The data protection authority in Hamburg, Germany imposed a €35 million fine on H&M for processing employees’ personal data in violation of the GDPR.
The authority’s investigation began after a configuration error in the company’s computer systems made the data accessible company-wide for several hours in October 2019. The investigation then found that since 2014 the company had collected extensive sensitive personal data on employees of its Nuremberg service center by conducting an intrusive interview with every employee returning from vacation or medical leave, asking about their vacation and their medical condition. Team leaders also documented sensitive personal information about employees that they had picked up in casual social conversations, including details of the employees’ religious beliefs and family problems. The data collected was used, among other things, to build a detailed profile of each employee, which in turn informed decisions about their employment.
In addition to the regulatory fine, H&M was required to implement an internal privacy protection program and to pay sizeable compensation to the affected employees.
Click here to read the Hamburg Data Protection Authority’s press release.