Germany’s Hamburg Data Protection Authority (“HmbBfDI”) have imposed a €35.2 million ($41.4 million) fine on H&M, the world’s second-largest clothing retailer, for General Data Protection Regulation (“GDPR”) violations; the largest privacy fine ever issued by a German regulator. This fine is significant for a number of reasons, not least of which is that European regulators are starting to crack down on companies in a variety of industries outside of tech.
Why Was H&M Fined?
H&M operates 5,000 stores across 74 countries and employs 126,000 people, though the company has announced that over the next year it plans to close 250 stores due to the ongoing COVID-19 pandemic which has led more people to shop online. HmbBfDI’s fine was due to H&M’s employee monitoring practices, which largely disregarded GDPR data protection requirements. Since at least 2014, H&M recorded details about the private lives of their employees, stored them on a network drive, and shared those details with managers at the company.
The processing of employee data came to light in October 2019 after a configuration error made the collected data accessible to everyone inside the service center for several hours. After receiving the security breach notification, HmbBfDI launched an investigation, and it immediately ordered the company to freeze the database and provide it with a complete copy of the data.
H&M has pledged to financially compensate all employees who have worked for the organization for at least one month since GDPR came into full effect in May 2018. H&M says that when the inappropriate employee monitoring practices came to light last year, it immediately began instituting changes, including “personnel changes at management level” at the service center, additional training for managers on data protection and labor law, revised HR policies, creating a new “data protection coordinator” role, revising data-retention and data-deletion processes and investing in new technology to better protect data.
COVID-19 Implications…
LGPD vs. GDPR – A Few Key Similarities and Differences
Brazil got itself into the data privacy regulation game in September 2020 with the impleme…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
