H&M fined for violation of staff privacy

Logo on H&M store facade
Photo: Sorbis / Shutterstock.com

H&M Group is fined a record amount of 35 million euros for violating GDPR rules: the fashion player is alleged to have illegally stored private data on employees in Germany.


Holiday stories and family issues

In a H&M service centre in Nuremberg, Germany, the management kept an eye on hundreds of employees too closely. This is the verdict of the German data protection authority, which is imposing a historical fine of 35 million euros on the Swedish fashion group for unlawfully mapping employees' private lives.

Since at least 2014, details of staff's private lives have been extensively recorded, according to the watchdog. Employees who returned from holidays or sick leave had to talk to the team leaders. After these talks, in many cases illnesses and diagnoses were recorded on top of the actual holiday experiences of the employees, Forbes reported.

Some team leaders also fished into the private lives of their employees in conversations, ranging from fairly innocent details to family issues and beliefs, after which all the information was stored. The practice came to light in October 2019, when all the data was visible to everyone for several hours due to a configuration error.


To give an example

The conviction is part of European GDPR legislation, which entered into force in 2018. It is the highest GDPR fine ever in Germany and the second highest in the whole of Europe. Only Google was punished even more severely last year in France with a fine of 50 million euros. However, with the conviction, the court wants to set an example for other companies.

H&M claims to take full responsibility and wants to apologise "without reservation" to the employees of the service centre. The incident revealed practices that were not in accordance with the guidelines and instructions, according to the clothing giant. The retailer commits to a comprehensive action plan to improve internal audit practices and train managers.