H&M's service center in Nuremberg spied on its employees on a massive scale. Now the Swedish clothing retailer has to pay a fine of over 35.3 million euros.
Information on vacation and illness of employees
The fine against Hennes & Mauritz was imposed by the Hamburg data protection officer Johannes Caspar, as the Group has its headquarters there. The fine notice accuses H&M of serious violations of employee data protection at the Nuremberg site. According to data protection officer Caspar, the site’s call center is said to have been keeping “extensive records of private life circumstances” of employees since 2014. The records were even stored on a network drive. Detailed vacation experiences of the employees, as well as symptoms of illness and the corresponding diagnoses, were probably recorded. Supervising team leaders even held a “Welcome Back” talk after illness or vacation.
Furthermore, according to the accusations, information about private life, such as religion and family problems, obtained from superiors was digitally recorded and stored. The responsible persons shared this information with about 50 other managers in the company. According to Caspar, “the records were sometimes made with a high level of detail and updated over time.” With the information obtained, work performance was evaluated and individual profiles for measures were created for the employees on record. “This led to a particularly serious intervention”, said Johannes Caspar.
Configuration errors revealed everything
Since the file was not properly secured, everything was discovered in October 2019. A configuration error made the file viewable by everyone for hours. By order of the data protection officer for Hamburg, the network drive was then “frozen”. He then demanded its release. The data record probably contained almost 60 gigabytes of information about the employees. Subsequently, witnesses were questioned who confirmed the practices at H&M. H&M also saw the violation of employee data protection as a reason to act. In response, the company parted ways with one of its senior executives and created a comprehensive data protection plan to be implemented.
Deterrence through high fines wanted
According to the information received, the amount of the fine is “appropriate and suitable to deter companies from violating the privacy of their employees,” says data protection officer Johannes Caspar. At the same time, Caspar praised “the transparent clarification by those responsible, as well as the guarantee of financial compensation”. Those responsible at H&M thus show respect for the employees concerned.
Highest fine so far
The fine imposed on H&M is the highest ever issued by the regulatory authorities. Since the GDPR (DS-GVO) came into force over two years ago, the record fine had stood at 14.5 million euros. That fine was imposed on the Berlin real estate company Deutsche Wohnen, although the company does not yet want to recognize the decision. H&M is now examining the fine notice in detail and will then decide whether to accept it.
H&M promises improvement and commits itself to complying with the General Data Protection Regulation.