H&M fined for insufficient legal basis for processing sensitive personal data

Summary

Several hundred employees of an H&M Service Center in Nuremberg had since 2014 been subject to extensive recording of information regarding their private lives, including symptoms of illness, diagnoses, romantic relationships and religious beliefs.

The data was collected through a ‘Welcome Back Talk’ for all employees returning from vacation or illness, and through office gossip. The data was permanently stored on a local network, which was accessible by up to 50 managers of the company.

The data was, in some cases, continuously updated and used to evaluate the performance of the workers and ultimately in employment decisions.

The affected individuals were unaware of the systemic recording of their personal data until it was discovered due to a technical error in October 2019. The technical error made the information available company-wide for hours. As a result of the incident, protective measures were introduced, and the company explicitly apologized to the affected employees. The DPA suggested offering monetary compensation, which was accepted and actioned by H&M.

The decision of The Hamburg Commissioner for Data Protection and Freedom of Information

The DPA fined H&M 35,300,000 EUR for the following violations:

• Not having a legal basis for the recording of special categories of personal data

• Not adhering to the principles of data minimization and storage limitation

Additionally, the DPA suggested remedial actions towards the affected employees.

Our remarks

• If a data controller wants to record employee data, they should ensure that they have an appropriate legal basis. This could, for example, be the performance of a contract between the employer and employee, or compliance with a legal obligation. If data processing is not covered by these grounds, another legal basis, such as consent or legitimate interests, must be established.

• When collecting personal data about employees it is important to limit any processing of special categories of personal data to a minimum. The data controller should ensure that they fulfill one of the requirements in GDPR, Article 9(2). Recording personal data about employees’ diagnoses or romantic relationships qualifies as processing of special categories of personal data.

• When processing and storing data concerning employees, it is essential to adhere to the principles of data minimization and storage limitation, as well as the principles of lawfulness, fairness and transparency. Before processing employee data, the employer should consider which data is necessary for the legitimate purpose of the processing, or for the fulfillment or performance of a contract to which the employer is a party. This can for example be ensured by having internal guidelines for the collection of personal data, erasure policies and so forth.

• The Hamburg Commissioner did not specifically mention compensation under GDPR, Article 82. H&M’s voluntary remedial actions in response demonstrate a growing awareness of corporate responsibility regarding employee privacy. Similarly, the size of the fine highlights the employer’s extensive responsibility in ensuring employee privacy.

Published: 01-10-2020
Journal number: N/A
Tags: 01 Legal basis and principles of processing, 03 Right to erasure and rectification
Complycloud EU GDPR Report