H&M fined for breaking GDPR over employee surveillance
H&M has been fined €35.3m (£32.1m) for the illegal surveillance of several hundred employees.
The company kept “excessive” records on the families, religions and illnesses of its workforce at its Nuremberg service centre, the German data protection watchdog found.
The retailer has accepted full responsibility and plans to compensate employees. It is the second-largest fine a single company has faced under EU GDPR rules. Last year, the French data regulator, CNIL, fined Google €50m for breaching the General Data Protection Regulation.
H&M’s privacy violations included extensive staff surveys, with details of holidays, medical symptoms and diagnoses for illnesses, the year-long investigation by the Data Protection Authority of Hamburg (HmbBfDI) found.
Some managers also sought further private details in informal chats, including family issues or religious beliefs, which were then stored and used to evaluate work performance and make employment decisions.
“This is a case that showed a gross disregard” of data-protection rules in Germany, HmbBfDI head Johannes Caspar said. The large fine was “justified and should help to scare off companies from violating people’s privacy”, he added.
H&M made an “unreserved apology” to the service-centre staff in Nuremberg. “All currently employed at the service centre, and all who have been employed for at least one month since May 2018, when GDPR came into force, will receive financial compensation,” it said. In its third-quarter report, the retailer also said it had taken “forceful measures” to correct any related shortcomings.