H&M Hit With € 35.3 Million GDPR Fine for Unlawful Employee Monitoring

The German data protection authority hit clothing retailer Hennes & Mauritz (H&M) with a multi-million dollar fine for its handling of employee data. Since at least 2014, H&M has been collecting privacy-sensitive information from employees who worked at the H&M service center in Nuremberg. Dozens of managers also had access to this information. The privacy violation became known in October 2019 due to a configuration error. The IT glitch made records accessible across the company for approximately two hours.

H&M Collected Extensive Information About Employees’ Private Lives

If you are an employee, it goes without saying that you share certain personal data with your employer. For example, your name, telephone number, residential address, social security number, and bank account number. After all, your employer needs this information to establish your identity, communicate with you, and transfer your monthly salary.

H&M’s service center in Nuremberg, however, went one giant step further. In addition to these basic details, the branch collected very intimate and personal data from its employees, including extensive information about their private lives. During “Welcome Back Talks” after periods of sick leave or vacation, for example, H&M questioned employees about their health problems, medical history, family issues, and religious beliefs. The branch has been doing this since at least 2014.

Detailed information from hundreds of employees was digitally processed and stored on hard drives, totaling about 60GB of data. Dozens of managers also had free access to this information. According to Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, the recordings were sometimes very detailed and kept over greater periods of time, documenting the development of certain issues.

“Our Guidelines Have Not Been Followed”

“This case documents a serious disregard for employee data protection at the H&M site in Nuremberg”, Johannes Caspar said in a press release published on Friday. Due to the seriousness of the violation, the regulator imposed a fine of € 35.3 million ($41.4 million). The fine amount is justified, according to the commissioner. He hopes this will deter other companies and stop them from violating the privacy of their employees.

H&M acknowledges that it has fallen short. Helena Helmersson, CEO of the Swedish fashion chain, told Bloomberg that it is “very clear that the guidelines have not been followed”. She also confirmed that H&M has taken “a number of measures” to prevent a recurrence. H&M is in contact with the privacy watchdog and the penalty is being discussed internally, suggesting H&M may appeal the decision.

The fine against H&M is the biggest so far in Germany and among the largest ever under the new GDPR rules (max. fine of €20 million or 4% of annual global turnover). In January, the French data regulator CNIL fined Google € 50 million ($57 million) for breaching the EU’s data protection rules. British Airways is facing a £183.4 million ($230 million) fine, or 1.5% of its 2017 worldwide turnover, proposed by the UK’s Information Commissioner’s Office (ICO) over the theft of customers’ data.

Going Through Tough Times, 250 Stores to Close Their Doors

Last week, H&M presented the financial results for the third quarter. And they weren’t that great. Turnover fell by 16% in the past three months to €4.8 billion. Profits plummeted in the same period by almost 53% from €363 million to €172 million. The GDPR fine was also included in the quarterly figures.

The Covid-19 situation has seriously affected H&M. Due to the global pandemic, the fashion chain had to temporarily close nearly 80% of its stores in most markets. To keep costs down, H&M will permanently close 250 stores (approx. 5% of its stores). This unfortunately means that there will be forced redundancies. Worldwide, H&M has more than 125,000 employees.

There is one bright spot: more and more consumers are shopping online. Online sales rose 27% in the third quarter. Approximately 26% of the group’s total sales are realized online. H&M is therefore fully committed to its webshop. H&M was launched on the e-commerce platform SSG.COM in South Korea, and Australia is scheduled to become a new online market towards the end of 2020.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using VPNOverview.com's dedicated VPN testing protocol that has been finetuned and optimized over the years.