How did H&M’s internal data collection processes land it with the second largest fine in data breach history?

The key takeaway

Despite the catastrophic financial impact of COVID-19, the Hamburg State Commissioner for Data Protection and Freedom of Information (HmbBfDI) showed no signs of leniency in issuing H&M with the second largest fine ever to be handed to a single company for breach of the GDPR.

The background

The HmbBfDI announced on 1 October 2020 that it had fined the German subsidiary of fashion retailer H&M €35.3 million for the unlawful monitoring of employees in its centrally operated service centre in Nuremberg. On the same day, H&M announced it was to close 250 of its stores globally.

The details

Having evaluated over 60GB of company data, the HmbBfDI found that H&M’s service centre in Nuremberg had held extensive permanent records of personal information on the private lives of employees since at least 2014. The HmbBfDI noted that even after short absences of employees, team leaders conducted “Welcome Back Talks” in which holiday experiences and symptoms and diagnoses of diseases were recorded. Furthermore, the HmbBfDI found that supervisors acquired detailed knowledge about the private lives of their employees through informal corridor talks, which often revealed family issues and religious beliefs. It came to light that the recorded personal information was then used to measure employee performance and to create profiles which would then form a framework on which to base general employment decisions.

The issues came to light following a configuration error which allowed data stored on the network drive to be accessible company-wide for several hours in October 2019. In its assessment, the HmbBfDI evaluated how accessible the information was, how the information was recorded and stored, and how detailed and organised the information was.

In response to the fine, H&M issued a statement promising changes at management level in its Nuremberg service centre and additional training for managers on data protection and employment law. Furthermore, the company stated it would introduce new roles with specific proficiencies in assessing, investigating and strengthening privacy processes, improved data-retention and data-deletion processes, and IT systems incorporating increased data protection measures. Finally, H&M announced that employees who are working, or have worked, at the Nuremberg service centre for at least one month since the GDPR entered into force will receive compensation.

Why is this important?

The size of the fine issued to H&M and the accompanying detail emphasise just how important an appreciation of the GDPR is at all levels of a business in order to avoid similar financial and reputational damage. However, those responsible for managing HR play a particularly important role in mitigating these inherent risks. Whilst “Welcome Back Talks” with employees can be positive from an employee welfare perspective, HR must approach such talks with caution and avoid questions that may lead to responses including special category data, such as data concerning health or data revealing religious or philosophical beliefs. Additionally, HR should be trained on what data is recorded from the responses, what captured data is used for, how long that data is stored and who has access to it. Managers should be cautious about the way in which they incorporate employee profiles into their assessment of employee performance and other decisions around employment. Particularly in light of the pandemic-induced shift to working from home, businesses should approach the use of employee monitoring tools with caution and with transparency at the heart of all personal data collection processes.

Any practical tips?

The GDPR and the risks associated with the processing of personal data require that both a top-down and a bottom-up approach are taken to managing those risks. In practice, management should be trained extensively and have a sufficient understanding of the issues in order to navigate those risks carefully. Employees should also understand just how sensitive what they say in formal or informal talks with supervisors might be. In this way, there exists a collective responsibility across the entire cross-section of a business to ensure overall GDPR compliance. In response to the fine, H&M introduced a suite of new data protection measures, including a newly appointed data protection coordinator, monthly data protection status updates, more widely communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access. It is crucial that all businesses learn from the lessons arising out of this judgment and review their current data protection practices, implementing more robust processes where necessary. This is particularly critical given the impact COVID-19 is having on organisations that have to furlough or lay off staff, and the consequent potential rise in data subject access requests and general complaints received from those former employees.