H&M fined by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), over 35M Euro for data protection breaches.
H&M has been fined by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). H&M (Hennes & Mauritz), the popular clothing company, registered in Hamburg with a service center in Nuremberg and stores all over Europe and North America, has become the center of a security breach controversy. This has cost the brand a fine of over 35 million euros, as reported by the EDPB.
H&M interviewed their workforce about their personal lives, recording and storing excessive amounts of personal data.
H&M has been operating this way for more than six years at its service center in Nuremberg. Supervisors interviewed employees extensively about their personal lives, recorded everything, and stored the information on the company's internal network. In particular, after absences such as vacations and sick leave, even short ones, supervisors would hold lengthy conversations called “Welcome Back Talks”, in which they probed every detail of what the employee had done during the absence. The supervisors recorded extensive data, including vacation experiences but also symptoms of illness and diagnoses.
Beyond what was collected during those welcome back talks, supervisors also drew on casual hallway conversations, gathering information that ranged from personal family issues to personal, political and religious beliefs. Some of this information was used to evaluate the employee's development within the workplace as well as their work performance.
This practice, which put the employees’ privacy at great risk, came to light when the data became accessible company-wide for several hours in October 2019 due to a configuration error.
In October 2019, these documents containing personal information on individual employees became accessible company-wide for several hours because of an error in the configuration of the company’s network. This event directly violated the employees’ rights by exposing their personal and private information. The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), having become aware of the data breach through press reports, took up the matter, demanded that the contents of the network drive be frozen and subsequently handed over, and interviewed witnesses to confirm the company’s practices. H&M submitted around 60 gigabytes of data for evaluation.
Following the hefty fine, H&M has taken full responsibility for the incident, apologized and is taking corrective measures.
The company was issued a fine of 35,258,707.95 Euros for the violation. Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, comments: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.” This should also serve as an example to other companies of how to operate and safeguard their employees’ private information if they wish to avoid similar situations.
The company presented HmbBfDI with a comprehensive concept of how data protection is to be implemented at the Nuremberg site from now on. Management has also expressly apologized to those affected and offered employees considerable compensation for the breach. The newly introduced data protection concept includes a newly appointed data protection coordinator, monthly data protection status updates, more actively communicated whistleblower protection and a consistent concept for handling data subjects’ rights of access.
“Data processing should always be subject to the existence of at least one lawful basis of those laid down in Article 6 GDPR. Records on religious beliefs and diagnoses merit even higher protection because they are special categories of data with restricted processing. This fine should serve as an example for other companies, and it shows that no personal data processing is exempt from complying with the data protection regulation, including those operations that are limited to the internal networks,” comments Cristina Contero Almagro, Partner in Aphaia.