H&M was recently hit with a €35 million fine for unlawful surveillance of their employees. According to Hamburg’s Data Protection Authority, H&M collected and used private information about employees at a customer service centre in Nuremberg.
What information was collected?
The investigation confirmed that H&M superiors collected and stored the following information:
- Details about vacation and illness: “Welcome Back” talks were held by team leaders whenever employees came back from vacation or sick leave. This allowed them to make a note of information relating to vacation experiences. In the case of sick leave, the leader recorded the employee’s diagnosis and the symptoms of the illness.
- Family issues and religious beliefs: Based on informal conversations, managers also stored details about private information such as family issues and religious beliefs.
How was the information used?
The collected information was stored on a network drive accessible to more than 50 managers. It was also used to:
- Create a detailed profile of each employee
- Make decisions about employment based on that profile
The practice was exposed in 2019 when the notes were briefly accessible to everyone in H&M due to a technical error. Following the investigation, H&M’s actions were found to be in clear violation of GDPR and they were fined 35 million euros. It is the second-highest GDPR fine to date.
Hamburg’s Commissioner for Data Protection comments,
The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.
This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.
This case is an important reminder that GDPR isn’t just about protecting the personal information of customers; it’s also about protecting employee rights.
Under GDPR, employers should:
- Be transparent about what employee data they hold and explain the purpose for holding it
- Have the required consent and legal basis to process the data
- Safeguard the data and demonstrate accountability throughout the data retention period
In light of the fine, H&M has taken some corrective steps to address the incident. These include financial compensation for staff and additional data privacy training for management.
In addition, the company will:
- Appoint a new data protection coordinator
- Issue monthly data protection status updates
- Put in place whistleblower protection
With the rise of employee surveillance practices such as remote monitoring tools, it is your responsibility to make sure your practices are GDPR compliant. Get in touch with us for a review of your data collection practices.
Here are a few takeaways going forward:
- Information from private conversations with employees cannot be used for work-related purposes.
- Processing of employee data should be limited to what is strictly necessary and justified.
- Access to HR data should be on a need-to-know basis.
- Consent and a legal basis are needed to process employee data.
As mentioned in the Hamburg Data Authority statement,
People expect that they can keep their personal lives private and that they are also entitled to a degree of privacy in the workplace.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.