The amount is the highest fine for such breaches in Germany since its latest data-protection legislation came into force two years ago, a spokesman for Germany's watchdog for the issue told AFP, in a country known for jealously guarding the right to privacy.
Company bosses at the group's service centre in Nuremberg were found to have delved too deeply into the private lives of their employees, acquiring information “ranging from rather harmless details to family problems and
Detailed “symptoms of illness and diagnoses” were also recorded and stored digitally, the authorities said in a statement.
“The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg,” said Johannes Caspar, the Commissioner for Data Protection in Hamburg, where H&M's German arm is based.
“The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees.”
'Incompatible' with policies
The watchdog said managers at the service centre conducted “welcome back” talks with employees after their return from illnesses or holidays.
The symptoms and diagnoses of illnesses as well as holiday experiences were documented, and were made accessible to up to 50 managers.
“The combination of researching their private lives and the ongoing recording of the activities they were engaged in led to a particularly intrusive violation of the rights of those affected,” the authority said.
The data collection had been ongoing since at least 2014, and only became known when the information became accessible company-wide for a few hours in October 2019 due to a computing error.
H&M said they would “carefully examine the decision”, adding that “practices in the processing of employee data in Nuremberg were incompatible with H&M's policies and instructions.”
“After the incident was discovered and reported, H&M immediately initiated far-reaching measures at the Nuremberg service centre,” the company said.
“H&M takes full responsibility and would like to express an unconditional apology to the Nuremberg employees.”
The fine is one of the highest in Europe linked to the European Union's data protection rules, known as GDPR.
The law, implemented in 2018, says that individuals must explicitly grant permission for their data to be used, and can impose fines on companies worth four percent of their worldwide annual revenue.
France fined Google €50 million in January 2019 for failing to provide accessible information on its data-consent policies, calling out the internet giant's use of targeted advertising.
Meanwhile, in July last year, British Airways was fined 183 million pounds (€201 million) by the UK's data authorities after computer hackers stole bank details from hundreds of thousands of passengers.
Germans hold privacy in high regard, as manifested in their continued high usage of banknotes and coins rather than credit cards. It is often considered to be a reaction to oppressive surveillance under the Nazis and East German Stasi.
Separately, H&M announced Thursday it will close 350 out of its 5,000 stores worldwide as the coronavirus pandemic pushes more shoppers online. The fashion chain returned to profit in its June-August quarter, having tumbled into loss the previous three months at the worst of coronavirus lockdowns.