H&M hit with fine for GDPR breach

A word of warning for any UK companies breaching GDPR rules after German retailer H&M was hit with a whopping £32million fine.

It is the second-largest fine on record for a GDPR breach, sitting only behind Google’s £45.5m penalty from the French data regulator CNIL last year.

And Johannes Caspar, head of Germany’s watchdog the Data Protection Authority of Hamburg, claimed the fine was “justified and should help to scare off companies from violating people’s privacy”.

The punishment should make companies in the UK sit up and take notice because, while Britain left the EU on January 31, companies in the UK still need to adhere to EU rules until the end of the current transition period and the Data Protection Act 2018 thereafter, which is largely similar to the GDPR if not more extensive.

Also, moving forward, any UK companies looking to do business with the EU will still need to comply with the European regulation.

After a year-long investigation, H&M was found guilty of keeping excessive records on employees’ health records, religions and family information at its Nuremberg service centre.

The violations included extensive staff surveys to unearth details of holidays, medical symptoms and diagnoses of illnesses.

Some senior staff also delved for further information in informal chats, with the details stored and then used to evaluate work performance and employment decisions.

H&M made an “unreserved apology” to the staff involved and said that all of those employed for at least a month since May 2018 – when GDPR came into force – would receive financial compensation.

It also said it had taken “forceful measures” to correct any related shortcomings.

It is a reminder that data protection legislation and consideration of this when dealing with employees must be taken seriously.

For further information or advice please contact gdpr@woodfines.co.uk

-Anastasia Whitlock 

  • This field is for validation purposes and should be left unchanged.