The fine, the fourth highest ever issued under the General Data Protection Regulation (GDPR), shows how substantial penalties can be imposed for privacy violations by employers. They are not reserved solely for high-profile security breaches, such as the sky-high fines imposed on British Airways by the Information Commissioner’s Office (ICO) or large-scale misuse of consumer data (such as last year’s €50m fine against Google in France).
The employer in this case was the fashion chain H&M, whose service centre in Nuremberg was fined by the Hamburg Commissioner for Data Protection and Freedom of Information (the Hamburg DPA) for extensively recording details about its employees’ personal lives.
Following holidays and sickness absences, H&M’s management would conduct “Welcome Back Talks” with its employees and permanently record notes from those conversations on a network drive accessible by up to 50 H&M managers. The information in the notes from the talks ranged from details of holiday experiences to illness symptoms and diagnoses (such as bladder weakness and cancer diagnoses), family issues and religious beliefs. The notes contained a high level of detail and covered long periods of time, which meant that employees’ personal issues could be tracked as they developed.
The scale of this monitoring was widely made known when the network drive was briefly accessible company-wide in October 2019. The Hamburg DPA was informed and commenced a year-long investigation. During this, it was uncovered that the level of detail recorded from the Welcome Back Talks gave H&M’s management intimate profiles of hundreds of employees’ private lives. These were used, in conjunction with meticulous work-performance evaluations, to make employment decisions about those individuals. The database of notes dated back to 2014.
Why was the monitoring unlawful?
The Hamburg DPA has not published details of the legal basis for this fine, but it is likely that the breaches relate to the processing of personal data, including special category data, without a lawful basis. GDPR principles relating to transparency, fairness, data minimisation, storage limitation and confidentiality are also likely to have been contravened.
The GDPR is clear that it is lawful for employers to process personal data, including special category data such as health information, where it is necessary for the purposes of carrying out obligations and exercising specific rights under employment laws. For example, employers can lawfully record information about an employee’s health condition to prevent disability discrimination and to comply with health and safety obligations. In this case, however, it appears that H&M’s monitoring of employee information far exceeded what was necessary and proportionate.
A record-breaking fine
The fine is extraordinary and surprising considering the level of cooperation that H&M offered during the investigation, including voluntary payment of compensation to the affected employees, and the fact that the conduct only appears to have affected several hundred data subjects.
Unlike the UK, where the ICO enforces data protection law nationally, Germany has its data protection laws enforced by multiple state-based regulators. Recent actions and guidance by the data protection authorities in Germany range from:
- The good: The Baden-Württemberg data protection authority issued pragmatic guidance on how it will approach enforcement of the European Court of Justice’s recent Schrems II decision.
- The bad: The Hamburg DPA’s record-breaking fine against H&M, discussed above, which is likely to be viewed as overly punitive.
- And the ugly: The Berlin Commissioner for Data Protection, in the aftermath of the Schrems II judgment, made sweeping statements about data transfers to the US being no longer permitted…
It remains to be seen whether the Hamburg DPA’s record-breaking fine turns out to be a one-off, or whether we will see future fines of this scale in Germany or other jurisdictions.
Impact of this fine on UK employers
The magnitude of the fine should raise employers’ eyebrows in the UK. While German attitudes towards monitoring are generally far stricter than in the UK, the GDPR obligations from which this fine arose apply equally to employers in the UK and will continue to do so following the end of the Brexit transition period. The fine creates a precedent for possible multi-million-pound fines in the UK for excessive employment record keeping, which may mean UK businesses need to review their practices and adjust them as necessary to reduce the risk of a compliance breach.
It is common in the UK for employers to obtain information about their employees following brief or extended absences from work. A manager might discover personal details about an employee during an informal social chat following a holiday. More formally, return-to-work interviews are a core and often mandatory feature of many employers’ absence management procedures. An employer may, for example, need specifically to ask an employee for details about their sickness or injury absence to make sure they are not subjected to a substantial disadvantage because of a disability related to the absence.
While the H&M fine should not deter UK employers from following such commendable and necessary practices and procedures, it is nonetheless a warning for them to be vigilant to the risk of information gathering and record keeping becoming an excessive and unwarranted intrusion into their employees’ private lives.