H&M has breached several basic principles of the GDPR for which it is responsible as a data handler:
1) the principle of lawfulness, fairness, and transparency,
2) purpose limitation,
3) data minimization,
4) storage limitation.
The same principles (among other things) are prescribed by the Law on Personal Data Protection, which applies to employers in Serbia.
Although in this case the fine was issued to H&M specifically, this company's problematic practices are not an isolated instance. Many other employers certainly breach the regulations on employee data protection in their established practice. Breaches often arise from the use of new technology and social media, and the unlawful activities most frequently seen in practice are the following:
- failure to duly notify employees of all forms of personal data processing,
- unlawful monitoring of employees' official e-mails and of the internet pages employees visit during work hours,
- recording of phone conversations made from the official phone,
- misuse of BYOD (Bring Your Own Device) policies,
- video surveillance in the workplace without a legitimate legal basis, or without the prescribed documentation that must accompany this kind of surveillance,
- improper application of the legal provisions on employees' consent to the collection and processing of their personal data,
- excessive collection of job applicants' personal data (so-called “background checks”).
Being insufficiently informed about personal data protection in the workplace can lead to violations of employee rights. It is therefore necessary to inform oneself in time, in order to avoid H&M's unfortunate fate.
A few of the basic obligations of employers are:
- Data mapping – identifying all types of data being processed and the purpose of each processing activity, and establishing the legal basis for that processing.
- A complete review of potentially problematic data processing, and adapting existing procedures or introducing new ones.
- Adequate notification of employees about the data being collected, the manner of processing, the purpose, the legal basis, the data retention period, the parties with whom the data is shared, and all other mandatory information.
- Periodically organizing training for HR and management staff on compliance with the Law on Personal Data Protection.
- Establishing strict rules on controlling access to employee personal data.
- Clearly distinguishing employees' private activities from business ones.
Employers must bear in mind that the COVID-19 pandemic does not permit them to limit the right to privacy or to ignore their obligations under the Law, as we have previously written.
Ultimately, personal data protection must become one of the essential principles on which every employer's company rests. Besides the multiple consequences we analyzed in detail in our blog post “Violation of the Law on Personal Data Protection in Serbia – 5 consequences”, building a successful company that hires a qualified and ambitious team does not go hand in hand with gross violations of employee rights.