As announced by a press release dated 1 October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of €35,258,707.95 (approx. US$41.2 million) against H&M Hennes & Mauritz Online Shop A.B. & Co KG, a Hamburg-based subsidiary of Swedish fashion and textile company H&M.

This is, so far, the apex of Germany’s participation in the ongoing race among European data protection authorities to issue higher administrative fines for violation of the EU General Data Protection Regulation 2016/679 (GDPR). GDPR has implemented a dissuasive liability regime for violations of its provisions, which may reach up to a maximum of €20,000,000 or 4 percent of the annual global turnover of a company (where a company is to be interpreted in a broad fashion, which may also include affiliated companies active in the same business).

The cause for the proceedings initiated by the HmbBfDI was the alleged conduct in a service center operated by H&M Hennes & Mauritz Online Shop A.B. & Co KG in Nuremberg, which was made public by various press reports. Allegedly, since 2014, certain managers at the Nuremberg service center had conducted on a regular basis so-called “Welcome Back” talks with their employees following their recreational or sick leaves, inquiring about, and also recording in detail, the underlying reasons for their leave, as well as their experiences. These talks provided detailed insight into the private and family lives of the employees, which were subsequently shared with other managers and used, inter alia, in employment-related decision-making processes. This practice came to light when the data, which represented around 60GB, was accidentally made available within H&M for several hours in 2019. 

In its decision, the HmbBfDI did not disclose the calculation model used for the specific fine. Nevertheless, it stated that H&M took “unprecedented corporate responsibility” when becoming aware of the violations in the Nuremberg service center, including payment of consideration to affected employees and implementing a new data protection compliance regime. Despite the nearly unprecedented violation of the private life of employees, such remediation would have materially minimized the potential amount of the fine. Indeed, while substantial, the fine probably is estimated to only represent under 1 percent of the total global turnover of H&M. However, the HmbBfDI still considered the fine of around €35 million as adequate, relying in this regard on the intention to deter other companies in the future from violating employees’ privacy. H&M now has the opportunity to appeal the decision of the HmbBfDI within 14 days after delivery of the decision. However, given the severity of the breach and the relatively low volume of the fine (at least from a percentage point of view), this appears unlikely.

Despite the major theoretical fines provided under GDPR, the decision by the HmbBfDI emphasizes again how important reactivity, cooperation with the data subjects and supervisory authority, and post-breach compliance efforts can be to effectively mitigate risk exposure.