Post By: Jonathan Armstrong and André Bywater
The Hamburg Data Protection Authority (HmbBfDI) has fined H&M Germany €35.2m ($41.45m) for GDPR violations relating to excessive use of employee data. This is the largest fine so far imposed by regulators for the handling of employee data.
Well-known multinational clothing-retail company Hennes & Mauritz AB (H&M) ran a Service Center in Nuremberg. These operations were investigated by HmbBfDI and resulted in a German subsidiary being fined €35,258,707.95 ($41,519,100).
The regulator found that, since at least 2014, some staff had been subject to extensive recording of details about their private lives. Team leaders would hold so-called “Welcome Back Talks” with their employees after holidays and sick leave and record holiday experiences, symptoms of illness, diagnoses and other details. One-to-one conversations between supervisors and staff were also sometimes recorded on the system, including trivial details about the employee as well as highly sensitive family issues and religious beliefs. Some of this data was accessible on network drives to up to 50 other managers throughout the company.
The data was used to make decisions about employees. The regulator found that “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
The extent of the data collected became known after a 2019 IT glitch caused by a configuration error. HmbBfDI picked up on press reports about the incident and launched its investigation.
What was the regulator’s reaction?
On finding out about the incident, HmbBfDI ordered that the database be ‘frozen’ and handed over to it for analysis under its broad enforcement powers.
Prof. Dr. Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information, said in announcing the fine:
“This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees.”
What did H&M do after the investigation?
H&M was swift to take corrective action and the HmbBfDI took this into account when setting the fine. Dr. Caspar acknowledged:
“Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”
Remedial measures included H&M issuing new company policies and monthly data protection updates, as well as an apology and compensation to those affected. It also increased whistleblower protection measures and implemented a new process to deal with data subject requests. HmbBfDI has called this “an unprecedented acknowledgement of corporate responsibility following a data protection incident”.
HR professionals and managers do sometimes store more data than is necessary. Every organization needs proper guidance on the employee data that can be stored and related training. This needs proper planning, which might include:
- Education on the 6 data processing principles under Article 5 of GDPR. This includes being transparent with employees about how their data is held, limiting the data held to what is necessary, and properly securing that data through external and internal access controls on a “need to know” basis. It will be hard, for example, to justify access to medical records by 50 other employees even if they are managers in the business.
- Establishing a lawful purpose to justify the processing of all personal data (including more sensitive data types). In the employment context, consent can be tricky to rely on, therefore alternative lawful processing bases will need to be explored.
- Ensuring your HR systems are properly configured. Global HR systems can often cause GDPR issues with the wide number of fields and open access by default. Those installing or running a global HR system need to give careful thought to the data that needs to be processed (which may vary between locations or job roles), retention periods and access rights. A Data Protection Impact Assessment will almost always be necessary.
- Thinking about how you transfer employee data outside the E.U., particularly in light of the collapse of Privacy Shield in the EU and Switzerland. The use of Standard Contractual Clauses has also been limited by the European Court. Dr. Caspar has been heavily involved in data transfer cases and we’re likely to see data transfer investigations in Hamburg and across Europe.
- Being ready to deal with more subject access requests under GDPR, especially in Germany. Substantial media coverage of cases like this can easily translate into employees and former employees asking to see the data you hold on them. Make sure your employees can recognize a subject access request and handle it within the short time available to respond, and allocate proper resources to locating and redacting the data.
- Being prepared to answer more general questions about how you handle data (in addition to data subject requests under GDPR). Pre-prepared FAQs may help HR teams and contact centers respond. Works councils are also likely to ask questions.
- Taking into account the fact that class actions after data incidents are on the rise across Europe. Whilst H&M has confirmed it will compensate those affected, that might not be enough to fend off litigation.
- Keeping training refreshed. Some organizations have not trained their employees since GDPR came in. Previous regulatory guidance has said that training must be regularly refreshed, potentially once every 1 to 2 years depending on the job role, access to data, etc. Your plan should include regular refreshers too, not just annual events.
- Having a plan to detect, assess and deal with security breaches quickly. H&M recently confirmed that it reported the software glitch that prompted this investigation as a data breach to the regulator.
You can read the full announcement from the Hamburg DPA here.
About the Author: Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues. This article is an edited version of a longer article that appeared on the Cordery website on 1 October 2020.