Hamburg’s data protection watchdog has fined a Hennes & Mauritz (H&M) subsidiary $41.4 million for violating the European Union General Data Protection Regulation (GDPR).
According to the Hamburg Data Protection Authority (HmbBfDI), the penalty was levied for excessive use of employee data collected and stored on company networks.
The violations of employee privacy date back to at least 2014. HmbBfDI found that the company had been storing extensive confidential information about staff, including medical details, financial data and information drawn from social media.
“Since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives,” HmbBfDI said in a press release. “Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave – even short absences – the supervising team leaders conducted so-called Welcome Back Talks with their employees.”
Large volumes of information also appear to have been gathered from private conversations between managers and employees. Details of holiday experiences, family issues, religious beliefs and symptoms of illness were recorded and made accessible to up to 50 other managers.
“The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues,” HmbBfDI added.
“In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
To restore confidence within the company, H&M said it will compensate the affected employees and introduce new data protection measures, including the appointment of a data protection coordinator.