On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), and the second highest in Europe issued by any DPA (although other DPAs have announced their intention to issue other larger fines).

According to a statement issued by the Hamburg regulator, H&M acquired “extensive recordings of the private-life circumstances” of several hundred employees at the service center since 2014.  This information included details of employees’ holiday experiences, symptoms of illness and diagnoses, family issues and religious beliefs.  H&M recorded this information during one-on-one “Welcome Back Talks” following periods of sick leave or vacation, as well as during additional one-on-one meetings and corridor discussions.  The company permanently saved the information on a network drive that “up to 50 other managers” could access.  H&M used all of this information in “meticulous” performance evaluations; more broadly, it served to “obtain a profile of the employees for measures and decisions in the employment relationship”.

As with so many compliance failings, this issue came to light because of a security breach.  H&M discovered a security breach in October 2019 when a configuration error made the information about employees accessible, company-wide, for several hours.  On learning about the breach, the Commissioner of the Hamburg DPA ordered that the contents of the network drive be frozen and subsequently released.  The DPA then initiated an investigation.

In its announcement about the decision, the Hamburg DPA stated that the combination of research into employees’ private lives and the ongoing recording of activities led to a “particularly intensive interference” with employees’ rights.  The Commissioner also added that the amount of the fine was appropriate to deter companies from similar privacy violations.

In an online statement, H&M said it will review the decision carefully.  Meanwhile, it has issued an apology to all employees affected and announced that those employed at the service center for at least one month since May 2018, when the GDPR came into force, will receive financial compensation.  We will continue to monitor developments.