H&M is a Swedish multinational retail company focused on fast fashion clothing. It has been hit with an enormous $35 Million GDPR fine for the unlawful surveillance of its employees. The fine was imposed by the Hamburg Commissioner for Data Protection and Freedom of Information. The company is registered in Hamburg and operates a service center in Nuremberg.
What is the Hamburg Commissioner for Data Protection and Freedom of Information?
The Hamburg DPA (Hamburgische Beauftragte für Datenschutz und Informationsfreiheit) is the state Data Protection Authority for the German state of Hamburg. It is in charge of enforcing the GDPR in the private sector within Hamburg. The Hamburg Data Protection Act (HmbDSG) makes complementary arrangements to the GDPR and regulates specific data processing situations to which the GDPR does not apply. The GDPR is therefore the applicable law wherever there is no more specific rule in the HmbDSG or the German Federal Data Protection Act. This is the framework under which H&M was penalized.
How did H&M get penalized?
The authority imposed the fine because the company kept excessive records about its employees, including details of their private lives. The monitoring took place at the Nuremberg service center. The incident came to light in October 2019, when a configuration error made the entire data set available to everyone in the company.
H&M committed privacy violations. After employees returned from absences, H&M conducted "Welcome Back Talks" with them. In some cases the details discussed in these talks, such as vacation experiences and symptoms of illness, were then recorded. The recording was detailed and was carried out at a high level of the organization. This is against privacy.
Additionally, because of the configuration error, the large data collection was exposed and available company-wide for several hours. This shows a serious disregard for employee data protection. The amount of the penalty is therefore adequate and effective, and it deters companies from violating the privacy of their employees.
The fine is the highest amount imposed in Germany and the second-largest in Europe. The data protection authority's main concern was the company's lack of transparency and its handling of employees' personal data, and the lesson for companies is a proper understanding of the privacy data policy as a whole.
Key Takeaways
In the H&M GDPR case it was observed that no breach took place. The fine imposed on the company relates to an overall compliance issue. Another important point to keep in mind is the safeguarding of employees' information: a company shall ensure that a lawful basis is used for each of its different types of processing activities.
Each and every company or organization shall review the data retention policy it has implemented. Personal information is stored only as long as is needed to accomplish its purpose. H&M stored personal information for an indefinite period of time. As the amounts of the fines are set by the General Data Protection Regulation (GDPR), the overall risk of fines must be weighed against the cost of a privacy compliance program.
The Aftermath of the case
Hennes & Mauritz (H&M), after hearing the statement of the regulatory authority, made an acknowledgment to all the employees and service staff in Nuremberg. The company said that it will provide compensation to the affected employees.
Following this investigation, the company has also appointed a Data Protection Co-ordinator and strengthened its processes related to privacy and the safeguarding of employee data. That data will not be made available to others.
A broader action plan was initiated to look after privacy data. The company is also going to educate and train employees and staff in this area.