The H&M Group was investigated and fined.

The Business Insider reported that H&M have been fined $41.1 million (£31,603.213) by a German watchdog after H&M’s supervisors and managers were found to have stored information on their staff.

This information was gathered through meetings and workplace conversations and contained details such as medical symptoms, holiday breaks, family issues and religious beliefs.

The supervisors and managers then used these pieces of information, as well as performance reviews, to determine a staff member’s employment.

Unfortunately for them, staff were made aware of the violation of their privacy when a configuration error in October 2019 allowed the data to be accessible across the entire company for several hours.

Because of this, H&M froze their network drive and handed over 60GB of data to the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), following orders from the watchdog.

The HmbBfDI analysed the data and interrogated the witnesses, who went on to corroborate the practices stated.

The H&M Group have apologized to the staff affected, provided them with compensation and released the following statement:

“H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority. The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.”

To demonstrate their commitment to improving the data protection of their staff, they have implemented the following measures:

  • Personnel changes at management level at the service centre in Nuremberg.
  • Additional training for leaders in relation to data privacy and labour law.
  • Revised instructions for managers.
  • Creation of a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes (a data protection coordinator).
  • Enhanced data cleansing processes.
  • Improved IT solutions supporting compliant storage of personal data, training and leadership.

What do you think of the H&M Group’s actions? Do you think enough has been done? Was the punishment fair?

At TecSec, we hope you have read this article and that it showcases the importance of data protection, privacy and retention periods.

If you would like to discuss the GDPR, data protection laws and how to ensure your staff are protected, get in touch.