High GDPR fine issued but not for a data security breach

The Hamburg data protection regulator in Germany has issued a fine of €35.3 million against retail firm H&M for breaches of the GDPR relating to the excessive and unlawful collection of employee data. Interestingly, although the fine is the highest yet levied by a German regulator, it did not relate to a data security breach, which is how we have to date seen the biggest fines originating. In comparison to multiple high profile ongoing enforcement investigations in the UK and Ireland, the investigation in Germany has also been concluded at relatively high speed, in just under a year.

Background

H&M is registered in Hamburg and operates a service centre in Nuremberg. Since at least 2014, according to the Hamburg regulator’s investigation, parts of the workforce have been subject to extensive recording of details about their private lives.

After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, comprehensive details of the employees holiday experiences or illness and diagnosis (in the case of sickness absence) would be recorded. In addition, some supervisors recorded personal information ranging from rather harmless details to family issues and religious beliefs as a result of casual and informal conversations with employees.

The recorded information was accessible by up to 50 other managers throughout the company and the information was used to create a detailed profile of individual employees and sometimes used to make employment-related decisions.

The excessive and unlawful collection of employee data came to light towards the end of October 2019 when a configuration error meant that the data became accessible company-wide for several hours. The Hamburg regulator was informed about the data collection through press reports and proactively issued an order for the contents of the network drive to be "frozen" and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation.

Despite the company’s full cooperation with the investigation, and its offer to compensate affected employees – actions which the regulator acknowledged as being an unprecedented acknowledgement of corporate responsibility following a data protection incident – the regulator considered that the seriousness of the breach warranted a significant fine (although not as significant as it appears it could have been according to the German authorities’ fine calculation model).

Practical Implications

We have set out below some key takeaways from this enforcement action:

• Be warned that significant fines are not only reserved for security incidents – there are many ‘breaches’ of the GDPR that could potentially result in a fine of up to 4% of annual worldwide turnover;
• Make sure that your HR and privacy functions are joined up and that HR personnel are properly trained in data protection issues – the HR function is a naturally data heavy part of any organisation;
• Even within the HR function itself, ensure that personal data is only accessible to personnel on a need to know basis;
• Keep the data minimisation principal front of mind and only collect data that is necessary; and
• Full cooperation with the regulator could lead to a reduced fine but will not absolve an organisation of regulatory liability.