The Swedish company H&M was fined 35 million euros on October 1, 2020 by the Hamburg Data Protection Commissioner’s Office. It is accused of having collected and stored personal data of employees without their knowledge.

Between 2014 and 2019, managers at an H&M site in Nuremberg collected information on the personal lives of their employees. For example, when an employee was absent from work due to illness or vacation, he or she was called in for an interview by his or her manager to collect personal information such as symptoms of illness, diagnosis, family problems and religious beliefs. This information was then used to establish an “individual profile”. The company apologized to employees for this breach of the personal data protection guaranteed by the GDPR.

H&M’s sanction is now part of a trend among European data protection authorities to increasingly punish companies’ breaches of the principles of the GDPR. Considerable fines have been imposed on them: 50 million euros against Google, 183 million pounds sterling against British Airways, 27.8 million against TIM. It is therefore necessary to ensure that a rigorous and ongoing compliance program is in place to prevent the implementation of such practices.