Employer fined for GDPR breach after employee surveillance
19th October, 2020
Clothing retailer H&M has been fined by a German privacy authority after data protection breaches came to light.
€35.25 million fine for monitoring employees at work
A fine of €35.25 million (approximately £32 million) has been imposed, after the company was found to have been unlawfully monitoring several hundred employees at a customer service centre.
What had they been monitoring?
Management at the service centre had been collecting data on employees and their private lives since 2014. It did this by conducting “welcome back talks” following periods of annual leave or sickness absences and recording the outcomes of these talks, sometimes even including detailed information on private family issues and religious beliefs. This data was stored, among other places, on a network drive which was accessible to various management staff, and was updated over time. The private data was used to provide detailed work performance analysis and also to create a profile of and make decisions in relation to the relevant employee.
The data storage came to light after the data was briefly made publicly visible on the company network following a configuration error. The data protection regulator was then made aware of its existence and described the breach as a “particularly intensive encroachment on employees’ civil rights.”
H&M took full responsibility and apologised unreservedly to its employees at the service centre. It also implemented an action plan to improve its data protection policies. In addition, the company announced it would pay compensation to all those employed at the service centre since May 2018 when GDPR came into force.
The regulator took H&M’s acknowledgement of its breach and its cooperation with the regulator, as well as its corrective action, into account when deciding what action to take. Notwithstanding these factors, the regulator decided that the breach was sufficiently serious to impose a fine of €35.25m.
This case bears some similarities with previous case law. While employers are not completely precluded from monitoring and accessing employees’ electronic communications, they must ensure that they adequately protect the employees’ rights, including by informing employees of the possibility that their communications may be monitored and of the nature and extent of the potential intrusion into their private life and correspondence.
What to do now
The H&M case highlights the importance of companies having strict data protection compliance policies in place to ensure that they do not unlawfully record employee data in breach of GDPR requirements. This should include:
- ensuring that information from private conversations with employees is not used for work-related purposes;
- limiting the processing of employee data to that which is strictly necessary and justifiable under the regulations; and
- limiting access to employee data to those with a need to know, rather than granting managers general access.
Ward Hadaway regularly advises employers on privacy and GDPR matters. If you are a controller of personal data, incidents like this emphasise the importance of having robust data protection policies in place and ensuring that management staff are thoroughly trained in their implementation.
Our team of data protection experts are experienced in dealing with these types of issues. For more details on how we can help you, or for guidance in relation to any of the issues raised in this case, please get in touch.