German regulator imposes €35 million fine on H&M for violation of employee privacy

23 Dec 2020

Aimée Peterse, Ilse Baijens

On 1 October, one of the German privacy authorities (Hamburg) imposed a fine of €35 million on fashion chain H&M for systematically violating the General Data Protection Regulation (GDPR). The decision can be found here.

Why did H&M receive such a hefty fine?

At H&M's service centre in Nuremberg, a so-called 'Welcome Back Talk' had been organised since 2014 whenever employees returned after a period of sickness, holiday or simply time off work. During these talks, employees were asked about symptoms of illness and diagnoses, or about what they had done during their absence. Managers also kept notes on family circumstances or religious beliefs. This data was stored on an online network drive that was accessible to 50 other managers. Whenever there were new developments in an employee's private life, the online notes were updated, and they were used in employee appraisals and evaluations.

The existence and content of the notes became known following a configuration error in 2019 that for a number of hours made the data accessible to all employees within the company. After the German privacy authority was informed, H&M had to transfer all data from the network disk (measuring no less than 60 GB) to the privacy authority.

The privacy authority then came to the conclusion that H&M's employees had been monitored for years and that H&M was systematically processing sensitive personal data in the process. In other words, this was not just a matter of careless processing, but serious, deliberate violations of the fundamental principles of the right to data protection. That is why, according to the German privacy authority, a fine of €35 million is appropriate here. Never before has such a high fine been imposed in Germany for a GDPR infringement. In this context, we refer to the article that our German Ius Laboris colleague Jessica Jacobi, a partner at KLIEMT, wrote about the case.

What does this mean for you as an employer?

In the Netherlands, the GDPR and the GDPR Implementation Act prohibit the processing of data on health, racial or ethnic origin, political opinions, religion or biometric data. Only where an explicit legal exception applies is it permitted to process such sensitive personal data. Earlier this year, the Dutch privacy authority also put a stop to the processing of fingerprints (biometric data of employees) in the absence of a legal basis and imposed a fine of €725,000 on Manfield. See the website of the Dutch privacy authority for more information on this.

Therefore, as an employer, make sure that you do not process any sensitive personal data without the relevant legal basis to do so.