H&M Hit with a Hefty GDPR Fine – Cautionary Tale about Employee Monitoring

Our experience so far has shown that many employers collect an overwhelming amount of employee personal data and that their activities often violate the principles of personal data protection. Employers are frequently indifferent to the legal provisions on employee data protection and fail to meet even their basic obligations; this usually goes unnoticed, because employees are not informed well enough to recognise it.

The fashion retailer H&M (Hennes & Mauritz) made a costly mistake by violating its employees' right to privacy. At the beginning of October the Hamburg Commissioner for Data Protection and Freedom of Information (hereinafter: the Commissioner) fined H&M for the unlawful collection of employee personal data. The fine of 35.3 million euros is the second-largest fine issued for a breach of the GDPR, behind only the fine issued to Google in 2019, about which we have previously written.

This example should serve as a cautionary tale for employers in Serbia: the Law on Personal Data Protection has applied since August 2019 and is to a great extent a replica of the EU General Data Protection Regulation (GDPR). The new Law sets a high standard of personal data protection which all employers must adhere to in relation to the data they collect from employees, the same standard that applies to employers in the EU (i.e. the EEA [1]). If domestic employers repeat H&M's mistakes or neglect the obligations prescribed by the Law, the result will be sanctions against the company and damage to its reputation.

Since it is better to learn from the mistakes of others, we believe the situation H&M is now dealing with teaches employers in Serbia an important lesson.

H&M’s violation of GDPR in Germany

What employee data did H&M collect?

The results of the Commissioner's investigation are dismaying. It was confirmed that, over a period of years, H&M had collected extensive personal data on hundreds of employees at its service centre in Nuremberg. The company kept records of employees' private lives in its database: family status, religious beliefs, holidays, and even illness histories and diagnoses. Not even details of their travels or symptoms of illness went unrecorded; they were noted 'just in case'. Some of these records were kept continuously and updated from time to time with new information as the living situations of particular employees changed.

The information was most often collected during so-called 'welcome back talks', organised by managers when an employee returned from sick leave or annual leave. Employees also shared a great deal of personal information about themselves and their families in everyday small talk with their superiors, without being aware that this information was being written down and stored electronically on H&M's cloud server. Over 50 managers within the company had access to these records.

How was it established what data H&M collects?

The unlawful practices of the world's second-largest clothing retailer came to light in October 2019, when a configuration error in H&M's system left the data publicly accessible for several hours. After learning that confidential information had been exposed, the Commissioner ordered the company's electronic database to be 'frozen' and demanded that all information in it be handed over for analysis. The analysis of the more than 60 gigabytes of data delivered took almost a year, and it concluded that H&M had kept extensive records of its employees' private lives since 2014, gravely invading their privacy. The lesson for employers is twofold: a single misconfiguration can expose everything an organisation has stored, and once the regulator examines what was exposed, the question becomes whether the data should have been collected at all.

Still, it is easy to imagine H&M's wrongdoing becoming public in a different way. Employees who know about an employer's unlawful actions often disclose that information to the competent authorities (as whistleblowers) or seek protection of their rights in court (as plaintiffs). Not long ago, the Labour Court of Düsseldorf ordered an employer to pay an employee 5,000 euros for its delay and failure to grant the employee access to their personal data in accordance with the GDPR. [2]

How has H&M used employee personal data?

Based on the personal information acquired over time, H&M executives produced extensive work evaluations and profiles of individual employees. Most alarmingly, this data directly influenced decisions about their employment relationships and potentially led to measures being taken against particular employees.

What are the consequences that H&M shall bear?

In its official press release, the Hamburg Commissioner stated that the collection of employee personal data, together with its documentation and retention, represents a serious invasion of the rights of the persons to whom the data refers. According to the Commissioner, the H&M case is an unprecedented example of corporate conduct that resulted in a personal data protection incident.

The Commissioner considers the fine adequate and proportionate, and intends it to deter companies from breaching the GDPR in the same way in the future.

Alongside the fine, H&M received comprehensive instructions from the Commissioner on the additional steps it must take to bring its business into line with the GDPR.

In addition to those instructions, the company's new data protection concept includes:

  • replacement of personnel in executive positions,
  • additional employee training in the field of personal data protection,
  • revision of internal data protection policies and upgrades to the IT systems the company uses, all with the purpose of underlining the importance of collecting and storing personal data properly.

Additionally, the changes within the company shall include:

Beyond all the consequences listed, the damage to H&M's reputation, among employees as well as consumers, is already immense.

On its website, H&M has publicly accepted responsibility for the unlawful conduct and announced the specific actions it has taken in response. H&M has shown that it understands the seriousness of the situation and has accepted the Commissioner's instruction to compensate all employees who have worked at H&M for at least a month since May 2018, when the GDPR came into force.

What is the lesson for employers in Serbia?

H&M breached several basic principles of the GDPR, for which it is responsible as a data controller:

1) the principle of lawfulness, fairness, and transparency,

2) purpose limitation,

3) data minimization,

4) storage limitation.

The same principles (among others) are prescribed by the Law on Personal Data Protection, which applies to employers in Serbia.

Although in this case the fine was issued to H&M specifically, its problematic practices are not an isolated instance. Many other employers undoubtedly breach employee data protection rules in their established practice. Breaches often arise from the use of new technology and social media, and the unlawful activities most frequently seen in practice are the following:

  • failure to duly notify employees of all the ways in which their personal data is processed,
  • unlawful monitoring of employees' work e-mail and of the websites employees visit during working hours,
  • recording phone conversations made from the work phone,
  • misuse of a BYOD (Bring Your Own Device) policy,
  • video surveillance in the workplace without a legitimate legal basis, or without the prescribed documentation that must accompany such surveillance,
  • improper application of the legal provisions on employee consent to the collection and processing of their personal data,
  • excessive collection of personal data about job applicants (so-called "background checks").

An employer that is not well informed about personal data protection in the workplace will sooner or later violate employee rights. It is therefore necessary to become informed in time, in order to avoid H&M's unfortunate fate.

A few of the basic obligations of employers are:

  • Data mapping: identifying all types of data being processed and the purpose of the processing, and establishing the legal basis for each processing activity.
  • A complete review of potentially problematic data processing and the adaptation or introduction of procedures.
  • Adequate notification of employees about the data being collected, the manner and purpose of processing, the legal basis, the retention period, the parties with whom the data is shared, and all other mandatory information.
  • Periodic training of HR and management staff on compliance with the Law on Personal Data Protection.
  • Strict rules on access to employee personal data, so that only those who need a given record for a lawful purpose can read it.
  • A clear separation of employees' private activities from business ones.

Employers must bear in mind that the COVID-19 pandemic does not permit them to restrict the right to privacy or to ignore their obligations under the Law, about which we have previously written.

In the end, personal data protection must become one of the essential principles on which every employer's business rests. Quite apart from the consequences we analysed in detail in our blog "Violation of the Law on Personal Data Protection in Serbia – 5 consequences", building a successful company with a qualified and ambitious team is not compatible with gross violations of employee rights.

[1] To clarify, the GDPR applies to the 28 Member States of the EU, but also to the other members of the European Economic Area (EEA): Iceland, Norway, and Liechtenstein.
[2] Labour Court of Düsseldorf, Decision no. 9 Ca 6557/18.
