H&M fined $41 million for allegedly spying on employees

H&M has been fined for violating the European Union's General Data Protection Regulation (GDPR). 

The fast-fashion giant has been fined $41 million by a German privacy watchdog for violations of the GDPR involving the excessive monitoring of several hundred employees at H&M's customer service center subsidiary in Nuremberg, Germany. It is the second-largest fine levied to date against a single company for GDPR violations involving how employee data is handled.

Starting in at least 2014, the Swedish fast-fashion giant collected private information about employees at a customer service center in Nuremberg that ranged from "rather harmless details to family issues and religious beliefs," according to the Hamburg Commissioner for Data Protection and Freedom of Information. The information was recorded on a network drive accessible to up to 50 managers and was used, among other things, to build detailed profiles of employees that managers drew on to evaluate staffers' work performance and make decisions about their "employment relationship," regulators said.

The data collection became public after a “configuration error” in October 2019 made the data accessible company-wide for several hours and alerted regulators to H&M’s practices, according to the watchdog. In a statement, H&M said the “incident” revealed practices for processing employees’ personal data that were not in line with the retailer’s guidelines and instructions. 

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg,” the company stated. “Since the initial discovery and reporting of the incident, H&M immediately began making several improvements at the service center in Nuremberg.”

Among other things, the retailer said it has launched a comprehensive action plan to improve its internal auditing practices and ensure data privacy compliance. It has also decided that all employees currently working at the service center, and all who have been employed there for at least one month since May 2018, when GDPR came into force, will receive financial compensation.

Other actions that H&M has taken include:

• Personnel changes at management level at the Nuremberg service center;
• Additional training for leaders in relation to data privacy and labor law;
• Revised instructions for managers;
• Creation of a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes;
• Enhanced data cleansing processes; and
• Improved IT solutions supporting compliant storage of personal data, training and leadership.
 
“H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority,” the company stated. “The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.”
