H&M has been fined for allegedly violating its workers’ privacy.
The Data Protection Authority of Hamburg has levied a fine of 35 million euros, or $41.1 million at current exchange rates, on the Sweden-based chain, which it claimed had recorded details about several hundred employees since at least 2014.
According to the German watchdog, the information included “extensive records of private living conditions,” such as medical diagnoses and religious beliefs, of the workers at the fast-fashion retailer’s service center in Nuremberg. It added that managers had used the data to evaluate work performance and make decisions about employment.
“The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg,” commissioner Dr. Johannes Caspar said in a statement. “The amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees.”
The data collection was said to have been exposed in October of last year, when a configuration error made the information accessible across the company for several hours. It marks the second-largest fine brought against a company over data breaches since the European Union introduced its General Data Protection Regulation in 2018. (Google was hit with a fine of 50 million euros, or $57 million, in France last year.)
H&M has since apologized to the impacted staff members and shared that it had compensated them for the data breaches. In a post on its website, the company reassured customers and employees of its GDPR compliance and revealed personnel changes at the Nuremberg site. It also promised additional data privacy training and appointed a data protection coordinator.
“The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards,” it wrote.
The Hamburg commissioner commended the move and said, “The efforts of the group management to compensate those affected on site and to restore trust in the company as an employer are expressly to be rated positively. The transparent information provided by those responsible and the guarantee of financial compensation clearly show the willingness to show those affected the respect and appreciation they deserve as employees in their daily work for their company.”