The clothing company H&M has been fined €35 million (roughly $41 million) for a GDPR violation.
Data protection watchdogs in Germany issued the second-largest fine to date under the General Data Protection Regulation (GDPR) earlier this October, fining the clothing retailer H&M €35.2 million, or $41.1 million, for what amounted to surveillance of some of its employees.
While some have questioned whether data protection authorities are issuing sufficiently credible enforcement actions, this one is a wake-up call that GDPR fines, while perhaps not as common as the industry first expected, can still be significant.
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) handed down the fine after learning through local media reports last year that an incident at the company's Customer Service Centre in Nuremberg had exposed employee data for a few hours.
When asked for evidence about the incident, H&M supplied 60GB of files showing that the company had been recording this information since 2014.
According to the European Data Protection Board (EDPB), supervisors at the company recorded data on hundreds of employees during informal conversations; the regulator described the data as "extensive recordings of the private-life circumstances" of those employees.
Supervisors at the Customer Service Centre in Nuremberg recorded information such as employees' holiday experiences, illnesses, family issues and religious beliefs, and stored it in a database that was readable by up to 50 managers across the company.
"The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues," the EDPB wrote. "The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees' civil rights."
Hamburg's Data Protection Authority did not know about the data collection until a technical problem with the company's network in October 2019 made the data accessible company-wide, which in turn led to media coverage. The authority said it believes the amount of the fine is "appropriate to deter companies from similar privacy violations."
It is the largest GDPR fine since CNIL, France's Data Protection Authority, fined Google €50 million in January 2019, alleging that the way the company handled ad personalisation violated GDPR.
H&M admitted the incident shortly after it became public, apologised to its employees, and acknowledged that its practices for processing employees' personal data were wrong. The company said earlier this month that it was reviewing the fine "carefully", adding that it has since made changes to how it handles data privacy, data cleansing and the storage of personal data.
It is too early to know whether policy around GDPR fines is actually changing, but the fact that this is the second-highest fine imposed since the regulation came into force in 2018 shows that regulators still regard the privacy of individuals, particularly employees, as highly critical.