Data protection violation: H&M is expected to pay a 35.3 Million Euro Fine
H&M Hennes & Mauritz Online Shop Company is registered in Hamburg and operates a service center in Nuremberg, the second largest city in the state of Bavaria, Germany. Personal data of the employees has been subject to detailed processing since 2014. Supervisors at the workplace acquired personal data of the employees through personal and floor talks, and the data was stored on a network drive. Alongside basic details, the processed data included special categories of personal data, such as religious beliefs and family issues. In addition, vacation experiences, symptoms of illness and diagnoses were recorded by the supervising team leaders, who conducted ‘Welcome Back Talks’ with the employees after vacations or sick leave.
The data was stored digitally for years in order to assess the employment of the employees and was accessible to approximately 50 managers throughout the company. For all of the reasons above, there is a definite breach of the relevant articles of the General Data Protection Regulation (GDPR), and the company is said to pay a fine of 35 million EUR.