Not fashionable: H&M receives highest fine ever imposed in Germany for violating employees’ privacy rights


published on 12 October 2020 | reading time approx. 3 minutes


Spying on your employees should have gone out of fashion a long time ago. Apparently not so in the fashion group H&M’s service center for email and phone order business in Nuremberg. Its very unfashionable behavior has led the Hamburg Commissioner for Data Protection and Freedom of Information (who is the competent authority for H&M in Germany) to impose an administrative fine of approximately 35.3 million euros, the highest fine for data privacy violations imposed in Germany so far.



According to the Commissioner’s press release, H&M had collected and stored personal data and information about the private lives of a considerable number of employees of the H&M service center in Nuremberg since 2014. Based on so-called “Welcome Back Talks”, individual interviews or even occasional chats with the employees, the supervisors and team leaders of the service center acquired a broad knowledge of the private lives of their employees (harmless details as well as family issues, but also information about health problems and religious beliefs). This data, together with detailed evaluations of individual work performance, was used to build a detailed profile of each employee in order to take measures and decisions regarding the employment relationship. Apparently, these data collections were made by the team leaders and supervisors at the service center, without involvement of H&M’s higher-level management.


In October 2019, the data was made accessible to the entire company for several hours due to a configuration error in H&M’s system. After learning about the case from the media, the Hamburg Commissioner ordered the “freezing” of the contents of the affected network drive and then requested H&M to hand over a collection of about 60 gigabytes of data for his own evaluation.


The serious violations at its Nuremberg service center prompted H&M to take various corrective measures and to present to the Hamburg Commissioner for Data Protection and Freedom of Information how data protection should be implemented at the Nuremberg site from now on. Also, the company management not only apologized expressly to the persons concerned, but also followed the suggestion to pay the employees involved (at least those already employed in May 2018, when the GDPR became definitively applicable) considerable compensation.


Despite the very considerable amount of the fine imposed, H&M’s efforts to overcome the consequences of this breach were not without effect. Prof. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, expressly commented in his press release that “management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”


From a legal perspective, H&M had no legal basis to collect these data. Employers may process employee data according to Section 26 of the German Federal Data Protection Act (BDSG) if and insofar as this is necessary for the implementation of the employment relationship. Creating files and collections about employees’ private lives was obviously not necessary for that purpose. If employers wish to collect and process additional data, this requires the employee’s prior written consent (Section 26(2) BDSG). Consent would also have been required under the GDPR. The type of data collected by the service center also included details about the employees’ health and their religious beliefs, both of which are special categories of data in the sense of Art. 9(1) GDPR. Special categories of data may only be processed under one of the exceptions listed in Art. 9(2) GDPR, the relevant one here being the data subject’s explicit consent, which had not been obtained (and most likely would not have been given by the data subjects anyway).


H&M has announced that data protection training for managers, data audits and/or seminars on employee rights are planned. Given that the GDPR has been applicable for more than two years now, this comes rather late.


As a takeaway, this case shows how important it is to build and maintain data protection awareness throughout a company. It also illustrates corporate liability following a data protection incident: administrative fines are imposed on companies, not on their unruly employees. Rather than paying 35.3 million euros to the authorities, companies may want to invest a fraction of this sum in training. It pays off.
