*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

What can we learn from the H&M GDPR fine?


Recently, a data protection regulator in Germany fined the retail giant H&M €35.3 million (£32 million) ($40 million) – the second biggest fine under the GDPR to date. What did H&M do to deserve such an eye-watering fine? Did they lose a lot of personal data? No! Were they hacked? No! In fact, this wasn’t about a data security breach at all – it was for the excessive and unlawful collection of employee data.

The regulator discovered that H&M had been collecting and maintaining excessive details about employees’ private lives since 2014. What was happening was that after absences from work, e.g. for holidays and sick leave, supervising team leaders conducted so-called ‘Welcome Back Talks’ with employees.

After these talks, comprehensive details of the employee’s holiday or, (in the case of sickness absence), illness and diagnosis, would be recorded. In addition, some supervisors recorded details of family issues and religious beliefs obtained through casual and informal conversations with employees, including chats in corridors. The recorded information, about 60 gigabytes worth of data, was made accessible to up to 50 managers throughout the company.

This all came to light when a configuration error meant that the data became accessible company-wide for several hours, as a result of which the press became aware and the regulator was informed.

The GDPR applies to the processing of an individual’s personal data for business purposes. That individual can be anyone – including an employee. In this instance, H&M were processing personal data relating to employees and using it to create a detailed profile of individual employees and sometimes to make employment-related decisions – all without the employees realising it.

Data protection is about ensuring people can trust their personal data will be used data fairly and responsibly. That isn’t ‘just’ a noble aim – it’s the law. The GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

As the ICO says “These principles should lie at the heart of [any organisation’s] approach to processing personal data”. Compliance with these principles is a fundamental building block for good data protection practice. It is also key to compliance with the detailed provisions of the GDPR.

Fairness and transparency mean that personal data must be used in a way that is not unduly detrimental, unexpected or misleading to the individuals concerned. It also means that those individuals have the right to be informed about the collection and use of their personal data.

But H&M did the exact opposite. Why? Although it’s a matter of speculation, it seems it may be because the individuals concerned were employees. Unfortunately, many organisations seem to think that, when it comes to data protection, employees are ‘second class citizens’ – they are being paid by an employer, so why shouldn’t that employer be able to do more or less what it wants with their personal information in the context of the workplace?

This decision has several ‘takeaways’ for employers, including:

  • Significant fines are not only reserved for security incidents;
  • Make sure that your HR personnel are properly trained in data protection issues;
  • Respect the privacy of your employees

Robert Wassall

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group