The Swedish clothing chain H&M has been hit with a fine of €35 million over a data breach and privacy violations under the General Data Protection Regulation (“GDPR”), which came into force in 2018.
Several hundred employees at the H&M Service Center in Nuremberg had been kept under surveillance by the company. According to the German authorities, since 2014 the workforce had been subject to “extensive recording of details about their private lives”.
After a year-long investigation, the Hamburg data protection authority found that the data H&M collected ranged widely, from details of employees’ family issues and vacations to their religious beliefs and medical conditions. This data was stored, made accessible to about 50 managers of the company, and used to make employment-related decisions.
The fact that the company had been collecting such private data about its employees came to light only after a configuration error in October 2019 made the data available on the company’s site for several hours. The Hamburg Commissioner for Data Protection and Freedom of Information then ordered the company to freeze the data and submit it for analysis.
Caspar, the head of the German data protection watchdog in Hamburg, called the incident “a case that showed gross disregard” for data protection law.
The company released a statement saying that, although the practices at the service centre were not in line with the company’s own guidelines, it takes full responsibility, and it extended an apology to the affected employees. It further promised to compensate those employees and to change its practices.
H&M has received a decision from the regional Data protection authority in Hamburg to impose an administrative fine of M Euro 35. The company will now review this decision carefully.
Since the initial discovery and reporting of the incident, H&M immediately began making several improvements at the service centre in Nuremberg. A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment and continue to train and educate both staff and leaders in this area.
A number of actions have been implemented which include:
· Personnel changes at management level at the service centre in Nuremberg.
· Additional training for leaders in relation to data privacy and labour law
· Revised instructions for managers
· Creation of a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes
· Enhanced data cleansing processes
· Improved IT solutions supporting compliant storage of personal data, training and leadership.
In addition, H&M has decided that all currently employed at the service centre, and all who have been employed for at least one month since May 2018 when GDPR came into force, will receive financial compensation.
H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as a top priority. The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.
– H&M Group Press Release, October 1, 2020
The penalty of €35 million is the largest fine of its kind imposed in Germany and the second highest in Europe, after Google was fined €50 million last year for GDPR violations. The GDPR has been an exceptional step towards securing individuals’ data and privacy rights. It allows fines of up to 4% of a company’s annual global turnover, which acts as a major deterrent against violating privacy rights.
Reported by Avneet Kaur, Student Ambassador