Recently, a data protection regulator in Germany fined the retail giant H&M €35.3 million (£32 million) ($40 million) – the second biggest fine under the GDPR to date. What did H&M do to deserve such an eye-watering fine? Did they lose a lot of personal data? No! Were they hacked? No! In fact, this wasn’t about a data security breach at all – it was for the excessive and unlawful collection of employee data.
The regulator discovered that H&M had been collecting and maintaining excessive details about employees’ private lives since 2014. What was happening was that after absences from work, e.g. for holidays and sick leave, supervising team leaders conducted so-called ‘Welcome Back Talks’ with employees.
After these talks, comprehensive details of the employee’s holiday or (in the case of sickness absence) illness and diagnosis would be recorded. In addition, some supervisors recorded details of family issues and religious beliefs obtained through casual and informal conversations with employees, including chats in corridors. The recorded information, about 60 gigabytes of data, was made accessible to up to 50 managers throughout the company.
This all came to light when a configuration error meant that the data became accessible company-wide for several hours, as a result of which the press became aware and the regulator was informed.
The GDPR applies to the processing of an individual’s personal data for business purposes. That individual can be anyone – including an employee. In this instance, H&M were processing personal data relating to employees and using it to create a detailed profile of individual employees and sometimes to make employment-related decisions – all without the employees realising it.
Data protection is about ensuring people can trust that their personal data will be used fairly and responsibly. That isn’t ‘just’ a noble aim – it’s the law. The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
As the ICO says “These principles should lie at the heart of [any organisation’s] approach to processing personal data”. Compliance with these principles is a fundamental building block for good data protection practice. It is also key to compliance with the detailed provisions of the GDPR.
Fairness and transparency mean that personal data must be used in a way that is not unduly detrimental, unexpected or misleading to the individuals concerned. It also means that those individuals have the right to be informed about the collection and use of their personal data.
But H&M did the exact opposite. Why? Although it’s a matter of speculation, it seems it may be because the individuals concerned were employees. Unfortunately, many organisations seem to think that, when it comes to data protection, employees are ‘second class citizens’ – they are being paid by an employer, so why shouldn’t that employer be able to do more or less what it wants with their personal information in the context of the workplace?
This decision has several ‘takeaways’ for employers, including:
- Significant fines are not only reserved for security incidents;
- Make sure that your HR personnel are properly trained in data protection issues;
- Respect the privacy of your employees
Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.