Menu Search through site content What are you looking for?
Menu

The fashion retailer H&M was fined over €35 million by a German data protection authority for data protection violations in a service centre

  • 2 October 2020 2 October 2020
  • UK & Europe

The fashion retailer H&M was fined over €35 million by a German data protection authority for data protection violations in a service centre

The cause for the fine was the monitoring of several hundred employees of the H&M Service Centre in Nuremberg by the Centre management. Since at least 2014, some of the employees have been subject to extensive recording of their private life circumstances. For example, after vacation and sick leave, the senior staff conducted a so-called "Welcome Back Talk" with the employees. In this way, information on symptoms and diagnoses of illness was obtained and stored. In some cases, these recordings were very detailed, updated on an ongoing basis, and enriched with other known information about employees' private lives, eg regarding known family problems or religious beliefs. This notes were accessible to up 50 other managers throughout the company. Among other things, the data was used to obtain a profile of the employees for measures and decisions in the employment relationship. 

In the opinion of the data protection authorities, the combination of researching their private lives and the ongoing recording of what they were doing led to a particularly intensive encroachment on the rights of those affected. Against this background, the Hamburg Commissioner for Data Protection issued a fine of €35,258,707.95 which seems to be based on violations of art. 5 and 6 GDPR for the violation of which the highest threat of fines under art. 83 para. 5 GDPR applies. As a mitigating circumstance for the fine, the authority has taken into account that during the data protection proceedings and the processing of the events, the company management expressly apologized to those affected and paid the employees a considerable amount of compensation. In addition, a new data protection concept was introduced and further data protection measures implemented.

The amount of the fine, apparently calculated to the cent, indicates that the calculation of the fine was based on the calculation concept developed by the German data protection authorities for the calculation of GDPR fines. According to this concept, five steps are necessary to calculate a fine. The starting point for the calculation of the fine is the turnover of a company and certain factors that are intended to determine the severity of the infringement. According to our observation, the introduction of this concept has led to higher penalties being imposed in Germany as a matter of principle, at least for companies with high annual sales. Even though this is currently only a purely German concept, it has been introduced and discussed at a European level as part of the harmonization efforts. It remains to be seen whether this or a comparable approach will also become established at European level in the other member states. As far as can be seen, a similar approach already exists in the Netherlands.

The H&M matter further underlines the trend that data protection violations (whether negligent or intentional) are now also punished by the German data protection authorities with severe fines. It remains to be seen whether the fine will be imposed finally or whether H&M will appeal against it.

End

Stay up to date with Clyde & Co

Sign up to receive email updates straight to your inbox!