The Hamburg Data Protection Authority issued their largest fine ever under the General Data Protection Regulation (GDPR) for employee-related offenses. A fine of more than €35 million was levied against Hennes and Mauritz AB (H&M), a Swedish clothing company.
According to the investigation, H&M recorded and stored gigabytes of recorded one-on-one conversations with employees. The details provided in those conversations were used in decisions regarding the employees. The Hamburg Data Protection Authority found that the personal details revealed, the recording and storage of those details, the fact that multiple managers had access to the data, and that the data were used to make work-related decisions violated the GDPR and infringed on employees’ civil rights.
According to Dr. Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information:
This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies from violating the privacy of their employees. Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.
This announcement originally appeared in JDSupra.