The Hamburg Commissioner for Data Protection and Freedom of Information imposed a 35.3 million euro fine on H&M for unlawful HR data processing carried out in its Service Center based in Nuremberg.
Indeed, the Authority discovered that the management team carried out very intrusive monitoring activities on hundreds of employees working in the H&M Service Center in Nuremberg.
The revelation of these activities was due to a configuration error, which made the data available company-wide for several hours in October 2019.
Despite H&M offering compensation to the concerned employees and implementing corrective measures to become GDPR compliant, the Authority upheld the multi-million fine.
This decision is, therefore, a reminder that organisations’ GDPR compliance programmes should also cover HR activities and not only the customer side. In practice, in large companies, many issues stem from HR and from complaints by employees or former employees.
The Context
In October 2019, a configuration error made HR data available company-wide and revealed that the management had been carrying out very intrusive monitoring activities on employees.
According to the Hamburg Authority, which conducted an investigation, it appears that since at least 2014 the company had held extensive records about its employees’ private lives. The company kept the corresponding notes on a network drive.
The management team mainly collected the information during what the company called Welcome Back Talks, held after an employee’s absence of any kind, such as holidays or sick leave (including short ones). These Welcome Back Talks enabled the company to record details of holidays, symptoms of illness and diagnoses.
Besides these formal talks, some supervisors digitally recorded details of their employees’ private lives heard during informal personal or floor talks with them. The type of information collected informally could include family issues or religious beliefs. In some cases, it was very detailed, and long periods of time were covered to document the development of any identified issues.
These records were used to evaluate work performance and to make decisions regarding the employees’ employment.
Procedure
Following the unintended company-wide disclosure of the HR records for several hours in October 2019, the Hamburg Commissioner became aware of the company’s activities through press reports.
Once aware, the Authority ordered the contents of the network drive to be “frozen” and handed over. It also interviewed numerous witnesses to confirm the practices.
Compensation / corrective measures
The persons responsible for these practices took various corrective measures, such as presenting a plan for the implementation of data protection in the Nuremberg service centre going forward. This plan includes a newly appointed data protection coordinator, monthly data protection status updates, more widely communicated whistleblower protection, and a consistent concept for handling data subjects’ rights of access.
In addition, the company management apologised to those affected and offered to pay the employees considerable compensation.
Despite the compensation and the data protection plan proposed by the H&M management, the supervisory authority imposed a fine of €35.3 M on H&M.