H&M Group fined £32.1 million for GDPR breach

07 October 2020

Clothing company, H&M Group, has been fined €35.3 million, equivalent to £32.1 million, in relation to employment-related privacy breaches. The fine was issued by an information commissioner in Germany, and is the largest of its kind that has been issued, since the General Data Protection Regulation (GDPR) was implemented in the European Union (EU) back in 2018.

It was found that, since 2014, team leaders were holding back-to-work style interviews or informal chats after employees had a period of sickness-related absence or if they had been on holiday, even in scenarios where the period of leave was only for a short amount of time. Information from these conversations would be recorded, and would include details relating to  employee illnesses, activities they had undertaken on holiday, family issues and also the religious beliefs of members of staff. The company was fined due to the fact that it showed a serious disregard for employee data protection.

The personal information collected from employees during this time was regularly updated and digitally stored, in a location where it could be accessed by up to 50 other managers within the company. This was in addition to the fact that managers were acquiring information about the private lives of staff. The personal data was stored alongside performance evaluations in order to create “profiles” of staff, which it was hoped would steer any employment decisions that needed to be made.

The practices taking place within the company were highlighted when an IT error resulted in the records of employees becoming accessible to the whole company for a period of a few hours in October 2019.

Personnel Today reported that the Hamburg commissioner for data protection and freedom of information, Professor Johannes Caspar, said:

 “This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The fine imposed is appropriate and will deter companies from violating their employees’ privacy.”

Companies who are found to be in breach of GDPR can be issued with fines potentially reaching €20 million or 4% of their annual global turnover. The fine imposed will equate to the higher of the two amounts.

As a result of the investigation and subsequent fine, H&M has confirmed that it has already started to make various data-related improvements at its Nuremberg service centre, and has started to introduce internal audits that look at data compliance. It has also began delivering training sessions to ensure that leaders create a safe and compliant work environment. Additionally, any individuals currently employed at the service centre, and those employed for at least one month since May 2018, will receive some form of financial compensation.

H&M Group stated:

“The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions.

H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.”


Information provided in this news article may be subject to change. Please make note of the date of publication to ensure that you are viewing up to date information.