
H&M has been fined under GDPR, who’s next?

Fast fashion brand and retailer H&M has been fined, who’s next? The GDPR fine levied is one of the biggest so far. Will this scare organisations enough to get them to comply with the law? Let’s find out.

H&M has been fined £32.1m under GDPR. Unlike many past cases, including Marriott and British Airways, this fine was not imposed for a failure to protect customers. Instead, the company has been fined for the illegal surveillance of several hundred employees.

The GDPR limits how far companies may intrude on privacy and what information they are entitled to hold in such cases. The company kept “excessive” records on the families, religions and illnesses of its workforce. This data was being maintained at its Nuremberg service centre, the German data protection watchdog found.

As soon as the fine was announced, the retailer accepted full responsibility and announced its plans to compensate employees. A key point here is that this is so far the second-largest fine a single company has faced under EU GDPR rules.

In a similar vein, the French data and privacy watchdog, CNIL, fined Google for breaching the General Data Protection Regulation (GDPR). That was the highest fine. Although many fines may look huge, they only make up a small fraction of the revenues of big tech and business giants.

Corporate Stalking

H&M’s privacy violations included extensive staff surveys, with details of holidays, medical symptoms and diagnoses for illnesses, the year-long investigation by the Data Protection Authority of Hamburg (HmbBfDI) found.

Private details were also collected from informal chats, including family issues or religious beliefs, and were then stored and used to evaluate work performance and make employment decisions.

“This is a case that showed a gross disregard” of data-protection rules in Germany, HmbBfDI head Johannes Caspar said. The large fine was “justified and should help to scare off companies from violating people’s privacy”, he said. “The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”

H&M said it will now review the decision carefully. “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions,” the company stated.

“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.”