The Swedish clothing company H&M (Hennes & Mauritz) was fined €35.5 million by the German Data Protection Authority on 1 October 2020, after a data leak at a service center in Nuremberg, Germany, revealed that managers had been illegally collecting employees' personal data.
The monitoring activity targeted several hundred employees at the service center. Since 2014, H&M managers had been gathering private information about employees, such as medical diagnoses, family issues and religious beliefs.
The collected data was digitally recorded and stored in a system that could be accessed by 50 managers from across the company.
Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, comments: “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”
H&M admitted that there were deficiencies in the service center and said that it had taken measures to correct the situation. The company apologized to the affected employees, who have also been compensated. Moreover, it implemented a data protection program for the service center in Nuremberg.
The fine applied to the Swedish group is the largest announced so far in Germany for violating the GDPR. Germany is the main market for Hennes & Mauritz, which was founded in 1947 in Västerås, Sweden.
Sovy’s GDPR Essentials can help you with each of the steps laid out above:
- Walk through a data mapping exercise and build your data inventory.
- Train your employees with industry-standard eLearning courses.
- Maintain your compliance program in the cloud.
- Manage cookie consent and data rights.