On 2nd October 2020, the clothing retail company, H&M, were fined €35 million after monitoring and recording “extensive details about their [employees’] private lives” in Nuremburg. HRreview asks professionals how employers can ensure they do not breach the General Data Protection Regulation (GDPR).

H&M were hit with a €35 million fine after a German data protection watchdog found that, in Nuremberg, the retailer had monitored hundreds of employees since at least 2014.

The Hamburg Commission for Data Protection and the Freedom of Information stated that:

Corresponding notes [linked to the monitoring] were permanently stored on a network drive.

After absences such as vacations and sick leave, the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases, not only the employees’ concrete vacation experiences were recorded but also symptoms of illness and diagnoses.

In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.

The Commission also found that some of these issues were updated on the network drive over longer periods of time as H&M received more information.

This data was able to be partly read by up to 50 managers after it was digitally stored. According to the report, this data was “used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment.”

This breach of data became public after an internal error in October 2019 leaked the data company-wide.

H&M issued a public statement in its June to August earnings report, stating:

The regional data protection authority in Hamburg has imposed an administrative fine of 35 million euros. The H&M group admits shortcomings at the service centre and has taken forceful measures to correct this.

In addition, the company agreed to pay out compensation to employees who have worked at that site for at least a month since May 2018. It has also stressed that it has carried out “additional training for leaders in relation to data privacy and labour law”.

Dr. Francis Gaffney, director of threat intelligence at Mimecast, a cyber security specialist company, said:

GDPR is not just something else an organisation needs to comply with, but rather benefit from the behaviours GDPR is designed to encourage. Organisations shouldn’t view regulation such as this as a burden and start to view it through the lens of their customers, partners, or employees. If someone trusts you with their data, you owe it to them to be completely honest about what data you are collecting and to protect it, know exactly how (and where) it is stored, and who can access that data.

Because GDPR focuses on the protection of personal data, and not just data privacy, compliance requires a more rigorous approach. To remain GDPR-compliant, organisations must demonstrate GDPR compliance across organisational and technological operations, including specific requirements for data processors and data controllers. It is also necessary for organisations to establish a legal basis for processing personal data, must be able to defend the method of processing, and comply with any request to stop processing when consent is withdrawn or was found to never have been given. Implementing archiving technology can also help organisations remain compliant, especially if they ever go through an audit process.

Emma Erskine-Fox, associate at UK law firm TLT, said:

Employee monitoring is very privacy-intrusive and requires a robust justification to demonstrate that it is proportionate, considering the impact on employees’ privacy. Employers should always consider less intrusive ways to achieve the purpose of any proposed monitoring before proceeding, and monitoring on a “blanket” basis will generally be difficult to justify.

Transparency is also key; covert monitoring is unlikely to meet the GDPR requirements except in very exceptional circumstances.

It is crucial that employers carry out a thorough data protection impact assessment to fully assess the risks of any proposed monitoring and ensure that their approach is proportionate and justified.