to light in October 2019 when an internal configuration error resulted in the network drive becoming accessible to all employees at H&M for a few hours. Within no time, alarmed employees notified the Hamburg Commissioner about the privacy breach, resulting in an in-depth investigation.
"The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees," said Johannes Caspar, the Commissioner for Data Protection in Hamburg.
According to German news site The Local, H&M said in response to the massive GDPR fine that the "practices in the processing of employee data in Nuremberg were incompatible with H&M's policies and instructions."
"After the incident was discovered and reported, H&M immediately initiated far-reaching measures at the Nuremberg service centre. H&M takes full responsibility and would like to express an unconditional apology to the Nuremberg employees," it said. The company has also promised to financially compensate employees whose private details were collected between 2014 and 2019.
"The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation they deserve as employees in their daily work for their company," Mr. Caspar added.
This is the first time since GDPR came into force that a corporation has been found liable for carrying out unauthorised surveillance of employees. It is a known fact that organisations hold a lot of sensitive data belonging to employees but the revelation that H&M did it for reasons unknown to employees indicates the issue may be more widespread across Europe than believed.