H&M has been fined for storing details of its employees’ personal lives, including religious beliefs, symptoms of illness and diagnoses and family issues.
In a case concerning the monitoring of several hundred employees at an H&M Service Centre in Nuremberg by its management, the company has been fined €35.3m (£32.1m) by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI).
The watchdog said parts of the workforce have been subject to extensive recording of details about their private lives, from at least 2014 - with the details permanently stored on a network drive.
After absences such as vacations and sick leave - even short absences - the supervising team leaders conducted “so-called Welcome Back Talks” with their employees. After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses.
In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company.
The HmbBfDI said: “The recordings were sometimes made with a high level of detail and recorded over great periods of time documenting the development of these issues. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment.
“The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
The watchdog was informed following a configuration error in October 2019, when the data became accessible company-wide for several hours. H&M were then ordered to freeze the contents of the network drive and hand it over to the HmbBfDI.
Following analysis of the 60 gigabytes of data handed over, and interrogations of numerous witnesses, the violations were confirmed. Since then, those responsible at the company have:
The HmbBfDI said: “This is an unprecedented acknowledgement of corporate responsibility following a data protection incident.”