If you thought GDPR enforcement was slowed down due to Covid-19, think again. Swedish retail company H&M has been hit with an eye-watering €35 million ($41.3 million) fine for illegally surveilling employees in Germany.
The fine is the highest GDPR penalty levied in Germany since the legislation came into force in 2018, and the second highest of its kind overall, topped only by France’s GDPR fine against Google last year, to the tune of €50 million.
According to the Data Protection Authority of Hamburg, H&M supervisory team leaders conducted “Welcome Back Talks” with employees after they returned from vacations and sick leave. In many cases, not only the employees’ specific vacation experiences were recorded, but also their symptoms of illness and diagnoses.
In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.
This sounds harmless on the surface, but H&M’s extensive data collection was exposed in October 2019 when such data became accessible company-wide for several hours due to a configuration error. Ouch.
Now, this could happen to any company, which is a reminder of the importance of internal auditing practices and data privacy compliance.
Let’s not forget that companies penalized for non-compliance receive significant media attention. The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves.