PrivacyCache
DE | Data Minimization | Retail | Decision: 2020-10-01

H&M

€35.3M

Issued by Hamburg Commissioner for Data Protection on 2020-10-01

What happened

The Hamburg DPA fined H&M €35.3 million for extensive surveillance of its employees at its Nuremberg service center. Managers conducted detailed interviews with returning employees after absences, recording information about vacations, illnesses (including symptoms and diagnoses), family problems, and religious beliefs. This data was stored on a shared network drive accessible to over 50 managers.

Articles violated

Art. 5(1)(c) GDPR, Art. 6 GDPR

Lessons learned

Employee monitoring must be proportionate and limited to what is necessary. Recording employees' health data, religious beliefs, and personal life details violates data minimization principles. Access controls on sensitive data must be strictly limited. Companies should implement clear policies on what employee data can and cannot be collected.


Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
