Hamburg’s data protection commissioner Johannes Caspar has imposed a fine of EUR 35.3 million on the fashion chain H&M. The Nuremberg branch of the fashion chain had been systematically spying on the private lives of employees for years.
It had already become known in October 2019 that managers at the Nuremberg branch of H&M had held so-called ‘Welcome Back’ Talks with employees returning from vacation or illness. Among other things, details of illnesses ranging from bladder weakness to cancer, as well as other insights into employees’ private lives (e.g. family problems and religious beliefs) had apparently been recorded for years. The findings were recorded and could be accessed by up to 50 managers. Together with a detailed evaluation of work performance, they were used to create an employee profile that served as a basis for decisions on personnel measures.
The fine is the highest amount ever imposed by a German data protection authority under the GDPR. The second largest was EUR 14.5 million imposed on Deutsche Wohnen, based in Berlin, for storing tenant data too extensively and for too long despite a previous warning from the authority. The H&M fine was imposed at this level despite the fact that the fashion chain had cooperated with the data protection authority after the original discovery in autumn 2019 and despite the fact that it had announced compensation payments to the affected employees. The Hamburg authority is responsible because that is where H&M’s German headquarters are located.
The decision is not yet legally binding. The fashion chain has announced it will now carefully examine the decision, according to a statement by the H&M Group on 1 October 2020.