Hamburg's DPA slaps €35 million fine on Hennes & Mauritz for unlawful employee monitoring

The fine, issued on 1 October against H&M Hennes & Mauritz Online Shop A.B. & Co KG, relates to serious breaches of employees’ privacy. The Hamburg DPA found that the workforce has, since 2014, been subject to extensive recording of details about their private lives.

The so-called Welcome Back Talks with employees, conducted after a sick leave or a vacation, in many cases resulted in recording employees' vacation experiences, but also symptoms of illness and diagnoses. ‘In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company,’ the DPA says in a press release.

The level of the fine shows how seriously the DPA takes this breach, given that it also recognises H&M’s actions to rectify the situation.

‘The company management has not only expressly apologized to those affected, it has also followed the suggestion to pay the employees considerable compensation. This is an unprecedented acknowledgement of corporate responsibility following a data protection incident,’ the DPA says.

H&M says that it has started to make several improvements at its service centre in Nuremberg. These include improving internal auditing practices, strengthening leadership knowledge and continuing to train and educate both staff and managers.
