5 October 2020

Data Blast: H&M handed €35M fine for amassing intrusive employee files and much more…

See below for the latest Data Blast from our legal team: H&M handed €35M fine for amassing intrusive employee files; Irish regulator issues guidance on vehicle tracking by employers; Belgian authority fines electoral candidate for using council employee database for campaigning; £60K fine for UK marketer for ‘Covid hand sanitizer’ text messages; Welsh health authority addresses Covid test data breach…

H&M fined €35 million for improper profiling of employees

On October 1st, the Hamburg Data Protection Authority (DPA) announced that it had fined a German subsidiary of Swedish clothing chain H&M €35.2 million for violations of the General Data Protection Regulations (GDPR), stemming from the excessive use of employee data. The fine is the largest handed down to date against a company for GDPR violations involving the handling of employee data.

The Hamburg DPA launched an investigation into H&M’s Nuremburg Service Centre after a 2019 data breach revealed the extent to which H&M Germany was collecting data about its employees’ private lives.  During the investigation, the DPA discovered that since 2014, H&M had been collecting and storing data concerning its employees’ religious beliefs, medical and family issues, and vacation experiences. Much of the data obtained qualifies as sensitive personal data, which is afforded enhanced protections under the GDPR; this was also the case under the 1995 Data Protection Directive in force before the GDPR came into effect in May 2018.

Much of the employee data was obtained during conversations between employees and their supervisors during ‘welcome back talks’ after an employee’s absence from work. The data was made accessible to up to 50 H&M managers.

After evaluating the data H&M obtained from its employees, as well as witness evidence and H&M’s internal procedures, the Hamburg DPA ruled that ‘the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.’

H&M issued a formal apology to its employees, and confirmed that financial compensation will be given to all those employees impacted since the GDPR came into force in May 2018. The level of the fine illustrates the importance attached to a company’s cooperation with investigations conducted by a supervisory authority. The GDPR provides for fines of up to 4% of a company’s global annual turnover, and H&M’s global annual turnover for 2019 was roughly €22 billion.  Accordingly, H&M could have been subject to a considerably larger fine; the Hamburg DPA noted that H&M’s cooperation with the DPA and its promise of compensation to affect employees, were seen positively when assessing the appropriate fine to be imposed.

Irish DPA issues guidance on Employer Vehicle Tracking

The Irish Data Protection Commission (DPC) has recently issued guidance on the data protection issues surrounding employer vehicle tracking. The DPC notes that, under Article 8 of the European Convention on Human Rights, employees are entitled to a reasonable expectation of privacy, and that employer in-vehicle tracking carries a high risk of interfering with an employee’s data protection rights.

The guidance explains that under the GDPR location data qualifies as personal data any time it relates to an individual; tracking the vehicles of employees must therefore comply with data protection law. The DPC guidance notes that vehicle tracking may qualify as collecting behavioural data on employees, and that vehicle tracking should not be used for the general monitoring of staff.

The legal bases identified by the DPC for tracking include compliance with legal obligations, or an employer’s legitimate interest in locating its vehicles at all times. However, such processing must be strictly necessary and proportionate for the purpose of those interests, and the data gathered must be limited in line with the principles of purpose limitation and data minimisation.

Importantly, employee consent will only be considered as an adequate legal basis in exceptional circumstances, given the difficulty in obtaining freely given consent due to the power imbalance inherent in the employer/employee relationship. Employers implementing vehicle tracking must also comply with their GDPR transparency requirements, and ensure that they inform their employees of the proposed tracking prior to collecting such location data.

The DPC guidance recommends that employers always approach with care, the use of new technologies for monitoring employees. In addition, the DPC proposes measures to assist employers in complying with data protection law when tracking vehicles, including limiting the time and/or location when vehicle tracking takes place, and implementing opt-out measures such as the ability to switch tracking off easily.

Belgian DPA fines local election candidate for using staff list for campaigning purposes

On June 10th 2020, the Belgian Data Protection Authority (DPA) fined a candidate in local elections for using a municipal staff register to send election letters to municipal staff.

The €5,000 fine stemmed from complaints received from the municipality in question, claiming that the staff data was being used for campaigning purposes. The DPA found that the communications did not amount to normal communication from a municipal counsellor, as claimed by the defendant, but rather that the letters amounted to ‘election propaganda.’

The DPA found that, in addition to having no lawful basis for the data processing, the candidate violated the purpose limitation under the GDPR, as the staff register is not meant to be used for purposes other than internal municipality management. The DPA also noted that, given the defendant’s other public service positions, it should be expected that he would have greater respect for, and understanding of, campaigning rules.

The fine was issued in reliance on a previous similar decision by the DPA’s Litigation Chamber (previously covered here) which found that further processing of personal data gathered for municipal purposes with intent to use them for campaigning purposes violated to principles of lawful processing and purpose limitation.

UK ICO fines company £60,000 for Covid-19 related nuisance marketing texts

On September 24th, the UK Information Commissioner’s Office (ICO) issued a £60,000 fine to Digital Growth Experts Limited (DGEL) for sending thousands of nuisance texts at the height of the Covid-19 pandemic.

In an effort to profit from the pandemic, DGEL sent over 16,000 texts between February 29th and April 30th, promoting a hand sanitizer that it claimed to be ‘effective against the coronavirus.’ Recipients of the texts had not consented to receiving them.

According to the ICO, during its investigation DGEL provided unclear and inconsistent responses, and did not provide evidence that it had obtained the consent required under the Privacy and Electronic Communications Regulations (PECR). The issue was brought to the ICO’s attention when the texts were forwarded by complainants to the GSMA’s Spam Reporting Service.

The ICO stated that ‘direct marketing laws are clear and it is the responsibility of businesses to ensure they comply. Ignorance of it or attempting to rely on vague and misleading evidence in support of a marketing campaign simply does not wash…The sending of nuisance marketing texts are a significant concern to the public, and the ICO will continue to take action where our advice is not followed and where we find serious, systemic or negligent behaviour that puts people’s information rights at risk.’

DGEL has only a single company director, and under the PECR the ICO may issue a fine to a company director in his or her personal capacity, including where the company is unable or unwilling to pay a fine.

A recent similar fine of £130,000 was issued by the ICO for unsolicited marketing calls promoting pensions, which we covered here.

Public Health Wales issues statement on covid testing data breach

On September 16th, Public Health Wales (PHW) published a statement on its website announcing it had suffered a data breach involving identifiable personal data of Welsh residents who have tested positive for Covid-19.

The breach, which occurred due to human error on August 30th, involved the uploading to a public server of the personal data of 18,000 residents who had tested positive, which was searchable by anyone using the PHW website. PHW was alerted of the breach and removed the data on August 31st, but in the 20 hours it was accessible the data had been viewed 56 times.

In most cases, the personal data exposed included individuals’ initials, dates of birth, geographic area and sex, and therefore the risk of them being readily identifiable was deemed by PHW to be relatively low. However, for roughly 2,000 data subjects living in nursing homes or other supported housing, the personal data also included the name of their nursing home or housing setting, creating a greater risk of identification.

PHW stated that there was no evidence that the data had been misused, but that the ICO and the Welsh government were notified of the breach, and that an investigation had been commenced into the circumstances surrounding the breach, to be led by the Head of Information Governance at the NHS Wales.

PHW also stated that it had taken steps to prevent similar incidents happening going forward, including altering procedures so that any future data uploads are carried out by a senior member of staff.

For more information please contact Partner, James Tumbridge at