H&M fined €35m under GDPR for staff surveillance

A German data protection watchdog has fined Swedish retailer H&M €35.3m (£32m) after the company was found to have 'monitored' several hundred employees in a Nuremberg service centre.

The Hamburg Commissioner for Data Protection and Freedom of Information said that since at least 2014, parts of the workforce had been subject to "extensive recording of details about their private lives".

"Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs," it stated.

Some of this information was recorded, digitally stored and partly readable by up to 50 other managers throughout the company.

The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues.

In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment.

A configuration error in October 2019 meant that the data became accessible company-wide for several hours.

Prof. Dr. Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information, said: "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.

"Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”

    Share Story:

Recent Stories


Your people and the pandemic: Are you doing enough?
Employee health, well-being and security have always been a vital part of risk management, and as organisations seek ways to ensure a smooth, successful and sustainable return to operations amid the evolving environment, careful consideration has to be given to all these areas, and quickly. Published August 2020

Responding to COVID-19: A safe and secure return to work
Learn more from the experts that worked on the recovery of the Diamond Princess. Published July 2020