H&M will be charged €35.3 million, a penalty imposed by the Data Protection Authority of Hamburg. The company, which has a service center in Nuremberg, is accused of collecting and storing private-life data about its employees. H&M has allegedly been gathering far more data than it was entitled to about hundreds of its employees since 2014. The press release describing the incident states that many private details were documented by the company’s management, including information about family issues, religion, illnesses and diagnoses. These records, in some cases quite elaborate and full of particularities, were kept for further processing and analysis and were accessible to dozens of employees.
The arbitrariness with which the company’s managers collected and recorded private-life data during casual conversations, and kept a history of such details to build an illicit profile, is among the key problems the Data Protection Authority is trying to convey by imposing the biggest GDPR fine within Germany so far.
The fact that the company was collecting private information surfaced unexpectedly in 2019, after a configuration error in the system exposed the data and let anyone working at the company access it. The exposed details were available for hours.
60GB of information was provided by H&M to the DPA.
The company took many steps to restore the level of security and transparency: the brand has reportedly invested in compliance and launched a data protection program in Nuremberg. A new employee has been assigned to coordinate data protection. The new risk management framework of the affected service center included whistleblowing-prevention mechanisms and privacy status updates.
It has been noted that H&M was going to reimburse the employees for major inconvenience.
Interestingly, according to Trust Anchor, given the company’s turnover the penalty should have been about two times higher, roughly €61 million, but thanks to the company’s cooperation with the DPA it was cut in half.