The Hamburg Commissioner for Data Protection and Freedom of Information imposes a 35.3 Million Euro Fine for Data Protection Violations in H&M’s Service Center
In a case concerning the monitoring of several hundred employees of the H&M Service Center in Nuremberg by its management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 Euros against H&M Hennes & Mauritz Online Shop A.B. & Co KG.
The company is registered in Hamburg and operates a service center in Nuremberg. Since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave – even short absences – the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.
This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the contents of the network drive to be “frozen” and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practices after analyzing the data.
The discovery of the serious violations has prompted those responsible to take various corrective measures. The HmbBfDI was presented with a comprehensive concept how data protection is to be implemented at the Nuremberg site from now on. In order to come to terms with the past events, the company management has not only expressly apologized to those affected, it has also followed the suggestion to pay the employees a considerable compensation. This is an unprecedented acknowledgement of corporate responsibility following a data protection incident. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, increasingly communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.
Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, comments: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies
from violating the privacy of their employees.
Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.