H&M Learns That Data Privacy Violations Are Never In Fashion

Germany’s  Hamburg Data Protection Authority (“HmbBfDI”) have imposed a €35.2 million ($41.4 million) fine on  H&M, the world’s second-largest clothing retailer, for violations of theGeneral Data Protection Regulation (“GDPR”); the largest privacy fine ever issued by a German regulator. This fine is significant for a number of reasons, not least of which is that European regulators are starting to crack down on companies in a variety of industries outside of tech.

Why Was H&M Fined?

H&M operates 5,000 stores across 74 countries and employs 126,000 people, though the company has announced that over the next year it plans to close 250 stores due to the ongoing COVID-19 pandemic which has led more people to shop online. HmbBfDI’s fine was due to H&M’s employee monitoring practices, which largely disregarded GDPR data protection requirements.  Since at least 2014, H&M recorded details about the private lives of their employees, stored them on a network drive, and shared those details with managers at the company. 

The processing of employee data came to light in October 2019 after a configuration error made the collected data accessible to everyone inside the service center for several hours. After receiving the security breach notification, HmbBfDI launched an investigation, and it immediately ordered the company to freeze the database and provide it with a complete copy of the data. 

H&M has pledged to financially compensate all employees who have worked for the organization for at least one month since GDPR came into full effect in May 2018. H&M says that when the inappropriate employee monitoring practices came to light last year, it immediately began instituting changes, including “personnel changes at management level” at the service center, additional training for managers on data protection and labor law, revised HR policies, creating a new “data protection coordinator” role, revising data-retention and data-deletion processes and investing in new technology to better protect data. 

COVID-19 Implications

Though H&M’s incident occurred before the COVID-19 pandemic began, data protection practices should be front of mind as companies in all industries are collecting additional personal information from their employees, especially those who have shifted a significant amount of their workforce to remote positions on either a temporary or permanent basis. Regulators are seeing a significant rise in data protection requests and complaints. 

How Can Clym Help?

Clym provides a cost-effective, scalable and flexible platform to help comply with CCPA, GDPR, and other laws as they continue to change.  Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.