On October 1, 2020, the Hamburg Data Protection Commissioner (“Hamburg DPA”) fined clothing retailer H&M 37.8 million dollars (EUR 35.2 million) for several violations of the GDPR.
According to the Hamburg DPA’s press release, since 2014, H&M supervisors at its Nuremberg service center habitually collected personal information (including sensitive personal information) from H&M employees and permanently stored it on a network drive that was accessible to other H&M managers throughout the organization. The personal information collected by H&M included information about employees’ vacation experiences and activities, symptoms of illness and diagnoses, family issues, and even religious beliefs. The Hamburg DPA found that H&M used this information to “obtain a detailed profile of employees for measures and decisions regarding employment.” The Hamburg DPA learned of H&M’s practices through a whistleblower complaint after a technical error made the information accessible company-wide for several hours in October 2019.
After reviewing the collected information and interviewing individuals who confirmed H&M’s practices, the Hamburg DPA concluded that “[t]he combination of collecting details about [employees’] private lives and the recording of their activities led to a particularly intensive encroachment on employee’s civil rights.” H&M has implemented multiple corrective measures, including, to name a few, payments to impacted employees; the appointment of a new data protection coordinator; monthly data protection status updates; increased awareness of whistleblower protections; and consistent processes and procedures for handling data subjects’ rights of access.
While it is clear that H&M’s data collection practices were overly broad, intrusive, and inconsistent with GDPR’s key principles, there are some valuable lessons and takeaways from this case. Here are our top takeaways:
Not a data breach: This fine was levied for a compliance issue, not a data breach, and it followed a complaint from an employee.
Lawful basis: If you are processing personal information, especially about your employees, you need to ensure that you have a lawful basis for each processing activity. Lawful bases include consent, contract, legal obligation, vital interests, public task, and legitimate interests. While we do not know what lawful basis H&M cited to justify its processing of the collected information, it is likely that the Hamburg DPA did not agree.
Data minimization: Even if you process personal information pursuant to a lawful basis, you need to ensure such processing is “adequate, relevant, and limited to what is necessary in relation to the purposes for which [such data is] processed.” Here, even if we assume H&M had a lawful basis, it is hard to fathom a reason why H&M would need to know about an employee’s family issues or religious beliefs.
Data retention: Organizations should revisit and revise their data retention policies to ensure that personal information is stored only as long as necessary to accomplish the purpose for which it was originally collected. Here, H&M stored the personal information for an indefinite period of time.
Amount of fines: Since the GDPR took effect on May 25, 2018, data protection authorities have not hesitated to assess multi-million Euro fines for GDPR violations. Organizations that are subject to the GDPR must weigh the risk of these fines against the costs of having a robust privacy compliance program.