THE WHAT? Fashion and beauty retailer H&M has been fined €35.3m (£32.1m) for GDPR breaches after it was found to have carried out illegal surveillance on several hundred employees.
THE DETAILS According to the Data Protection Authority (DPA) of Hamburg, the Swedish company was found to have kept ‘excessive’ records of staff, including details regarding religion, illness and families, and to have been spying on them at its Nuremberg service centre.
The fine is the second largest a single company has faced under GDPR rules, with Google having been fined $50 million by French data regulator CNIL last year.
Following a year-long investigation by the Data Protection Authority of Hamburg (HmbBfDI), it was found that the violations included the recording of extensive staff surveys, holidays, medical symptoms and illness diagnoses, as well as private details garnered by managers in informal chats.
In a statement, the Hamburg regulator said, “After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees.
“After these talks, in many cases, not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses.
“In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”
THE WHY? Discussing the fine and the flouting of data protection rules, HmbBfDI head Johannes Caspar said, “This is a case that showed a gross disregard.”
He stated that the fine was “justified and should help to scare off companies from violating people’s privacy.”
H&M has issued an ‘unreserved apology’ to staff and intends to offer financial compensation to all staff employed at the service centre and to those employed for at least one month since May 2018.