H&M Slapped with €35.2 Million GDPR Fine for Excessive Use of Employee Data

H&M, the second largest fashion retailer in the world, has been fined €35,258,707.95 ($41.2 million) by the Hamburg Data Protection Authority (HmbBfDI) for violations of the General Data Protection Regulation (GDPR). The financial penalty is by far the largest GDPR fine imposed to date.

The fine was imposed on a German subsidiary of Hennes & Mauritz AB over violations of the GDPR in relation to the excessive use of employee data. The violations were discovered during the investigation of a data breach experienced in October 2019, which made it clear how much data on employees had been collected. Following a configuration error at its service center in Nuremberg, the data had become available company-wide for several hours.

H&M had collected extensive personal information about its employees, including information about their religious beliefs, symptoms of illness, medical diagnoses, holiday experiences, family problems, and much more. The information had been collected in one-on-one conversations between employees and their supervisors during talks after an absence from work. The data collected in these “welcome back talks” were, in some cases, accessible to up to 50 other managers in the company.

The personal information had been recorded since at least 2014 and the data had been permanently stored on its network drives. The data was collected to compile detailed personal profiles of employees which were used to make decisions about their employment, alongside detailed evaluations of individual work performance.

According to HmbBfDI, “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

H&M has apologized to its employees and has promised to provide compensation to employees at the impacted service center who worked there from May 25, 2018, the date GDPR took effect. “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions,” said H&M in a statement. “H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg.”