Swedish clothing-retail company H&M is being fined €35.3 million (£32.1 million) for GDPR breaches after carrying out illegal surveillance of several hundred of its employees.
The Data Protection Authority (DPA) of Hamburg found that the firm had been spying on staff at its Nuremberg service centre.
H&M made an “unreserved apology” to its workforce, saying in a notice that all staff employed at the service centre, as well as those employed for at least one month since May 2018, “will receive financial compensation”.
The €35.3m sum is the largest financial penalty issued by a German DPA to date for a violation of GDPR rules, and the second-highest issued in Europe.
In a statement, the Hamburg regulator said: “After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees.
“After these talks, in many cases, not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses.
“In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”
The data collection was revealed after notes were made accessible company-wide for a few hours due to a configuration error in October 2019.
The Hamburg regulator head Johannes Caspar said that H&M “showed a gross disregard” of data-protection rules in Germany and that the large fine was “justified and should help to scare off companies from violating people’s privacy”.
H&M is not the first company in recent weeks to have issues with illegal surveillance. Online retailer eBay was left reeling last week after it emerged that staff members had illegally spied on customers.
Four former employees of the commerce giant, including top executives, pleaded guilty in a US court over an intimidation campaign against a US couple after they left negative reviews on a blog site.
In August an investigation was carried out by French data privacy watchdog the Commission Nationale de l’Informatique et des Libertés (CNIL) into TikTok after concerns over private data.
The CNIL opened the investigation after a complaint related to a request to delete a video, then widened it to include various data privacy issues. The investigation now includes transparency concerns surrounding how TikTok processes user data; users’ data access rights; transfers of user data outside the EU; and how the app ensures the data of minors is protected.