H&M Group has found itself on the receiving end of a hefty GDPR fine.
The Swedish clothing juggernaut has been ordered to pay 35.3 million euros ($41.4 million) by the Hamburg Data Protection Authority for the excessive monitoring and surveillance of several hundred employees at its customer service center in Nuremberg, Germany, marking one of the largest fines yet issued under the European Union’s General Data Protection Regulation.
The fast-fashion retailer acknowledged in a statement that it takes full responsibility. The company said it “wishes to make an unreserved apology to the employees at the service center in Nuremberg” and that it will review the fine imposition carefully. H&M says it has fully cooperated with the authority during the process.
H&M Group said it discovered a local security breach related to storage of employees’ personal data at the service center in October of last year and reported it immediately to the data protection authority. The data became accessible companywide for several hours that month due to an IT glitch that resulted in a configuration error.
The watchdog found that, going as far back as 2014, parts of the H&M workforce had been subject to extensive recording of details about their private lives, with some supervisors acquiring a broad knowledge of the specifics through personal and floor talks, ranging from “rather harmless details to family issues and religious beliefs.”
Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company.
Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave—even short absences—the supervising team leaders conducted “welcome back talks” with their employees. After these talks, in many cases not only were the employees’ concrete vacation experiences recorded, but also symptoms of illness and diagnoses, according to the data protection authority.
While the data collected was used to make a meticulous evaluation of individual work performance, it was also leveraged to obtain a detailed profile of employees for measures and decisions regarding their employment, the watchdog said.
After Dr. Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information, was informed about the data collection through press reports, he ordered the contents of the network drive to be “frozen” and then demanded that the retailer hand over the drive. H&M complied and submitted a data record of approximately 60 gigabytes for evaluation. After the data was analyzed, questioning of numerous witnesses confirmed the documented practices.
Under GDPR rules, data protection authorities have the power to order a data controller or data processor to provide any information the authority requires, to obtain access to all personal data including “all information necessary for the performance of its tasks,” and to access premises and equipment.
Upon the initial discovery and forfeiture of the data, H&M said it immediately began making several improvements at the Nuremberg center, starting with the launch of a comprehensive action plan, which the watchdog confirmed it had received. The plan was aimed at improving the internal auditing practices to ensure data privacy compliance, strengthening leadership knowledge to assure a safe and compliant work environment and further training and educating both staff and leaders in data privacy and labor law.
The retailer says there have been personnel changes in management within the service center, but did not reveal details regarding the changes or the number of employees affected.
Additionally, the clothing company says it has created a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes, revised instructions for managers, enhanced its data cleansing processes and improved IT solutions supporting compliant storage of personal data, training and leadership.
In addition, H&M has decided that all staff currently employed at the service center, and all who have been employed there for at least one month since May 2018, when GDPR came into force, will receive financial compensation. GDPR was designed to give consumers an unprecedented level of control over their own information and to force businesses to adhere to strict privacy provisions or face major fines.
Given the serious disregard for employee data protection at the H&M site, Caspar said that the amount of the fine imposed is adequate and effective as a deterrent against companies violating the privacy of their employees.
However, the watchdog did also point out in H&M’s favor that the acknowledgement of corporate responsibility following a data protection incident was “unprecedented.”
“Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively,” Caspar said in a statement. “The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”
In its own statement, H&M Group emphasized its commitment to GDPR compliance and sought to reassure its customers and employees that it makes privacy and the protection of all personal data its top priority.
The news came as H&M announced it would close 250 stores worldwide next year, or 5 percent of its approximately 5,000 global locations, as it continues to shift toward more digital investments. Net sales in the retailer’s third quarter fell 16 percent in local currencies to 50.87 billion Swedish krona ($5.71 billion), while net income for the quarter, after taxes, was significantly stronger than expected, at 1.82 billion Swedish krona ($204.4 million), or 1.10 Swedish krona (12 cents) per share.