SWEDISH RETAILER H&M has been fined £32.1 million for keeping “excessive” records on the families, religions and illnesses of its workforce at its Nuremberg service centre in Germany.
The data protection authority of Hamburg hoped that the large fine would help to ‘scare off companies’ from violating people’s privacy.
The Stockholm-based retailer, which has about 179,000 employees worldwide, has accepted full responsibility and plans to compensate employees.
The company said it will “carefully” review the watchdog’s decision and pledged to pay “financial compensation” to anyone who worked at the Nuremberg centre for at least a month since May 2018.
“The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions,” the fashion giant said in a statement.
“H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg.”
It is the second-largest fine a single company has faced under the EU General Data Protection Regulation (GDPR) rules.
Last year, the French data regulator, CNIL, fined Google £45.5m for breaching the General Data Protection Regulation.
The GDPR is a regulation in EU law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA.
The year-long investigation by the watchdog found that some managers also sought further private details in informal chats, including family issues or religious beliefs, which were then stored and used to evaluate work performance and make employment decisions.
“This is a case that showed a gross disregard” of data-protection rules in Germany, said Johannes Caspar, the head of the watchdog.