01 October, 2020
It has been reported today that the Swedish clothing retailer, H&M has been fined 35.3 million euros ($41 million) by the German data protection supervisory authority, after it was found to have spied on some of its employees in Germany.
The national supervisory authority based in Hamburg has confirmed that private information "ranging from rather harmless details to family issues and religious beliefs" about employees at its customer service centre in Nuremberg, was recorded on a network drive and accessible by up to 50 managers and "used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment."
The combination of collecting private information and the recording of employees' activities was found by the supervisory authority to have caused a serious infringement on the employees' civil rights. The infringement came to light after the data briefly became visible to all people on the company network, which resulted in media reports about the information gathering.
The news of this enforcement action will be of interest to organisations currently considering how to monitor employee performance in light of the Covid-19 pandemic. With more employees working remotely, the management of home and agile workers can be challenging due to the lack of visibility of their activity and their potentially different working schedules. Whilst organisations will have several reasons for wanting to know what its remote workers are doing and how they are doing it, this enforcement action by the German supervisory authority will be a reminder to those organisations that there is a balance to be struck between the legitimate business interests of an organisation and employees' right to privacy. Monitoring of employees is not prohibited either by the GDPR or the Data Protection Act 2018 but it is important for organisations to assess whether the benefit it can gain from the monitoring it proposes is sufficient to justify the intrusion into the private life or communications of their employees.
The ruling along with the imposition of a fine in excess of the 20 million euro threshold is a stark reminder to organisations about the importance of collecting and storing private data and whether this data is being used for the purpose for which it is being collected.
If your organisation or business needs assistance in reviewing its current policies and practices in relation to the collection and storing of personal data, please do get in touch with our expert data protection lawyer, Bethany Paliga, who can advise you on the same.
Monitoring employees and the data protection implications are discussed further in 'Covid-19, Homeworking and the Law - The Essential Guide to Employment and GDPR Issues' by Forbes Solicitors. A copy is available to buy here - http://www.lawbriefpublishing.com/product/covid-19andhomeworkinglaw/
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.