Personnel Today

GDPR: H&M fined record £32m for intrusive ‘people analytics’

by Rob Moss 6 Oct 2020

H&M Group has been fined €35.3m (£32.1m) by an information commissioner in Germany for intrusive data collection and analysis of the activities of hundreds of employees.

It is the largest fine issued for an employment-related privacy breach since the General Data Protection Regulation (GDPR) came into force across the EU in 2018.

Since 2014, team leaders at a service centre in Nuremberg would conduct back-to-work style interviews or informal chats following sickness absence and holidays, even when the employee was off for a short period. The information recorded ranged from details about illnesses and diagnoses, to what they had done on holiday, specific family problems and their religious beliefs.

Not only did managers build up a “broad knowledge” of their staff’s private lives, the information was updated regularly and stored digitally where it could be accessed by as many as 50 other managers throughout the company.

The data was then used alongside “meticulous” analysis of individuals’ performance at work to create “profiles” of employees that would help direct employment decisions.

Prof Johannes Caspar, the Hamburg commissioner for data protection and freedom of information, said: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The fine imposed is appropriate and will deter companies from violating their employees’ privacy.”

The commissioner added that the combination of researching private lives, and the ongoing recording of what activity individuals were engaged in, led to a “particularly intensive interference with the rights” of those affected.

H&M’s activities only came to light when an IT error led to the employee records becoming accessible across the company for a few hours in October 2019.

H&M Group said: “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions.

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.”

Under GDPR, firms can be fined €20m (£18.2 million) or 4% of annual global turnover – whichever is greater – for infringements.

H&M said it was reviewing the commissioner’s fine “carefully”, adding that once the breach was discovered, it immediately began making several data-related improvements at the Nuremberg service centre. Measures included introducing internal audits to ensure data compliance, strengthening leadership knowledge to assure a safe and compliant work environment, and continuing to train and educate staff.

In addition, H&M has decided that all staff currently employed at the service centre and who were employed for at least one month since May 2018, when the GDPR came into force, will receive financial compensation.

Prof Caspar added: “The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company.”

Piers Dryden, partner and head of the technology sector at law firm Brabners, said: “The regulator is clearly using H&M to send out a message. Such a big fine against a big-name brand is a statement of intent that GDPR will come down hard on businesses that flout the data rights of their employees. Businesses can no longer plead ignorance when it comes to data protection and must have a complete understanding of the employee information they process, why they process it and what appropriate legal basis they have for doing so.”

He said other businesses should take notice of this, learn from H&M’s mistakes and implement the retrospective steps taken by the retailer now, before a breach occurs. To its credit, he added, H&M had put in place a solid action plan to address the breach once alerted to it.

“The fine levied against H&M is a reminder to all businesses that they need to establish a comprehensive approach to organisational compliance and data protection governance,” added Dryden. “Two years on from the initial implementation of GDPR is the ideal time to conduct an independent audit and assess whether those processes are still fit for purpose today.”

The fashion group, whose other brands include Cos, & Other Stories and Arket, said in a statement: “H&M Group wants to emphasise its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority.”

Only one GDPR fine has been larger. Google was fined £44m last year for a “lack of transparency, inadequate information and lack of valid consent” regarding the personalisation of adverts displayed to its users.

Rob Moss

Rob Moss is a business journalist with more than 25 years' experience. He has been editor of Personnel Today since 2010. He joined the publication in 2006 as online editor of the award-winning website. Rob specialises in labour market economics, gender diversity and family-friendly working. He has hosted hundreds of webinars and podcasts. Before writing about HR and employment he ran news and feature desks on publications serving the global optical and eyewear market, the UK electrical industry, and energy markets in Asia and the Middle East.

© 2011 - 2025 DVV Media International Ltd
