HmbBfDI (Hamburg) - H&M

From GDPRhub
Authority: HmbBfDI (Hamburg)
Jurisdiction: Germany
Relevant Law: Article 5 GDPR, Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 01.10.2020
Fine: 35258708 EUR
Parties: H&M Hennes & Mauritz Online Shop A.B. & Co. KG
National Case Number/Name: H&M
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): German
Original Source: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (in DE)
Initial Contributor: n/a

The Hamburg Data Protection Authority (HmbBfDI) fined H&M €35,258,708 for recording data about employees' private lives, making it readable by up to 50 managers, and using it for decisions in the employment relationship.

English Summary

Facts

H&M, headquartered in Hamburg, operates a service centre in Nuremberg. Since at least 2014, details of employees' private circumstances had been extensively recorded and stored there. For example, after an absence due to illness or holiday, the responsible team leader held a "Welcome Back Talk", after which detailed notes, including symptoms of illness and diagnoses, were written down and stored. Some supervisors also recorded information picked up in one-on-one and corridor conversations, ranging from family problems to religious beliefs, on a network drive that could be read by up to 50 other managers in the company. The data was used to evaluate individual work performance and to build a profile of each employee for measures and decisions in the employment relationship.

The data collection came to light in October 2019 when, owing to a configuration error, the contents of the network drive were readable company-wide for several hours. The exposure was the trigger for the investigation, but the violation found was the collection and use of the data itself, not only the misconfiguration that revealed it.

Dispute

What data had been collected and stored about the employees of the Nuremberg service centre, and whether that processing was lawful under Articles 5 and 6 GDPR.

Holding

The HmbBfDI fined H&M €35,258,707.95 for recording data about employees' private lives, making it available to up to 50 managers and using it for decisions in the employment relationship. In response to the findings, H&M introduced corrective measures at the Nuremberg site, apologised to those affected and, following the authority's suggestion, paid them compensation.

Comment

This summary is based on the HmbBfDI press release of 1 October 2020, not on the full text of the fining decision.


English Machine Translation of the Decision

The text below is a machine translation of the German press release. Please refer to the German original for details.

35.3 million Euro fine for data protection violations in H&M's service centre
01.10.2020 - H&M

In the case of the monitoring of several hundred employees of the H&M service centre in Nuremberg by the centre management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 euros against H&M Hennes & Mauritz Online Shop A.B. & Co. KG.

The company is based in Hamburg and operates a service centre in Nuremberg. Since at least 2014, some of the employees had been subject to extensive recording of their private circumstances. The corresponding notes were stored permanently on a network drive. After holiday and sick leave, even short absences, the supervising team leaders conducted a so-called Welcome Back Talk. After these talks, in many cases not only the employees' concrete holiday experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired broad knowledge of their employees' private lives through one-on-one and corridor conversations, ranging from rather harmless details to family problems and religious beliefs. These findings were partly recorded, stored digitally and in some cases readable by up to 50 other managers across the company. The records were sometimes very detailed and were updated over time. Besides a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to build a profile of the employees for measures and decisions in the employment relationship. The combination of researching their private lives and continuously recording their activities amounted to a particularly intensive interference with the rights of those affected.

The data collection became known when, as a result of a configuration error, the notes were accessible company-wide for a few hours in October 2019. After the Hamburg Commissioner for Data Protection and Freedom of Information learned of the data collection from press reports, he first ordered the contents of the network drive to be completely "frozen" and then demanded that they be handed over. The company complied and submitted a data set of around 60 gigabytes for evaluation. After analysis of the data, interviews with numerous witnesses confirmed the documented practices.

The discovery of the serious violations prompted those responsible to take various remedial measures. The HmbBfDI was presented with a comprehensive concept for how data protection is to be implemented at the Nuremberg site from now on. To come to terms with past events, management not only expressly apologised to those affected, but also followed the suggestion to pay the employees a considerable amount of compensation without bureaucratic hurdles. In this respect it is an unprecedented acknowledgement of corporate responsibility following a data protection violation. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, more strongly communicated whistleblower protection and a consistent information concept.

Prof. Dr. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, comments: "The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees.

Management's efforts to compensate those affected on site and to restore confidence in the company as an employer are to be seen in a very positive light. The transparent information provided by those responsible and the guarantee of financial compensation show the will to give those affected the respect and appreciation they deserve as dependent employees in their daily work for their company.