H&M fined EUR 35 mil in Germany

On 01/Oct/2020, H&M Hennes & Mauritz Online Shop A.B. & Co. KG. received a privacy fine of EUR 35,258,707. The enforcement authority () has cited these legal provisions in imposing the fine on H&M Hennes & Mauritz Online Shop A.B. & Co. KG.: GDPR/


Date of enforcement action:
Jurisdiction: Germany
Fine imposed: EUR 35,258,707 (US$41,700,000)
Defendant company or entity: H&M Hennes & Mauritz Online Shop A.B. & Co. KG.
Industry segment: Retail /

Case summary

In the case of the monitoring of several hundred employees of the H&M service centre in Nuremberg by the centre management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 euros against H&M Hennes & Mauritz Online Shop A.B. & Co. KG.

The company is based in Hamburg and operates a service centre in Nuremberg. At least since 2014, some of the employees have been subject to extensive recording of their private circumstances. Corresponding notes were permanently stored on a network drive. After holiday and sick leave – even short absences – the supervising team leaders conducted a so-called Welcome Back Talk. After these talks, in many cases not only the employees’ concrete holiday experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees’ private lives through individual and corridor discussions, ranging from rather harmless details to family problems and religious beliefs. The findings were partly recorded, digitally stored and were sometimes readable by up to 50 other managers throughout the company. The recordings were sometimes made in great detail and updated over time. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a profile of the employees for measures and decisions in the employment relationship. The combination of researching their private lives and the ongoing recording of the activities they were engaged in led to a particularly intensive intervention in the rights of those affected.

The data collection became known when, as a result of a configuration error, the notes were accessible company-wide for a few hours in October 2019. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection by press reports, he first ordered the contents of the network drive to be completely “frozen” and then demanded that it be handed over. The company complied and submitted a data set of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practices after analysis of the data.

The discovery of the serious violations prompted those responsible to take various remedial measures. The HmbBfDI was presented with a comprehensive concept for how data protection is to be implemented at the Nuremberg site from now on. In order to come to terms with past events, the management has not only expressly apologised to those affected. It has also followed the suggestion to pay the employees a considerable amount of unbureaucratic compensation. In this respect, this is an unprecedented commitment to corporate responsibility following a data protection violation. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, more strongly communicated whistleblower protection and a consistent information concept.

Prof. Dr. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, comments: “The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees.

Management’s efforts to compensate those affected on site and to restore confidence in the company as an employer are to be seen in a very positive light. The transparent information provided by those responsible and the guarantee of financial compensation show the will to give those affected the respect and appreciation they deserve as dependent employees in their daily work for their company.”

(Hamburg DPA)

Applicable legal provisions


Enforcement information

Enforcement authority:
Type of enforcement action: Penalty notice
Subject to appeal? Not known

Cite this fine in your work

Data Privacy Fines Index. (2020-10-01 03:32) H&M fined EUR 35 mil in Germany. dataprivacyfines.com. Retrieved from https://privacyfines.com/fine/h-and-m-fined-eur-35-mil/

Entry last updated: 2020-11-06 03:40 GMT.