H&M was hit earlier this month with the second-largest fine issued under the GDPR to date (€35.3 million) after the Hamburg Commissioner for Data Protection and Freedom of Information investigated a series of data protection failings relating to employment practices at the company's Nuremberg service centre.
Since at least 2014, H&M had operated a range of intrusive practices aimed at building highly detailed profiles of its employees. Those profiles were then used to evaluate work performance and to make important decisions about the individual's employment, for example whether or not they were suitable for promotion.
H&M’s practices included:
- “Return to work” conversations, in which supervisors would meet employees after any period of absence, including holidays and short sickness absences, to discuss it. Details of what the employee said, such as holiday activities or symptoms and diagnoses, were then recorded and stored in the company’s HR system.
- Supervisors would also learn about employees’ private lives through informal discussions and subsequently record the details in the HR system. Whilst much of the information obtained in this way could be categorised as relatively innocuous, some of it related to highly personal matters such as family problems, political opinions and religious beliefs; the latter two are classified as “special category data” under the GDPR.
Once recorded in the system, these details about employees’ personal lives could be read by up to 50 members of H&M’s management.
H&M’s practices only came to light because of a configuration error which, for several hours in October 2019, made the records accessible to every employee at the company. It was this incident that triggered the Commissioner’s investigation.
Take-home points
We set out below some of the key points that can be taken from H&M’s failings in this matter and that apply to UK fashion businesses as much as to those based in the EU:
- The GDPR applies to businesses in the fashion sector in exactly the same way as it does to any other sector. It is often assumed that GDPR compliance is a concern mainly for sectors such as marketing and IT. It is not sector limited or sector specific. If you hold data relating to individuals, which almost all companies do, you need to comply with the rules in the same way that any other company would.
- Extra care needs to be taken when collecting “special category data” (such as health data and data revealing political opinions or religious beliefs) from individuals. Article 9 of the GDPR permits the processing of this data only on a limited set of grounds, and businesses should satisfy themselves that one of those grounds applies before collecting it.
- The data protection principles are essential to ensuring compliance. Aside from the security breach (itself a failure of the integrity and confidentiality principle), H&M’s intrusive employment practices appear to have contravened a number of the GDPR’s other principles, including data minimisation (collecting only data that is adequate, relevant and limited to what is necessary for the purpose), purpose limitation (collecting data for specified, explicit and legitimate purposes and not using it for incompatible purposes) and lawfulness, fairness and transparency (having a lawful basis and making sure individuals know what data you collect, why, and how you use it).
- The fine imposed on H&M is the second largest to date under the GDPR and is likely to be a sign of things to come. The GDPR has been in force since 25 May 2018, and whilst regulators across the EU and in the UK may have taken an “understanding” approach in the period immediately following its introduction, it is reasonable to expect that this approach will not last. Regulators will continue to impose significant penalties for serious violations in future.
- The Information Commissioner’s Office (https://ico.org.uk/) has already shown its determination to pursue businesses – small and big – which infringe the GDPR and the UK’s Data Protection Act 2018.
- Security incidents are clearly high on the agenda of the European and UK data protection regulators: in addition to the H&M fine, both British Airways and Marriott have been heavily sanctioned for data breaches. In this regard, it is worth noting that earlier this month the British Retail Consortium launched a Cyber Resilience Toolkit to help retailers counter cyber attacks.
If you have not yet carried out a GDPR compliance programme, or your programme is simply in need of a refresh, there are 35 million reasons why now would be a good time.