Record fine in Germany for data protection violations
On October 1, 2020, it was announced that the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has imposed a record fine of over 35 million euros on H&M Hennes&Mauritz Online Shop A.B.&Co.KG for serious data protection violations. The company has been spying on its employees for several years.
Since at least 2014, several hundred employees at the H&M service centre in Nuremberg have been monitored by management. After vacation and sick leave, team leaders held so-called "Welcome Back Talks" with the employees concerned. This was not a kind gesture on the part of the company. On the contrary, in addition to details of employees' vacation experiences, symptoms of illness and diagnoses were also permanently stored electronically. In one-on-one meetings, information about the employees' private lives was also repeatedly requested. These findings were likewise recorded and could be viewed by up to 50 managers in the company. The data collected and the profiles created were used primarily to assess the work performance of the employees and as a basis for measures and decisions in the employment relationship.
It was only by chance that H&M's illegal activities were discovered. Following a configuration error in October 2019, the records were accessible to all employees for a few hours. As a result, the Hamburg authority was informed; it ordered the network drive to be frozen and demanded that it be handed over. The company complied with this order and submitted no less than 60 gigabytes of records for further analysis. The HmbBfDI was responsible for the case because H&M has its German headquarters in Hamburg. After numerous witness interviews, the suspicion of illegal practices was confirmed.
Despite H&M's cooperation with the authorities and the company's promise to initiate various remedial measures and to compensate those affected accordingly, a fine of over 35 million euros was imposed. In the opinion of the authority, this is a particularly severe encroachment on the rights of the persons concerned. This was also confirmed by Hamburg's head of data protection, Johannes Caspar: "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees."
The fine imposed exceeds all previous fines imposed in Germany since the General Data Protection Regulation (GDPR, in German: DSGVO) came into force in May 2018. The case also shows that the data protection authorities grant no leniency despite the cooperation of the responsible party and the initiation of remedial measures. Only recently, a fine of 1.24 million euros was imposed on AOK Baden-Württemberg for a GDPR violation. In that case, too, the AOK had cooperated with the authority from the outset and adapted its internal processes and control structures. However, it was expressly emphasized that fines under the GDPR must be effective and proportionate, but also dissuasive.
Please note: This blog merely provides general information and does not constitute legal advice of any kind from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal consultation. Binder Grösswang Rechtsanwälte GmbH assumes no liability whatsoever for the content and correctness of the blog.