20 October, 2020
It was reported earlier this month that the Swedish clothing retailer H&M has been fined more than €35 million by the German data protection authority, after it was found to have unlawfully collected data about some of its employees in Germany. This is the highest level of fine issued by the German data protection authority for a breach of the GDPR.
The German data protection authority based in Hamburg has confirmed that H&M had engaged in "extensive recording of details about employees' private lives". This included collecting private information "ranging from rather harmless details to family issues and religious beliefs" about employees at its customer service centre in Nuremberg. This private information was recorded on a network drive and accessible by up to 50 managers and "used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment."
This extensive employee data collection was discovered after the information became temporarily accessible to all staff for several hours in October 2019, prompting the German data protection authority to open an investigation after the incident was reported in local media. When announcing the fine, the German data protection authority stated that "The combination of collecting details about [employees] private lives and the recording of their activities led to a particularly intensive encroachment on employees' civil rights."
H&M has apologised to its employees for the breach of the GDPR and confirmed that all affected employees will receive financial compensation as an acknowledgement of the distress caused by their employer's use of their personal information. The company has also committed to improving its data protection compliance and providing additional data protection training to managers.
The news of this enforcement action will be of interest to RPs currently considering how to monitor employee performance in light of the Covid-19 pandemic. With more employees working remotely, the management of home and agile workers can be challenging due to the lack of visibility of employees' activity and their potentially different working schedules. Whilst RPs will have several reasons for wanting to know what their remote workers are doing and how they are doing it, this enforcement action by the German data protection authority will be a reminder to RPs that there is a balance to be struck between the legitimate business interests of RPs and their employees' right to privacy. Monitoring of employees is not prohibited by either the GDPR or the Data Protection Act 2018, but it is important for RPs to assess whether the benefit they can gain from the monitoring they propose is sufficient to justify the intrusion into the private life or communications of their employees.
Monitoring employees and the data protection implications are discussed further in 'Covid-19, Homeworking and the Law - The Essential Guide to Employment and GDPR Issues' by Forbes Solicitors. A copy is available to buy here - http://www.lawbriefpublishing.com/product/covid-19andhomeworkinglaw/
For more information contact Bethany Paliga in our Housing & Regeneration department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.