...and the extent to which they engaged in covert monitoring of their employees.
In Nuremberg, H&M had a practice of requiring team leaders at one of the store's service centres to find out in-depth information about their teams. The practice dated back to around 2014. The supervisors collated that information and added it to a database which included broader information about the employees' private lives and religious beliefs - in some cases information shared in informal conversations. Experiences from holidays and symptoms of illnesses were recorded following back-to-work meetings after periods of annual leave and sickness absence.
The database was made digitally accessible to up to 50 managers within the Nuremberg location and the information was used to create a profile of each employee. The profiles could be used by managers when making decisions about the structures of individual stores or teams. The profiles were used to make decisions in relation to the employment relationship.
In October 2019, the database was leaked internally and a data protection complaint was subsequently made. In addition to the fine imposed for the GDPR breaches, H&M has agreed to make a compensation payment to its employees and has provided additional training for leaders on data privacy and labour law.
There is a real risk of significant fines if employers are engaging in covert monitoring of this nature. If an employer does need to collate information relating to its employees, it should do so transparently. Employees should be provided with a privacy notice identifying, amongst other things, what employee personal data is processed and the sources of that data. Employers who systematically monitor their employees must carry out a Data Protection Impact Assessment (DPIA) to help identify and minimise the data protection risks of any such project. Covert monitoring is very unlikely to be lawful.