
H&M Fined €35 Million for GDPR Breaches

on Friday, 16 October 2020.

Fashion retail company H&M has been fined €35 million by the Hamburg Commissioner for Data Protection and Freedom of Information following issues with the way it stored personal data and the extent to which it engaged in covert monitoring of its employees.

In Nuremberg, H&M had a practice of requiring team leaders at one of its service centres to find out in-depth information about their teams. The practice dated back to around 2014. The supervisors collated that information and added it to a database which included broader information about employees' private lives and religious beliefs, in some cases information shared in informal conversations. Experiences from holidays and symptoms of illnesses were recorded following return-to-work meetings after periods of annual leave and sickness absence.

The database was made digitally accessible to up to 50 managers within the Nuremberg location, and the information was used to create a profile of each employee. Managers could draw on these profiles when making decisions about the structures of individual stores or teams, and the profiles were used to make decisions in relation to the employment relationship.

In October 2019, the database was leaked internally and a data protection complaint was subsequently made. In addition to the fine imposed for the GDPR breaches, H&M has agreed to make a compensation payment to its employees and has provided additional training for leaders on data privacy and labour law.

Preventing Data Protection Risks

There is a real risk of significant fines if employers engage in covert monitoring of this nature. If an employer does need to collate information relating to its employees, it should do so transparently. Employees should be provided with a privacy notice identifying, amongst other things, what employee personal data is processed and the sources of that data. Employers who systematically monitor their employees must carry out a Data Protection Impact Assessment (DPIA) to identify and minimise the data protection risks of any such project. Covert monitoring is very unlikely to be lawful.

For legal support around data protection, please contact Mark Stevens in our Employment Law team on 07909 681036, or complete the form below.
