Keeping employee records is clearly necessary, and during the pandemic it may have become justifiable to use software tools to monitor the productivity of employees working from home. But the recent fine of €35.2m imposed on clothing retailer H&M by the Data Protection Authority of Hamburg last week was deliberately set at a level “adequate to deter companies from violating the privacy of their employees”.
What were H&M recording?
Since 2014, managers at the H&M service centre in Nuremberg had, as a matter of course, been recording personal, medical and family information about their employees. After an employee returned from a holiday or a period of absence, supervisors would hold ‘welcome back talks’ and enquire about the holiday, the employee’s family life or, in the case of sickness leave, the symptoms and diagnosis. Notes of these conversations were kept on file and enabled detailed pictures of employees’ private lives to be built up. These digital records were accessible to up to 50 managers at H&M and, alongside performance data, were referred to when making decisions about employees’ employment.
Why is this a problem?
The General Data Protection Regulation (EU) 2016/679 (GDPR) governs the collection and processing of personal data, which it defines as any information relating to an identified or identifiable living individual, and is very specific about how personal data may be collected from or about an individual. Employee records are personal data and are therefore also governed by the GDPR.
Why is this deemed to be excessive?
The fundamental tenet of the GDPR (Article 5(1)(a)) is that any processing of personal data must be lawful, fair and transparent. Under the data minimisation principle (Article 5(1)(c)), the data collected must be adequate (sufficient to properly fulfil your stated purpose), relevant (having a rational link to that purpose), and limited to what is necessary (you do not hold more than you need for that purpose).
In this situation, the employees did not realise that their welcome back talks were being used as a way to find out about their religion, family culture and practices and other aspects of their private lives, so that those details could be included in their employment records. The collection of personal data in this way was neither transparent nor fair (and therefore also not lawful).
Additionally, it is clearly not necessary for an employer to log such personal data about the private lives of its employees. It would be usual to collect only the employee data needed to perform the employer’s side of the employment contract: the employee’s address and bank details, tax code, next of kin in the event of an accident, and perhaps (depending on the benefits provided) information relating to health insurance, a pension or a company car.
It cannot be said to be necessary for an employer to record and retain where an employee goes on holiday, with whom, and what religious festivals they may have taken part in outside work. Such information has no bearing on the employment.
What action has H&M taken as a result?
The recording of this data about the employees’ private lives came to light in October 2019 when a technical error made the records accessible companywide (instead of only to the managers normally authorised to see them). H&M correctly reported this data breach, which affected hundreds of employees, to the Data Protection Authority of Hamburg and co-operated fully with its subsequent investigation.
The data breach and the investigation that followed revealed practices that were contrary to H&M’s own privacy policy. H&M has taken responsibility for the breach and apologised to the employees concerned, offering them compensation (separately from, and in addition to, the fine imposed by the Data Protection Authority).
H&M has also made “personnel changes” at management level at its Nuremberg service centre and invested in staff training on data protection and management. It has appointed a data protection manager to oversee privacy and compliance with data protection law, and has taken other IT measures to improve the security of its computer systems and prevent similar breaches of personal data in future.