Hamburg: HmbBfDI fines H&M €35.3M for unlawful employee monitoring
The Hamburg State Commissioner for Data Protection and Freedom of Information ('HmbBfDI') announced, on 1 October 2020, that it had fined H&M Hennes & Mauritz Online Shop A.B. & Co. KG €35.3 million for the unlawful monitoring of employees in the H&M service centre. In particular, the HmbBfDI highlighted that H&M, which has its headquarters in Hamburg, runs a service centre in Nuremberg where, since at least 2014, extensive records of personal information on the living circumstances of some employees have been kept permanently. In addition, the HmbBfDI noted that even after short absences of employees, team leads conducted 'Welcome Back Talks' in which, in several cases, concrete holiday experiences as well as diagnoses of diseases and symptoms were recorded. Furthermore, the HmbBfDI outlined that several supervisors acquired detailed knowledge about the private lives of their employees through individual talks and informal corridor talks, from harmless details to family problems and religious confessions.
Moreover, the HmbBfDI added that collected information was partly recorded, digitally stored, and accessible to up to 50 further managers, also noting that some of the records were kept with a high level of detail and organised chronologically, amounting to a particularly intensive interference with the rights of the employees. Furthermore, the HmbBfDI stated that the recorded personal information was used to assess individual performance at work and to create profiles of employees that could be used with regard to measures and decisions affecting the employment relationship. The HmbBfDI also stated that the data collection became known due to a configuration error that made records accessible across the company for two hours in October 2019.
Consequently, the HmbBfDI stated that as a response to the violations, the company management presented a comprehensive concept on how data protection should be implemented at the Nuremberg office in the future, including a newly appointed data protection officer, and monthly data protection status updates. Finally, the company management apologised to the affected data subjects and agreed to pay the employees a considerable amount of damages, noting that H&M's response constitutes an unprecedented commitment to corporate responsibility after a data protection violation.
You can read the press release, only available in German, here.
UPDATE (2 October 2020)
H&M announces measures to improve data protection
H&M issued, on 1 October 2020, a statement announcing the measures it will take to improve data protection internally. In particular, H&M stated that there will be staff changes at manager level in the Nuremberg service centre, and that managers will get additional training with regard to data protection and labour law. Further measures will include new roles with specific competencies with regard to assessing, investigating, and increasing privacy processes, improved processes to delete personal data, as well as increased IT measures that include data protection. Finally, H&M announced that employees who are working or have been working at the Nuremberg service centre for at least one month since the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') will receive compensation.
You can read the statement, only available in German, here.