H&M Fined EUR 35 Million for Violating Employee Privacy in Germany
In early October, the Data Protection Authority in Hamburg, Germany announced that the clothing retailer H&M committed severe violations of its employees’ privacy. Because of these European General Data Protection Regulations (GDPR) violations, the retailer would pay a fine of approximately 35 million euros.
According to the announcement, H&M systematically collected information regarding the private lives of hundreds of employees of its customer service center in Nuremberg, Germany. The data was collected during informal conversations with the employees (such as “water cooler conversations”) and included information as to medical diagnoses, family issues, religious beliefs and more. The data collected served, inter alia, to create a detailed profile of the employee for the purposes of decision making regarding their employment.
This method of data collection was exposed following a technical malfunction which led to the data being available on the company’s organizational network for several hours. This resulted in media coverage of the event. After the Hamburg Data Protection Authority was made aware of these publications, it initiated an investigation of H&M. Ultimately, the Authority found that “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights”.
Following the event, H&M admitted to the existence of such data collection methods at the Nuremberg customer service center. The retailer apologized to its employees and financially compensated all of the employees employed at the customer service center since 2018, the year during which the GDPR took effect.
GDPR: The Second Highest Fine Due To GDPR Violation
This is the highest fine imposed under the GDPR due to employees’ privacy violations specifically, and the second highest fine imposed under the GDPR generally. The highest fine was a 50 million euro fine imposed last year on Google by the French Privacy Protection Authority.
The decision by the Hamburg Data Protection Authority sends out a very clear message to companies with employees. They may not collect any information they wish about their employees and make any use of it as they please.
While the GDPR’s going into effect led to companies around the world to ensure the protection of their customers’ protections, a large portion of them neglect the privacy of their employees. This stems from the view that employees would not assert their privacy rights in order not to lose their employment. The mere fact that the second highest fine imposed under the GDPR was imposed due to the violation of employees’ privacy may change this trend and constitute a warning sign for any company with employees in Europe and around the world.