On October 1, 2020, the Data Protection Authority of Hamburg (the Hamburg DPA) announced that it had fined a German subsidiary of the clothing retailer H&M (H&M Germany) €35.2 million (approximately US $41 million at the time of writing) for data protection violations relating to the excessive monitoring of “several hundred employees”.

This fine is big news for a number of reasons:

  • It represents the largest fine for GDPR violations relating to ‘HR data’ – the size of this fine goes to show that processing of HR data does not necessarily carry a lower risk profile (as is sometimes considered to be the case by some organisations – for example, when compared to customer-related personal data).
  • The ultimate nature and scale of the processing by H&M Germany was not necessarily the intention from the outset – information initially collected in informal settings ultimately developed into rich profiles of employees that included many sensitive details about their personal lives. It is vital to implement effective technical and organisational controls and oversight to prevent such excessive processing occurring. 
  • The amount of the fine was large despite the Hamburg DPA acknowledging that H&M Germany had taken numerous corrective measures after the discovery of the violations (including paying compensation to affected employees) – this goes to show:
    • you cannot always effectively remediate non-compliance risk; and
    • it is essential to get your data collection and processing practices right from the outset to avoid sanction.
  • It is evidence that it is not only ‘big tech’ companies who are in the line of fire for regulatory enforcement under the GDPR.
  • The ‘dawn raid’ on H&M Germany that was conducted by the Hamburg DPA in this case is both:
    • a reminder of the broad investigatory powers available to supervisory authorities under the GDPR and member states’ implementing legislation; and
    • evidence of supervisory authorities’ willingness to exercise those powers when they feel it is necessary to do so.

What happened?

Starting in 2014, H&M Germany instituted a programme whereby team leaders conducted so-called “Welcome Back Talks” with employees on their return from absences (both long and short), such as vacations and sick leave. This seems to have started as a well-intentioned practice designed to improve employee experience.

However, the information collected during these informal discussions was recorded, digitally stored and accessible by a group of up to 50 managers across H&M Germany – the data points stored ranged from somewhat harmless details to far more sensitive information, often constituting Special Categories of Personal Data under the GDPR (e.g., information regarding employees’ illnesses and diagnoses, and religious beliefs).

The dataset compiled by H&M Germany in this way ended up representing a collection of detailed profiles of “several hundred” employees, their private lives and non-work-related activities.

H&M Germany then used these rich profiles about employees’ personal lives when making certain employment‑related decisions about those employees.

H&M Germany did not disclose the creation and/or use of these employee profiles to affected employees. Indeed, it appears the practice was not widely known about within H&M Germany until a data incident in October 2019 meant that the dataset became available across the company for several hours. A fact which ultimately led to the Hamburg DPA conducting a ‘dawn raid’ inspection and collecting data records of approximately 60 GB in size.

The nature and scale of these profiles, and the ways H&M Germany used them, was such that the Hamburg DPA noted it represented “a particularly intensive encroachment on employees’ civil rights”.

Co-operation won’t necessarily save you from hefty fines

It is important to get data protection and privacy compliance right from the outset. When a significant violation like this is involved, the circumstances of this enforcement action shows that accepting responsibility, taking corrective measures, and co-operating with investigators, will not necessarily enable an organisation to avoid significant financial sanction.  

It appears that H&M Germany was co-operative throughout the investigation, and made what the Hamburg DPA called “unprecedented acknowledgement of corporate responsibility following a data protection incident”.

For example, following these violations, H&M Germany both:

  • presented the Hamburg DPA with “a comprehensive concept” detailing how it would address data protection going forward in its operations – including rolling out enhanced communications relating to whistleblower protections, providing monthly data protection status updates and instituting improved data subject access rights procedures; and
  • agreed to pay affected employees considerable compensation.

Despite having taken these measures H&M Germany still received a significant administrative fine – although it bears saying that it may well have been larger without these steps having been taken.

In large part, fines of this nature are often designed to represent a deterrent against future violations of a similar nature by other organisations.

The best way to avoid a supervisory authority making an example of your organisation is to ensure your processing of personal data (including your internal processing of HR data!) is in line with the GDPR’s requirements from its inception.  



Patrick Van Eecke

Leo Spicer-Phelps

Posted by Cooley