fbpx

H&M Fined for GDPR Violation

Written by: Charles R. Langhorne IV, Esq.

On October 1, 2020, the Data Protection Authority of Hamburg (“DPA”), announced a fine of €35.3 million ($41.3 million) against multinational retail company H&M. The fine is based on excessive monitoring of H&M employees in Germany in violation of GDPR. This is the second-largest fine a single company has faced for a GDPR violation.

The violations stem from H&M’s recording of private details about their employees. For example, the DPA found:

“[a]fter absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses,” the DPA said.

This information was used in conjunction with work performance evaluations to develop in-depth profiles of employees, in what amounted to “particularly intensive interference with the rights of those affected.” The practice became widely known in October 2019 when a technical error caused these profiles to be available company-wide for a short period of time. A DPA representative stated the practices demonstrated “”a clear disregard for employee data protection” and that “the amount of the fine imposed [was] accordingly appropriate and suitable in order to deter companies from violating the privacy of their employees.”