H&M penalized for spying on employees: Will pay one of the highest GDPR fines

By Rahul Vaimal, Associate Editor

Swedish multinational clothing-retail chain Hennes & Mauritz AB (widely known as H&M) has been fined more than $41 million by the German data protection authorities for illegally surveilling its own employees.

German authorities imposed the biggest fine since the latest data-protection legislation came into force two years ago, after finding that superiors at H&M’s Nuremberg service center went too far in their pursuit of information about their employees and collected quite personal details ranging from “trivial individual information to family problems and religious beliefs.”

A statement also said that they recorded and maintained digital copies of detailed “symptoms of illness and diagnoses.”

Hamburg Commissioner for Data Protection Johannes Caspar gave an update on the situation, stating: “The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees.”

Authorities observed that superiors at the service center organized “welcome back” talks for employees who returned from illnesses or holidays. As many as 50 managers in the organization were able to access all documented information, such as symptoms and diagnoses of illnesses as well as holiday experiences.

“The combination of researching their private lives and the ongoing recording of the activities they were engaged in led to a particularly intrusive violation of the rights of those affected,” the authority said.

The intrusive surveillance, which is believed to have been going on since at least 2014, came to light when a computer error in October 2019 made the collected data accessible to everyone within the company for a few hours.

H&M declared they would “carefully examine the decision”, adding that “practices in the processing of employee data in Nuremberg were incompatible with H&M’s policies and instructions.”

“After the incident was discovered and reported, H&M immediately initiated far-reaching measures at the Nuremberg service center,” the Swedish clothing-retail chain stated.

“H&M takes full responsibility and would like to express an unconditional apology to the Nuremberg employees.”

The penalty is one of the highest in Europe linked to the European Union’s data protection rules, known as GDPR.

The law, implemented in 2018, says that individuals must explicitly grant permission for their data to be used, and allows fines to be imposed on companies worth four percent of their worldwide annual revenue.