
Clothing Retailer H&M Told to Wear $41 Million GDPR Fine

Employee Surveillance Violations Trigger Germany's Biggest Privacy Fine to Date

Privacy regulators in Germany have slammed the world's second-largest clothing retailer, H&M, with a €35.2 million ($41.4 million) fine for violating EU privacy laws.


The fine, issued by the Hamburg Data Protection Authority - aka HmbBfDI - under the EU's General Data Protection Regulation, represents the largest privacy fine ever issued by a German regulator. It centers on illegal workplace surveillance at a service center in Nuremberg.

This is the second-largest fine to be levied against a single organization for violating GDPR. Last year, France's privacy regulator, CNIL, hit Google with a fine of €50 million ($59 million) for failing to clearly and transparently inform users about how it handles their personal data, and for failing to properly obtain their consent for personalized ads.

Stockholm-based Hennes & Mauritz AB - better known as H&M - operates 5,000 stores across 74 countries and employs 126,000 people.

"H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg," the company said in response to the German regulator's decision, adding that it "will now review this decision carefully."

The news of the fine in Germany comes as H&M has announced that over the next year, it plans to close 250 stores - or about 5% of its locations - due to the ongoing COVID-19 pandemic leading more people to shop online.

The fine levied by the German regional data protection authority comes after a long-running investigation into employee-monitoring practices at H&M Hennes & Mauritz Online Shop A.B. & Co KG, a Hamburg-based subsidiary of the clothing giant at which several hundred people are employed.


"This case documents a serious disregard for employee data protection at the H&M site," says Johannes Caspar, Hamburg's commissioner for data protection and freedom of information. "The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees."

The HmbBfDI says that "since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives," with notes being "permanently stored on a network drive." Information included "welcome back talks" with employees, during which details of potential illnesses and symptoms were often recorded by managers and shared with up to 50 other managers inside the company, the HmbBfDI says.

"In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment," the regulator says. "The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees' civil rights."

The processing of employee data came to light in October 2019 after a configuration error made the collected data accessible to everyone inside the service center for several hours.

Security Breach Triggers Investigation

H&M says it "immediately" reported the incident as a security breach to the regulator.

After receiving the security breach notification, Hamburg's privacy regulator launched an investigation, and it immediately ordered the company to freeze the database and provide it with a complete copy of the data, which was 60 GB.

"It is worth remembering that in addition to having the power to levy fines, data protection authorities have the power to do other things under GDPR Article 58, including the power to order a data controller or data processor to provide any information it requires, to obtain from a controller or processor access to all personal data 'and to all information necessary for the performance of its tasks' and the power to access premises and equipment," says Jonathan Armstrong, a partner at London-based law firm Cordery.

(Figure: excerpt of GDPR Article 58, which gives supervisory authorities broad investigative powers.)

The HmbBfDI says H&M fully cooperated with its investigation.

H&M has pledged to financially compensate all employees who have worked for the organization for at least one month since GDPR came into full effect in May 2018.

"This is an unprecedented acknowledgement of corporate responsibility following a data protection incident," the HmbBfDI says.

The H&M Group says that when the inappropriate employee monitoring practices came to light last year, it immediately began instituting changes, including "personnel changes at management level" at the service center, additional training for managers on data protection and labor law, revised HR policies, creating a new "data protection coordinator" role, revising data-retention and data-deletion processes and investing in new technology to better protect data.

"H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority," the company says in a statement. "The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities as well as the company's own high standards."

Pandemic: Employee Monitoring Caution

Although this incident occurred before the COVID-19 pandemic began, Cordery's Armstrong says it's unlikely the regulator would have viewed this situation any differently if it had begun after the outbreak.


"In our view ... it is unlikely that the DPA would have been more sympathetic to the collection of additional data without credible justification, even now," Armstrong says. "More than 40 DPAs have issued specific guidance on the collection of extra data during the pandemic - including health data, data on holiday travel and domestic arrangements - and there's a need for extra caution when processing data like that."

Data protection practices are arguably under more scrutiny now than ever before: the pandemic continues to have a wide-ranging economic impact, driving many organizations to lay off workers and others to weigh new ways of gauging remote workers' productivity.

"[We're] seeing a significant rise in data protection requests and complaints, especially from employees who have been furloughed or let go and so the 2020 situation is likely to be even more challenging than the situation H&M faced in 2019," Armstrong says.

He also cautions organizations to be careful about how they deploy employee monitoring tools - aka productivity tools or bossware - as more employees continue to work from home (see: Barclays Faces Employee Spying Probe).

"We know that these tools are under investigation in at least one case - involving Barclays Bank - and there is a special need for care when processing this type of data," he says.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



