What you should consider in your company after the GDPR infringement by H&M

A GDPR infringement by H&M costs the company 35 million euros. What do you have to look out for in your company to act in accordance with GDPR?

The sanction against H&M is the highest fine ever imposed in Germany. The Hamburg data protection authority sanctioned the infringement. In Europe, only France has ever imposed a higher penalty on a company: Google had to pay 50 million euros last year, a record fine imposed by the French data protection authority.

H&M’s infringement was noticed because an IT error in October last year made the data temporarily accessible to all employees in the company.

The H&M case has a signal effect. We summarise what you should know about GDPR and how you can act in your company in accordance with GDPR.

Information on the General Data Protection Regulation

Since 25 May 2018, the General Data Protection Regulation (GDPR) has imposed stricter requirements than before on how companies handle the data of their employees in the European Union.

In principle, it is a unified system for the protection of personal data. Companies in particular have far-reaching obligations under the GDPR. Infringements are subject to heavy fines. The examples of H&M or Google show that the data protection authorities take firm action against such violations.

However, the GDPR also extended consumer rights. In addition to the previous rights to information and to deletion of data, consumers now have a right to data portability against companies.

How H&M infringed the GDPR

The Hamburg data protection authority imposed the fine on H&M for spying on its employees, which it found to be a violation of the GDPR.

The company, which is based in Hamburg, operates a service centre in Nuremberg, where it carried out extensive surveys of employees' private circumstances. After holiday or sick leave, even brief absences, supervisors held so-called "Welcome Back Talks" with returning employees. There they not only recorded the employees' concrete holiday experiences, but also recorded symptoms of illness and diagnoses.

In addition, some supervisors acquired a broad knowledge of their employees' private lives through one-on-one and corridor conversations, ranging from rather harmless details to family problems and religious beliefs. The superiors recorded the information and stored it digitally. In this way, they created detailed profiles that could be viewed by up to 50 managers in the company.

The profiles served as a basis for the evaluation of individual work performance and were used for personnel decisions.

"The combination of researching their private lives and the ongoing recording of what they were doing led to a particularly intensive encroachment on the rights of the individuals concerned," says Prof. Dr. Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information.

GDPR-compliant action in your company

Of course, small talk in the office kitchen and the question about last weekend are legally unobjectionable. However, companies are not allowed to record these conversations in order to create profiles of their employees.

This is because you are not allowed to collect data about your employees that is unrelated to the activity agreed in the employment contract. In principle, companies may only process employee data if it is necessary for the performance of the employment relationship or if other legitimate interests of the employer justify the processing. Of course, the line between malicious surveillance and documentation for quality assurance purposes is very fine here.

Changes and obligations for companies under the GDPR

The General Data Protection Regulation makes companies more accountable. Initially, not much changed for German companies because some of the changes were already covered by the old version of the Federal Data Protection Act.

This applies for example to the appointment of a data protection officer in your company. The GDPR as well as the Federal Data Protection Act prescribe such a person for companies.

However, some changes and obligations still apply to companies under the GDPR when they collect data within the EU:

  • Scope: the GDPR applies not only to companies established in the EU. Non-European companies operating on the European market or processing data of EU citizens are also bound by it.
  • Sanctions: fines for non-compliance can be up to 4 percent of total annual turnover.
  • Privacy by Design: technical measures to protect personal data should already be part of the development of processes. In this way, data protection becomes the standard.
  • Privacy by Default: default settings in companies should be data protection-friendly. Data protection is thus guaranteed from the beginning without any adjustments.
  • Obligation to report: companies must report a personal data breach within 72 hours. However, the obligation does not apply if the breach "is not likely to harm the rights and freedoms of natural persons".

Our assessment

For most companies there is no reason to panic at first. Nevertheless, the cases of H&M or Google show that the responsible authorities take action in case of infringements.

If you need our support in implementing the GDPR in your company or if you have any doubts as to the extent to which and which personal data of your employees you are allowed to process, you can contact us at any time.

PS: Have you already obtained the consent of your employees for the birthday calendar published within the company?


Marcus Büscher, lawyer in Düsseldorf and Krefeld
Tel.: +49 211 – 9 0867 677

Bahar Beyaz
Tel.: +49 211-9 0867 676