Have EU Employees? Beware: H&M Slapped with Massive GDPR Fine for Wrongful Processing of Employee Data, Despite Cooperation

On October 1st, 2020, the Data Protection Authority of Hamburg (“DPA”) announced that it had issued a EUR 35.3 million fine against the clothing company H&M Hennes & Mauritz Online Shop A.B. & Co. KG (“H&M”) for the alleged wrongful collection of data on the private lives of several hundred employees (the English press release can be accessed here). This is the highest fine ever issued in Germany under the GDPR, and it sends a strong signal to companies to ensure that they comply with data protection law when processing employee data.

Background

H&M, based in Hamburg, operates a service center in Nuremberg. Since at least 2014, the service center management collected data on the private lives of its employees.

After vacations and periods of sick leave, the supervising team leader would conduct a “Welcome Back Talk” with the employee, after which the team leader would record the employee’s specific vacation experiences and, in the case of sick leave, symptoms of illness and diagnoses. Some team leaders even collected data during casual conversations, including information on private family issues and religious beliefs, which was sometimes highly detailed, and kept such information updated over time.

This data was stored, among other places, on a network drive that was accessible by up to 50 managers of H&M.

Together with detailed analyses of work performance, this private data was used, among other things, to build profiles of individual employees and to make decisions about them.

This data collection and use practice came to light in 2019 due to a configuration error that led to the private data being accessible company-wide for a few hours.

After becoming aware of this practice through the press, the DPA first issued a “freeze order” to preserve the contents of the network drive and then demanded that the information be handed over. H&M cooperated and provided the data (about 60 GB) to the DPA.

Following this leak, H&M invested in its data protection compliance and implemented a comprehensive data protection program for the service center in Nuremberg, including the appointment of a new data protection coordinator, monthly privacy status updates and a robust whistleblower protection program. The new program was presented to the DPA. H&M not only apologized to its employees for its wrongdoing, but also agreed to compensate the affected employees.

Reasoning of the Data Protection Authority

The DPA emphasized that the combination of collecting details about employees’ private lives and the ongoing recordkeeping led to a significant impact on the employees’ rights.

The DPA acknowledged that the handling of this case (apology and compensation) was an unprecedented commitment to corporate responsibility following a data protection breach and that H&M responsibly and transparently provided all necessary information.

Notwithstanding H&M’s apology and compensation, the Commissioner of the DPA concluded that, due to the seriousness of the infringement, the imposed fine was appropriate. The DPA determined that the penalty was necessary to deter other companies from violating the employees’ privacy.

Analysis

This decision and accompanying press release by the DPA are remarkable for several reasons:

  • the decision imposed the highest fine ever issued in Germany, notwithstanding the company’s full cooperation;
  • H&M’s cooperation was nevertheless taken into consideration, as the fine is at the lower end of the scale given H&M’s significant annual turnover;
  • the press release expressly named the affected company; and
  • the press release stated that an injunction to freeze the data had been issued.

This decision is in line with a noteworthy decision by the labor court in Düsseldorf, Germany, which ordered an employer to pay EUR 5,000 in damages to a former employee for responding late and incompletely to his request for access to his data (decision no. 9 Ca 6557/18). It shows that data protection authorities and courts take the protection of employee data seriously and may be minded to impose higher fines and compensation because of the imbalance of power between employer and employee in a typical employment relationship.

Arguably the H&M fine would have been significantly higher had H&M not fully cooperated. Based on the fine calculation model presented by the German DPAs in October 2019, the fine issued by the DPA is at the lower end of the scale, taking into account H&M’s total worldwide annual turnover for the preceding financial year (EUR 21.9 billion). Under that model, H&M’s annual turnover could have resulted in a fine of up to EUR 61 million. The DPA thus reduced this amount by roughly 40 percent, which indicates how much the “degree of cooperation with the supervisory authority” (Art. 83(2)(f) GDPR) matters.

Expressly naming the fined company is rather unusual in Germany, but it may be explained by the fact that H&M’s practice had been widely reported and discussed in the press when it came to light, so that, in the circumstances, it would have been obvious that H&M was the subject of the fine. It may also be that the DPA decided to name H&M, as a well-known company, in order to increase the dissuasive effect on other companies.

Lastly, it appears that the injunction to preserve the data was issued immediately after the DPA became aware of the practice through the press. This is noteworthy in that the DPA did not yet have any proof of wrongdoing but acted on press reports alone. It raises the question of what degree of suspicion must be present to justify such an injunction.

It will be interesting to see whether H&M appeals the fine.

Takeaways

  • Companies should invest in employee privacy compliance programs, beginning with a thorough investigation of their actual data processing activities (data mapping).
  • Companies should devote significant effort to training their workforce, in particular their HR teams, on privacy compliance.
  • Information obtained from private conversations should not be used for work-related purposes.
  • The processing of employee data should be limited to what is truly necessary and justifiable under the law.
  • Access to HR data should be limited on a need-to-know basis. Granting managers general access to sensitive HR data is not permissible unless there is a specific, legitimate need; shared network drives in particular should not be used as a default store for such data.
  • Cooperative behavior can significantly lower a fine, but it will not necessarily prevent one.