Warnings over storing employee data after H&M hit with €35 million fine

-

On 2nd October 2020, the clothing retail company, H&M, were fined €35 million after monitoring and recording “extensive details about their [employees’] private lives” in Nuremburg. HRreview asks professionals how employers can ensure they do not breach the General Data Protection Regulation (GDPR).

H&M were hit with a €35 million fine after a German data protection watchdog found that, in Nuremberg, the retailer had monitored hundreds of employees since at least 2014.

The Hamburg Commission for Data Protection and the Freedom of Information stated that:

Corresponding notes [linked to the monitoring] were permanently stored on a network drive.

HRreview Logo

Get our essential weekday HR news and updates.

This field is for validation purposes and should be left unchanged.
Keep up with the latest in HR...
This field is hidden when viewing the form
This field is hidden when viewing the form
Optin_date
This field is hidden when viewing the form

 

After absences such as vacations and sick leave, the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases, not only the employees’ concrete vacation experiences were recorded but also symptoms of illness and diagnoses.

In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.

The Commission also found that some of these issues were updated on the network drive over longer periods of time as H&M received more information.

This data was able to be partly read by up to 50 managers after it was digitally stored. According to the report, this data was “used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment.”

This breach of data became public after an internal error in October 2019 leaked the data company-wide.

H&M issued a public statement in its June to August earnings report, stating:

The regional data protection authority in Hamburg has imposed an administrative fine of 35 million euros. The H&M group admits shortcomings at the service centre and has taken forceful measures to correct this.

In addition, the company agreed to pay out compensation to employees who have worked at that site for at least a month since May 2018. It has also stressed that it has carried out “additional training for leaders in relation to data privacy and labour law”.

Dr. Francis Gaffney, director of threat intelligence at Mimecast, a cyber security specialist company, said:

GDPR is not just something else an organisation needs to comply with, but rather benefit from the behaviours GDPR is designed to encourage. Organisations shouldn’t view regulation such as this as a burden and start to view it through the lens of their customers, partners, or employees. If someone trusts you with their data, you owe it to them to be completely honest about what data you are collecting and to protect it, know exactly how (and where) it is stored, and who can access that data.

Because GDPR focuses on the protection of personal data, and not just data privacy, compliance requires a more rigorous approach. To remain GDPR-compliant, organisations must demonstrate GDPR compliance across organisational and technological operations, including specific requirements for data processors and data controllers. It is also necessary for organisations to establish a legal basis for processing personal data, must be able to defend the method of processing, and comply with any request to stop processing when consent is withdrawn or was found to never have been given. Implementing archiving technology can also help organisations remain compliant, especially if they ever go through an audit process.

Emma Erskine-Fox, associate at UK law firm TLT, said:

Employee monitoring is very privacy-intrusive and requires a robust justification to demonstrate that it is proportionate, considering the impact on employees’ privacy. Employers should always consider less intrusive ways to achieve the purpose of any proposed monitoring before proceeding, and monitoring on a “blanket” basis will generally be difficult to justify.

Transparency is also key; covert monitoring is unlikely to meet the GDPR requirements except in very exceptional circumstances.

It is crucial that employers carry out a thorough data protection impact assessment to fully assess the risks of any proposed monitoring and ensure that their approach is proportionate and justified.

Monica Sharma is an English Literature graduate from the University of Warwick. As Editor for HRreview, her particular interests in HR include issues concerning diversity, employment law and wellbeing in the workplace. Alongside this, she has written for student publications in both England and Canada. Monica has also presented her academic work concerning the relationship between legal systems, sexual harassment and racism at a university conference at the University of Western Ontario, Canada.

Latest news

Russell Cowley: Gen Z – rebuilding workplace culture, break by break

Gen Z workers are taking proper breaks and in doing so, they may be fixing something the rest of us broke.

England’s overnight World Cup clash and 5am pub opening prompt CIPD advice

The CIPD is urging organisations to agree any flexibility before England's 1am World Cup last-16 tie to help minimise disruption at the start of the working week.

Fit for Work: Weekend warrior? You can still reap the health benefits

Weekend exercise can still improve long-term health, even for people who struggle to fit physical activity into the working week.

Superdry co-founder’s victim warns workplace power can silence abuse victims

A survivor's account raises questions about speaking-up cultures and accountability in organisations.
- Advertisement -

UK’s always-on work culture ‘driving employee burnout’

Nearly half of UK workers say they end most working days mentally exhausted as rising workplace pressure leaves employees and managers struggling to switch off.

Andrew Murray on why no two days look alike

A people development leader shares how travel, training and a passion for helping others shape a working day with little room for routine.

Must read

Paul Finch: From lock and key to the cloud

Not many HR managers are technology experts – and...

Nick Sutton: Delivering meaningful employee rewards in a cost-conscious climate

A well-thought-out employee rewards programme can make a significant difference when it comes to keeping employees motivated and engaged.
- Advertisement -

You might also likeRELATED
Recommended to you