Germany’s privacy watchdog has fined fashion retailer H&M $41 million for allegedly spying on its employees in violation of the EU’s General Data Protection Regulation (GDPR).
The 35.3 million euro (USD $41 million) fine was handed down by Hamburg’s data protection commissioner, who said that H&M was spying on its employees by collecting vast amounts of personal information “ranging from rather harmless details to family issues and religious beliefs.”
H&M is one of the world’s largest fashion retailers, with more than 5,000 stores worldwide, and a workforce totalling more than 126,000.
The privacy commissioner says that H&M stored private and potentially sensitive information on a drive that was accessible by up to 50 managers with access to H&M’s network. It is alleged that executives and team leaders within H&M drew on this information, which was “used among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment,” says the Hamburg privacy commissioner.
The company was found to have saved more than 60GB of data, which, according to a report from InfoSecurity Magazine, was used for “one-to-one conversations between employees and their supervisors and during ‘welcome back talks’ held between employees and team leaders after an absence from work.”
The trove of data reached back as far as 2014, and the Hamburg Data Protection Authority ruled that it violated both workers’ civil rights and the European Union’s General Data Protection Regulation (GDPR).
Johannes Caspar, the data protection commissioner in Hamburg, said that “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
Reports state that the trove of information on H&M staff was discovered after the database was accidentally left accessible to anyone on the H&M network, rather than restricted to privileged executive access. This led to a number of news stories and the subsequent investigation by the Hamburg privacy commissioner, who eventually handed down the heavy fine for violating the privacy rights of H&M’s employees.
The commissioner added that he hoped H&M would both pay the fine and implement new information security measures to prevent further data breaches. Commissioner Caspar said ditching invasive databases and implementing further information security measures would “show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.”
H&M has said that the practices seen at its Hamburg operations were not representative of the company’s approach to management, and has apologised to all staff members affected by the invasive monitoring program.
The company has said it will examine the fine handed down by the Hamburg privacy commissioner.
It’s believed that this latest fine against H&M represents one of the largest penalties ever handed out for the misuse of employee data under the General Data Protection Regulation.