Hamburg Commissioner Fines H&M 35.3 Million Euro for Data Protection Violations in Service Centre

2 October 2020

The Hamburg Commissioner for Data Protection and Freedom of Information imposes a 35.3 Million Euro Fine for Data Protection Violations in H&M's Service Center

In a case concerning the monitoring of several hundred employees of the H&M Service Center in Nuremberg by its management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 Euros against H&M Hennes & Mauritz Online Shop A.B. & Co KG.

The company is registered in Hamburg and operates a service center in Nuremberg. Since at least 2014, parts of the workforce have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive. After absences such as vacations and sick leave - even short absences - the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.

This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the contents of the network drive to be "frozen" and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practices after analyzing the data.

The discovery of the serious violations has prompted those responsible to take various corrective measures. The HmbBfDI was presented with a comprehensive concept how data protection is to be implemented at the Nuremberg site from now on. In order to come to terms with the past events, the company management has not only expressly apologized to those affected, it has also followed the suggestion to pay the employees a considerable compensation. This is an unprecedented acknowledgement of corporate responsibility following a data protection incident. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, increasingly communicated whistleblower protection and a consistent concept for dealing with data subjects’ rights of access.

Prof. Dr. Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information, comments: "This case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore adequate and effective to deter companies
from violating the privacy of their employees.

Management's efforts to compensate those affected on site and to restore confidence in the company as an employer have to be seen expressly positively. The transparent information provided by those responsible and the guarantee of financial compensation certainly show the intention to give the employees the respect and appreciation they deserve as dependent workers in their daily work for their company.

For more information, you can go The Hamburg Commissioner for Data Protection and Freedom of Information website here, or email them at

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.