6th October 2020

The Swedish retail company H&M has been fined €35 million by Hamburg’s Data Protection Authority, after it was found to have breached the GDPR.

Since 2014, the company had been illegally and excessively monitoring the private lives of its Nuremberg employees. The company held employee data relating to, inter alia, vacations, illnesses and diagnoses, family issues and religious beliefs. This data was collected and stored without the knowledge of the data subjects and without any proper legal basis for processing it. Moreover, the data was accessible to many company managers.

All this was exposed in late 2019 due to a configuration error, which made the data accessible to everyone within the company for a few hours. Hamburg’s commissioner reacted to this shocking breach by imposing a substantial fine on the company. The commissioner explained that the fine is reasonable given how alarming the disregard for employee data protection is, and that it should serve to underline the right to privacy as well as to deter other companies from processing personal data in such a way.

H&M’s fine is Germany’s highest to date and ranks second in the EU, given that Google was issued a €50 million fine by France’s Data Protection Authority in 2018. It ranks fourth in Europe, following the UK’s fines of €204.6 million and €110.4 million to British Airways and Marriott International Inc. respectively.

Besides issuing a formal apology to its employees in Nuremberg, H&M has already started carrying out the actions necessary to remedy the situation. It has identified inconsistencies between its practices and H&M’s policies and guidelines, and it has instituted an action plan aimed at improving internal auditing, privacy compliance and awareness of data protection law, including data subjects’ rights and the obligations of data controllers and data processors.

This case should make companies more aware of their data protection obligations and of the hefty repercussions should these obligations not be properly implemented. Proper training and knowledge in data protection law are fundamental, and companies should always act in the best interest of the data subject.