Fashion chain H&M has been fined $35 million for data protection breaches, including recording private information about hundreds of employees and sharing it among managers.
Hamburg’s data protection commissioner said the company collected private information about employees at a customer service centre in Nuremberg.
After absences, such as vacations and sick leave, supervisors would conduct “welcome back talks” with members of staff. The data protection commissioner said: “After these talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses.
“In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”
Some of this knowledge was recorded and stored, and was partly readable by up to 50 other managers throughout the company, the commissioner said. The records were sometimes made with a high level of detail and kept over greater periods of time, documenting the development of these issues.
“The data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment”, the commissioner said.
He added: “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
In a statement, H&M said it immediately initiated measures to remedy the problem as soon as it was discovered and reported.
It said: “A comprehensive action plan was put in place to improve internal audit practices, to ensure compliance with data protection regulations and to strengthen the knowledge of managers to ensure a safe and data protection-compliant work environment, as well as additional training for employees and managers in this area.”
H&M said a number of actions have been taken including personnel changes at the service centre, additional training for managers, updated data protection descriptions for HR purposes, a new data protection audit role, improved processes and improved IT.
The company has also pledged to pay compensation to employees at the centre.
The news comes as H&M announces the closure of 250 stores worldwide.