German regulator imposes €35 million fine on H&M for violation of employee privacy
On 1 October, one of the German privacy regulators (Hamburg) imposed a fine of €35 million on the fashion chain H&M for systematically violating the General Data Protection Regulation (GDPR). The decision can be found here (in English).
Why did H&M receive such a hefty fine?
At H&M’s service centre in Nuremberg, a so-called ‘Welcome Back Talk’ had been organised since 2014 whenever employees returned after a period of sickness, a holiday or simply time off work. During these talks, employees were asked about symptoms of illness and diagnoses, or about what they had done during their absence. Managers also kept notes on family circumstances and religious beliefs. This data was stored on an online network drive that was accessible to 50 other managers. Whenever there were new developments in an employee’s private life, the online notes were updated and used in employee appraisals and evaluations.
The existence and content of the notes became known following a configuration error in 2019 that, for a number of hours, made the data accessible to all employees within the company. After the German regulator was informed, H&M had to hand over all data from the network drive (no less than 60 GB) to the regulator.
The supervisory body then concluded that H&M’s employees had been monitored for years and that H&M had systematically processed sensitive personal data in the process. In other words, this was not merely careless processing, but a serious, deliberate violation of the fundamental principles of the right to data protection. That is why, according to the supervisory body, a fine of EUR 35 million is appropriate here. Never before has such a high fine been imposed in Germany for a GDPR infringement. In this context, we refer to the article that our German Ius Laboris colleague Jessica Jacobi, a partner at KLIEMT, wrote about the fine.
What does this mean for you as an employer?
In the Netherlands, the AVG and the AVG Implementation Act prohibit the processing of data on health, racial or ethnic origin, political opinions, religion or biometric data. Only where an explicit legal exception applies is it permitted to process such sensitive personal data. Earlier this year, the Dutch privacy watchdog also put a stop to the processing of employees’ fingerprints (biometric data) in the absence of a legal basis and imposed a fine of €725,000 on Manfield. See the AP website for more information on this.
Therefore, as an employer, make sure that you do not process any sensitive personal data without a legal basis for doing so.