On 2nd October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DP Commissioner) imposed a 35.3 million Euro fine on H&M Hennes & Mauritz for serious breaches of the General Data Protection Regulation (GDPR) at its service centre in Nuremberg. Specifically, the breaches related to the covert and extensive monitoring of the personal information of several hundred employees.
The Hamburg DP Commissioner is one of the 16 state Data Protection Commissioners in Germany. Details of the infringement and the fine were posted on the European Data Protection Board’s news feed.
H&M had been collecting and recording extensive information about the private lives of its employees since at least 2014. The information was collected by supervisors during “Welcome Back Talks”, which took place with employees after absences due to holidays or sickness, even after relatively short absences. Notes of the meetings were stored on a network drive. These included details of the employee’s vacation experiences, or details of their symptoms of illness and diagnosis if they had been taking sick leave. In some cases, supervisors had even obtained and recorded broader information about employees’ private lives, such as details of family issues and religious beliefs. Some of the information was highly detailed and was recorded over extensive periods of time, documenting the development of issues.
The information was digitally stored and partly readable by up to fifty other managers throughout the company. The company used this information to meticulously evaluate individual work performance and to obtain a detailed profile of employees for measures and decisions regarding their employment.
Employees were unaware that all this was happening until the data became accessible company-wide for several hours in October 2019 due to a configuration error.
The Hamburg Data Protection Commissioner became aware of this from press reports.
His first action was to order the company to “freeze” the network drive and then hand it over. The company submitted a data record of around 60 gigabytes for evaluation. Evidence from numerous witnesses confirmed the practice of collecting and recording this data.
The Breaches and the Fine
The details of this case are quite shocking, both in terms of the volume and type of information that was collected and recorded; the way in which it was done covertly; and the fact that the company used the information to evaluate its employees. The collection and recording of such ‘private information’ for monitoring purposes certainly breached the first three data protection principles in GDPR Article 5. The employees were not aware this was happening, so this was clearly neither fair nor transparent, and they were therefore unable to exercise any rights in respect of this data. It is difficult to see what legal basis the company could have used to collect much of this information under both Articles 6 and 9 (the latter for the Special Category Data that was involved). The company collected far more information than was necessary and for much longer than necessary. It also appears that the company was conducting profiling of employees without the employees’ knowledge, thus preventing them from exercising their rights under GDPR Article 22. There was no lawful basis for sharing very private personal information with over 50 managers. In addition, the activities of the company almost certainly breached the employees’ rights under Article 8 of the European Convention on Human Rights.
As the Hamburg Commissioner stated, this was a case of a serious disregard for the rights of the company’s employees.
What steps does H&M have to take now?
Based on the information reported by the European Data Protection Board, it appears that the company has put forward a comprehensive plan of how it will take corrective action. The steps include the appointment of a “data protection coordinator” (it is unclear whether this is to be a Data Protection Officer), monthly data protection status updates and more protection for whistle-blowers. This seems to suggest the plan has come from the company rather than the Commissioner, and it is not clear whether the Commissioner has used his regulatory powers to enforce it. In the UK, the Information Commissioner could enforce such corrective actions by serving an Enforcement Notice under S.149 Data Protection Act 2018.
In addition, the company has agreed to pay the employees “considerable compensation” as well as apologising. GDPR Article 82 provides that data subjects who have suffered material or non-material damage as a result of an infringement of the GDPR “shall have the right” to receive compensation from the Data Controller in respect of the damage suffered. According to the EDPB news post, this is “an unprecedented acknowledgement of corporate responsibility following a data protection incident”. Whether or not it is unprecedented, it certainly is pragmatic, given that the company avoids any protracted legal actions and the further adverse media attention that litigation would inevitably attract.
Readers may be interested in our blogs on GDPR and Employee Surveillance. These and other GDPR developments will be discussed in detail by Ibrahim Hasan in our forthcoming online GDPR update workshop. Why not use the time working from home to achieve a GDPR qualification? Our next online GDPR Practitioner Certificate course is fully booked. There are a few places remaining on the following courses.