A German Data Protection Authority Imposes the Largest GDPR Fine for Mishandling Employee Data
The German subsidiary of the Swedish multinational retailer H&M was fined over €35 million ($41.3 million) by the Hamburg Commissioner for Data Protection and Freedom of Information (DPA) for its excessive use of employee data. This is the largest fine imposed under the GDPR for mishandling of employee data. It is also the highest GDPR penalty levied in Germany and the second highest GDPR fine overall, after the €50 million fine imposed on Google (not counting the proposed fines on British Airways and Marriott).
Since at least 2014, the company had collected, recorded, and stored a vast amount of information about the private lives of hundreds of its employees. After employees returned from vacation or sick leave, their supervisors interviewed them and recorded notes that included descriptions of vacation experiences as well as details of symptoms of illness and diagnoses. In addition, some supervisors acquired broad knowledge of their employees’ private lives, including details about family issues and religious beliefs, through various in-person conversations. Some of this information was recorded, digitally stored, and partly readable by up to 50 other managers throughout the company. Furthermore, some data was collected over a period of time and reflected developments in the employees’ personal lives. The collected data was used to evaluate employees’ performance and to build detailed profiles of them for measurement purposes and for decisions regarding their employment.
The extensive data collection became known in October 2019 as a result of a data breach, when the stored data became accessible company-wide for several hours. According to the DPA, “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
In addition to the record fine, the company has issued an apology to the affected employees and intends to compensate them. As part of its new data protection program, the company has appointed a data protection coordinator and will issue monthly data protection status updates, strengthen protection for whistleblowers, and streamline its handling of data subjects’ access requests.