
Digital Guardian's Blog

Employee Surveillance Tied to $41M GDPR Fine

by Chris Brook on Tuesday October 27, 2020


The apparel company H&M is being asked to pay a 35 million euro fine, roughly $41 million, stemming from a GDPR violation.

Data protection watchdogs in Germany handed down the second largest fine under the General Data Protection Regulation earlier this month, fining clothing retailer H&M €35.2 million, or $41.1 million USD, for essentially carrying out surveillance on some of its employees.

While many have questioned whether data protection authorities are issuing enough credible enforcement actions, the action is a reminder that GDPR fines, while perhaps not as commonplace as the industry expected, can be significant.

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) handed the fine down after learning through local media reports last year that an issue at its customer service center in Nuremberg resulted in the company exposing employee data for a few hours. When confronted for evidence of the incident, H&M supplied 60 gigabytes of files that demonstrated the company had been recording information since 2014.

According to the European Data Protection Board, supervisors at the company recorded data from hundreds of employees (the regulator called the data “extensive recordings of the private-life circumstances”) while carrying out informal conversations. Supervisors at the customer service center in Nuremberg recorded data such as employee vacation experiences, illnesses, family issues and religious beliefs, and stored it in a database that was readable by up to 50 managers throughout the company.

“The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues…” the EDPB wrote. “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

Hamburg’s data protection authority didn’t know about the data collection until a technical issue with the company's network in October 2019 made the data accessible company wide, something that in turn led to media coverage. The authority said it believes the amount of the fine is appropriate to deter companies from similar privacy violations.

It’s the largest GDPR fine since CNIL, France's data protection authority, fined Google 50 million euros in January 2019, alleging that the way the company handles ad personalization violates the GDPR.

H&M, for its part, acknowledged the incident shortly after it became public, apologizing to its employees and stressing that its practices for processing employees' personal data were out of line. The company said earlier this month it was reviewing the fine carefully, adding that it has since made adjustments to how it handles data privacy and data cleansing and how it stores personal data.

While it's too soon to know whether the tide is turning on GDPR fines, the fact that this is the second highest fine levied since the regulation took effect in 2018 shows that securing the privacy of individuals, especially employees, remains a priority for regulators.

Tags: GDPR

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.