
On 1 October 2020, the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit) of Hamburg (the DPA) imposed a fine of EUR 35.3 million under the GDPR against the German subsidiary of the fashion retailer H&M.
The German subsidiary operates a central service centre in Nuremberg. The DPA found that the company had collected extensive records relating to the private lives of several hundred employees, which included health data and sensitive data. Apparently some of the records went back as far as 2014.
The DPA also expressed concerns over personal data collected in relation to so-called “Welcome Back Talks” which followed an employee’s leave of absence. The records of these talks included not only the employees’ vacation experiences, but also symptoms of illness and diagnoses. In addition, some supervisors recorded other private information such as family problems and religious beliefs. The DPA found that some of the findings were at times available for up to 50 other supervisors in the company.
These practices became apparent through a system configuration error that occurred in October 2019 which made these records available company-wide for a few hours.
The German subsidiary implemented organisational measures to prevent similar future violations and voluntarily paid compensation to a large number of affected employees.
This case and the size of the fine are a stark reminder of the care that businesses should take to ensure that they are aware of the limits on collecting and using employee data, and that they regularly check that the rules (which often differ between EU member states) are being followed in practice.