The Hamburg data protection authority imposed a fine of EUR 35 258 707.95 on the H&M clothing chain for breaching the General Data Protection Regulation.
The investigation revealed that H&M collected and stored a large amount of data on the privacy of employees, and also stored such data on the company ‘ s internal network. When employees returned from vacation or after illness, line managers conducted so-called “Welcome Back Talk”, which asked questions about various personal issues, such as symptoms and illness, during the year. Data on employees’ private lives were collected in such informal conversations, they were asked to tell about family problems and religious beliefs. All this information was recorded and stored in digital form, and about 50 other employees of the company had access to this information.
Information about an employee’s personal life was used to create a profile of a particular employee to help the company in its employment relationship with that person.
The collection of personal data about the privacy of employees became known when such data was available to the entire company for several hours due to an information technology error. 60 GB of data were transmitted to the supervisory authority, after which the analysis revealed that the company had violated the requirements of personal data processing and employees’ right to privacy.
Representative of the Hamburg Data Protection Authority prof. Dr. Johannes Caspar stated: “This case records a serious breach of employee data protection on the H&M website in Nuremberg. The amount of the fine imposed is appropriate and to deter undertakings from infringing the privacy of their employees. ‘
The company took responsibility, apologized to the victims and undertook to compensate for the damage done.
This breach and its consequences only prove once again that the protection of personal data must also be ensured in relations with the employee. The processing of personal data in the employment relationship is regulated not only by the General Data Protection Regulation, but also by the Labor Code of the Republic of Lithuania, which stipulates that the employee’s private life must be respected. Therefore, employers do not have to collect information about an employee that they do not need to perform their functions as an employer.
Employee data, when not required to be processed by law, may only be processed on a legitimate basis (such as for communication, team building, etc.) and with prior notice to the employee. Such data must be deleted as soon as they become unnecessary for the purpose for which they were collected.
In order to comply with the accountability principle set out in the General Data Protection Regulation, companies must assess the extent and nature of the data collected on employees, have signed rules for the processing of employees’ personal data and inform employees about them.
Prepared by assistant attorney at law Brigida Bacienė