H&M Fined $41.3m for Employee Surveillance in Violation of GDPR

October 09, 2020

The Data Protection Authority of Hamburg announced a record-setting fine of €35.2m (U.S. $41.3m) on H&M for "extensive recording of details about [employees’] private lives" in violation of the EU’s General Data Protection Regulation.

The Hamburg data protection authority (DPA) conducted a year-long investigation following a data breach that unveiled the data H&M had been collecting about the private lives of several hundred of its employees in a service center in Nuremberg.  The data protection authority’s fine is the largest for a violation involving employee data and the second largest fine levied under the GDPR. 

“The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights,” the DPA said in a statement.

"After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees.  After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses,” the DPA said.

“In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.  Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company.” 

Meanwhile, a ruling by the EU’s top court has imperiled the flow of data, including employee data, from the EU to the UK. The ruling makes it all but certain the EU Commission will be unable to sign off on an adequacy decision for the UK, which would allow such transfers under the GDPR. You can read more in this week's BEERG Global Labor Newsletter.

In the United States, California Governor Gavin Newsom signed legislation extending the California Consumer Privacy Act’s employee data exemption until January 1, 2022. However, the legislation will only take effect if California voters do not approve a ballot initiative expanding the CCPA and extending the employee data exemption until January 1, 2023.

Outlook:  As companies rely more on data to manage employees, the collection and use of employee personal data may come under greater scrutiny.  In the EU, more than 40 data protection authorities have issued guidance on the collection of data during the pandemic, and the use of employee monitoring tools has piqued the interest of regulators.  Such tools are under investigation in at least one case involving Barclays Bank.