GDPR, H&M and excessive monitoring of employees

During the pandemic, schools are likely to be collecting more personal data on employees than before. The recent fine of €35.2m imposed on clothing retailer H&M by the Data Protection Authority of Hamburg last week is a reminder that employee data must be collected in a transparent way and only when it is necessary and lawful. The fine imposed was deliberately “adequate to deter companies from violating the privacy of their employees”.

What were H&M recording?

H&M’s managers at the H&M service centre based in Nuremberg had been recording personal, medical and family information about their employees as a matter of course since 2014. After employee absences or holidays, supervisors would hold ‘welcome back talks’ and enquire as to their holidays, family lives or their sickness leave and any diagnoses. Notes of these conversations were kept on file and enabled detailed pictures of employees’ personal lives to be built up – such digital records were accessible to up to 50 local managers at H&M and, alongside performance data, were referred to when making decisions regarding their employment.

Why is this a problem?

The General Data Protection Act 2016/679 (GDPR) which governs the collection of personal data (which is defined as any data that identifies a living individual) is very specific about how personal data may be collected from or about an individual. Employee records are also governed by the GDPR.

Why is this deemed to be excessive?

The fundamental tenet of the GDPR is that any personal data collected must be lawful and fair and transparent. The type of data collected must be:

• adequate (sufficient to properly fulfil your stated purpose)
• relevant (has a rational link to that purpose)
• limited to what is necessary (you do not hold more than you need for that purpose).

In this situation, the employees did not realise that their welcome back talks were being used as a way to find out about their religions, family culture and practices and other aspects of their private lives, in order for those details to be included on their employment records. The collection of personal data in this way was not transparent or fair (and therefore also not lawful).

Additionally, it is not normally necessary for an employer to log such personal data about the private lives of their employees. It would be usual to collect sufficient employee data to perform the employer’s part of the employment contract with the employee, including their address and bank details, their tax codes, their next of kin in the event of accident – and perhaps (depending on the benefits provided) information relating to health insurance and pensions. Absence and sickness records are also necessary but they should not be excessive.

What action has H&M taken as a result?

The recording of this data relating to the employees’ private lives came to light when there was a computer blip in October 2019, allowing the data to be accessible companywide (instead of only to the managers normally authorised). H&M correctly reported this data breach relating to hundreds of employees and has been investigated by the Data Protection Authority of Hamburg, co-operating fully with the investigation.

The data breach and subsequent investigation revealed that there were practices in place that were contrary to H&M’s privacy policy. H&M have taken responsibility for the breach and apologised to the employees concerned, offering the individuals compensation (in addition to the fine imposed by the Data Protection Authority).

H&M have also made “personnel changes” at management level at their Nuremberg service centre and invested in staff training on data protection and management. They have appointed a data protection manager to oversee privacy and compliance with data protection and taken other IT measures to improve the security of computer systems and prevent similar breaches of personal data in the future.

H&M acted appropriately in response to this data breach but the processing of employee data which was uncovered is a clear example to organisations (including schools) on what should not be done with it.