Personnel Today

GDPR: H&M fined record £32m for intrusive ‘people analytics’

by Rob Moss 6 Oct 2020

H&M Group has been fined €35.3m (£32.1m) by an information commissioner in Germany for intrusive data collection and analysis of the activities of hundreds of employees.

It is the largest fine issued for an employment-related privacy breach since the General Data Protection Regulation (GDPR) came into force across the EU in 2018.

Since 2014, team leaders at a service centre in Nuremberg would conduct back-to-work style interviews or informal chats following sickness absence and holidays, even when the employee was off for a short period. The information recorded ranged from details about illnesses and diagnoses, to what they had done on holiday, specific family problems and their religious beliefs.

Not only did managers build up a “broad knowledge” of their staff’s private lives, the information was updated regularly and stored digitally where it could be accessed by as many as 50 other managers throughout the company.

The data was then used alongside “meticulous” analysis of individuals’ performance at work to create “profiles” of employees that would help direct employment decisions.

Prof Johannes Caspar, the Hamburg commissioner for data protection and freedom of information, said: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The fine imposed is appropriate and will deter companies from violating their employees’ privacy.”

The commissioner added that the combination of researching private lives, and the ongoing recording of what activity individuals were engaged in, led to a “particularly intensive interference with the rights” of those affected.

H&M’s activities only came to light when an IT error led to the employee records becoming accessible across the company for a few hours in October 2019.

H&M Group said: “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions.

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.”

Under GDPR, firms can be fined €20m (£18.2 million) or 4% of annual global turnover – whichever is greater – for infringements.

H&M said it was reviewing the commissioner’s fine “carefully”, adding that since the breach was discovered, it immediately began making several data-related improvements at the Nuremberg service centre. Measures included introducing internal audits to ensure data compliance, strengthening leadership knowledge to assure a safe and compliant work environment and continuing to train and educate staff.

In addition, H&M has decided that all staff currently employed at the service centre, and those who were employed for at least one month since May 2018, when the GDPR came into force, will receive financial compensation.

Prof Caspar added: “The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly positive. The transparent information provided by those responsible and the guarantee of financial compensation show the willingness to show those affected the respect and appreciation that they deserve as employees in their daily work for their company.”

Piers Dryden, partner and head of the technology sector at law firm Brabners, said: “The regulator is clearly using H&M to send out a message. Such a big fine against a big-name brand is a statement of intent that GDPR will come down hard on businesses that flout the data rights of their employees. Businesses can no longer plead ignorance when it comes to data protection and must have a complete understanding of the employee information they process, why they process it and what appropriate legal basis they have for doing so.”

He said other businesses should take notice of this, learn from H&M’s mistakes and implement the retrospective steps taken by the retailer now, before a breach occurs. To its credit, he added, H&M had put in place a solid action plan to address the breach once alerted to it.

“The fine levied against H&M is a reminder to all businesses that they need to establish a comprehensive approach to organisational compliance and data protection governance,” added Dryden. “Two years on from the initial implementation of GDPR is the ideal time to conduct an independent audit and assess whether those processes are still fit for purpose today.”

The fashion group, whose other brands include Cos, & Other Stories and Arket, said in a statement: “H&M Group wants to emphasise its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority.”

Only one GDPR fine has been larger. Google was fined £44m last year for a “lack of transparency, inadequate information and lack of valid consent” regarding the personalisation of adverts displayed to its users.

Rob Moss

Rob Moss is a business journalist with more than 25 years' experience. He has been editor of Personnel Today since 2010. He joined the publication in 2006 as online editor of the award-winning website. He specialises in labour market economics, gender diversity and family-friendly working. He has hosted hundreds of webinars and podcasts, most recently on the challenges created by the coronavirus pandemic. Before writing about HR and employment he ran news and feature desks on publications serving the global optical and eyewear market, the UK electrical industry, and electrical markets in Asia and the Middle East.
