Major retailer H&M fined €35.3 million for breach of GDPR.
H&M, which has its headquarters in Hamburg, runs a service centre in Nuremberg where, since at least 2014, extensive records of personal information on the living circumstances of some employees have been kept permanently.
In addition, even after short absences, team leads conducted ‘Welcome Back Talks’ with employees in which, in several cases, holiday experiences as well as diagnoses of diseases and symptoms were recorded.
Furthermore, several H&M supervisors acquired detailed knowledge about the private lives of their employees through individual talks and informal corridor talks, ranging from harmless details to family problems and religious confessions.
The collected information, which was accessible to up to 50 further managers, was used to assess individual performance at work and to create profiles of employees that could be used with regard to measures and decisions affecting the employment relationship.
In response to these breaches of the GDPR, the company management presented a comprehensive concept for how data protection should be implemented at the Nuremberg office in the future, including a newly appointed data protection officer (DPO) and monthly data protection status updates.
The extraordinary facts of this case are matched by its consequences, the major retailer having been fined €35.3 million: H&M have apologised to the affected employees and agreed to pay them “a considerable amount of (undisclosed) damages”. This is an unprecedented commitment to corporate responsibility following a data protection breach.