13 October, 2020
It has been reported earlier this week that the Swedish clothing retailer H&M has been fined more than €35 million ($41 million) by the German data protection authority, after it was found to have unlawfully collected personal data of some of its employees in Germany. This is the highest fine issued by the German data protection authority for a breach of the GDPR.
The German data protection authority based in Hamburg has confirmed that H&M had engaged in "extensive recording of details about employees' private lives". This included collecting private information "ranging from rather harmless details to family issues and religious beliefs" about employees at its customer service centre in Nuremberg. This private information was recorded on a network drive and accessible by up to 50 managers and "used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment."
This extensive employee data collection was discovered after the information became temporarily accessible to all staff for several hours in October 2019, prompting the German data protection authority to open an investigation after the incident was reported in local media. When announcing the fine, the German data protection authority stated that "The combination of collecting details about [employees] private lives and the recording of their activities led to a particularly intensive encroachment on employees' civil rights."
H&M has apologised to its employees for the breach of the GDPR and confirmed that all affected employees will receive financial compensation as an acknowledgement of the distress caused by their employer's use of their personal information. The company has also committed to improving its data protection compliance and providing additional data protection training to managers.
The news of this enforcement action will be of interest to organisations currently considering how to monitor employee performance in light of the Covid-19 pandemic. With more employees working remotely, managing home and agile workers can be challenging because of the lack of visibility of employees' activity and their potentially different working schedules. Whilst organisations will have several reasons for wanting to know what their remote workers are doing and how they are doing it, this enforcement action by the German data protection authority is a reminder that there is a balance to be struck between the legitimate business interests of an organisation and employees' right to privacy. Monitoring of employees is not prohibited by either the GDPR or the Data Protection Act 2018, but it is important for organisations to assess whether the benefit they can gain from the monitoring they propose is sufficient to justify the intrusion into the private life or communications of their employees.
The ruling, along with the imposition of a fine in excess of the 20 million euro threshold, is a stark reminder to organisations of the importance of how personal data is collected and stored, and of whether that data is used only for the purpose for which it was collected.
Monitoring employees and the data protection implications are discussed further in 'Covid-19, Homeworking and the Law - The Essential Guide to Employment and GDPR Issues' by Forbes Solicitors. A copy is available to buy here - http://www.lawbriefpublishing.com/product/covid-19andhomeworkinglaw/
For more information contact Bethany Paliga in our Governance, Procurement & Information department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.