The Hamburg Commissioner for Data Protection and Freedom of Information fined H&M €35 Million for a GDPR violation. This is the biggest GDPR fine of 2020 and the fourth-largest overall, after Google's €50 Million fine.

H&M collected extensive details on employees of its Nuremberg site, including health information, details of their private lives and religious beliefs, among other things. This came to light in October 2019, when a configuration error made the data accessible to everyone in the company. This violated the data protection rights of the employees and led to a fine of €35 Million for H&M.

What is GDPR?

GDPR stands for General Data Protection Regulation, which came into effect on 25th May 2018. GDPR makes companies liable for their use of personal data and gives consumers rights over their personal data. GDPR is the strictest data protection regime in the world; it applies to private and government entities and to both EU and non-EU organizations. GDPR applies only to personal data; anonymized data is out of its scope. We covered GDPR in detail in our post, What is GDPR?

Details on GDPR Violation by H&M

H&M recorded details on employees going back to 2014, including their leave data, health data (illnesses), and personal-life details picked up from conversations on the floor, including family issues and religious beliefs. Under GDPR, health data and religious beliefs are special category data and require strong protection.

At H&M, however, these details were accessible to 50 managers. This data, along with work performance, was also used to build profiles of employees that informed decisions regarding their employment.

In the aftermath of this incident, H&M has compensated the affected employees. It has also appointed a Data Protection Coordinator and strengthened its processes around data subjects' right of access. These initiatives were appreciated by the Data Protection Authority:

"Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company."

We will add more details to this post as we hear more from the DPA.

Also, watch the Top 10 Biggest GDPR Fines in 2020.