September 30, 2022

Volume XII, Number 273

Client Update: H&M Fined 37.8 Million Dollars for Alleged GDPR Violations

On October 1, 2020, the Hamburg Data Protection Commissioner (“Hamburg DPA”) fined clothing retailer H&M 37.8 million US dollars (EUR 35.2 million) for several violations of the GDPR.

According to the Hamburg DPA’s press release, since 2014, H&M supervisors at its Nuremberg service center habitually collected personal information (including sensitive personal information) from H&M employees and permanently stored it on a network drive that was accessible to other H&M managers throughout the organization. The personal information collected by H&M included information about employees’ vacation experiences and activities, symptoms of illness and diagnoses, family issues, and even religious beliefs. The Hamburg DPA found that H&M used this information to “obtain a detailed profile of employees for measures and decisions regarding employment.” The Hamburg DPA learned of H&M’s practices through a whistleblower complaint, filed after the information became accessible company-wide for several hours in October 2019 due to a technical error.

After reviewing the collected information and interviewing individuals who confirmed H&M’s practices, the Hamburg DPA concluded that “[t]he combination of collecting details about [employees’] private lives and the recording of their activities led to a particularly intensive encroachment on employee’s civil rights.” H&M has implemented multiple corrective measures, including payments to impacted employees; appointing a new data protection coordinator; monthly data protection status updates; increasing awareness of whistleblower protections; and consistent processes and procedures for handling data subjects’ rights of access.

Top Takeaways

While it is clear that H&M’s data collection practices were overly broad, intrusive, and inconsistent with the GDPR’s key principles, there are valuable lessons to draw from this case. Here are our top takeaways:

  1. Not a data breach: This fine was levied for a compliance failure, not a data breach, following a complaint from an employee.

  2. Lawful basis: If you are processing personal information, especially about your employees, you need to ensure that you have a lawful basis for each processing activity. The lawful bases under the GDPR are consent, contract, legal obligation, vital interests, public task, and legitimate interests. While we do not know what lawful basis H&M cited to justify its processing of the collected information, it is likely that the Hamburg DPA did not agree with it.

  3. Data minimization: Even if you process personal information pursuant to a lawful basis, you need to ensure such processing is “adequate, relevant, and limited to what is necessary in relation to the purposes for which [such data is] processed.” Here, even if we assume H&M had a lawful basis, it is hard to fathom why H&M would need to know about an employee’s family issues or religious beliefs.

  4. Data retention: Organizations should revisit and revise their data retention policies to ensure that personal information is stored only as long as necessary to accomplish the purpose for which it was originally collected. Here, H&M stored the personal information for an indefinite period of time.

  5. Amount of fines: Since the GDPR took effect on May 25, 2018, data protection authorities have not hesitated to assess multi-million-euro fines for GDPR violations. Organizations subject to the GDPR must weigh the risk of these fines against the cost of maintaining a robust privacy compliance program.

© Polsinelli PC, Polsinelli LLP in California
National Law Review, Volume X, Number 286

About this Author

Shareholder

Liz is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters. Prior to practicing in the U.S., she practiced law in the U.K. for over 10 years, counseling clients on EU privacy and technology matters.

Liz’s practice involves three key areas: privacy, advertising, and technology licensing. She has significant experience counseling clients on how to comply with their EU privacy obligations, with a particular focus on how to prepare for, respond to, and implement...

303.583.8228
Sean T. Nakamoto
Privacy & Cybersecurity Attorney, Polsinelli, Denver, CO
Associate

As a lifelong technophile, Sean Nakamoto is committed to understanding how privacy, data security, and technology affect each client’s business model, culture, practices, and objectives. His practice focuses on advising clients across a wide variety of highly regulated and innovative industries on privacy, data security, data use, and technology matters, including counseling on compliance with domestic and international privacy and data security laws and regulations. Sean also represents clients in information technology matters, including licensing agreements, technology...

303-256-1972