H&M fined €35m under GDPR for staff surveillance

A German data protection watchdog has fined Swedish retailer H&M €35.3m (£32m) after the company was found to have 'monitored' several hundred employees in a Nuremberg service centre.

The Hamburg Commissioner for Data Protection and Freedom of Information said that since at least 2014, parts of the workforce had been subject to "extensive recording of details about their private lives".

"Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs," it stated.

Some of this information was recorded, digitally stored and partly readable by up to 50 other managers throughout the company.

The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues.

In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment.

A configuration error in October 2019 meant that the data became accessible company-wide for several hours.

Prof. Dr. Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information, said: "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.

"Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”

    Share Story:

Recent Stories


Financial institutions were early adopters of cyber security and insurance. Are they still on top of the game?
Managing huge amounts of sensitive data online makes financial institutions a prime target for hackers. As such, the sector was an early cohort for insurers in creating cyber cover. Since then, the market has evolved almost beyond recognition. It continues to challenge itself to this day, complying with rigorous regulatory demands and implementing avant-garde enhancements to keep abreast of the ever-changing risks. Published June 2021

Manufacturing: An industry at risk amid great technological change
Of the many sectors of business, manufacturing companies are among the most at risk from cyber threats. How has the sector evolved to make it so vulnerable and what does the task of managing cyber exposure in a manufacturing company look like? CIR’s latest podcast with Tokio Marine HCC sought to answer all these questions and more. Published April 2021

Advertisement