Tag: Hamburg DPA

H&M receives record-breaking 35 Mio Euro GDPR Fine in Germany

21. October 2020

At the beginning of October, the Hamburg Data Protection Commissioner (“HmbBfDI”) imposed a record-breaking 35,258,707.95 Euro GDPR fine on the German branch of the Swedish clothing-retail giant H&M. It is the highest fine a German Data Protection Authority has ever issued for a GDPR violation.

Since 2014, the management of the H&M service centre in Nuremberg had extensively monitored the private lives of their employees in various ways. Following holidays and sick leave, team leaders would conduct so-called “Welcome Back Talks” in which they recorded employees’ holiday experiences, symptoms of illness and medical diagnoses. Some H&M supervisors gathered a broad database on their employees’ private lives, recording details of family issues and religious beliefs from one-on-one talks and even corridor conversations. The recordings were highly detailed, were updated over time and in some cases were shared with up to 50 other managers throughout the whole company. The H&M supervisors also used this Personal Data to create profiles of their employees and to base future employment decisions and measures on this information. The clandestine data collection only became known as a result of a configuration error in 2019, when the notes were accessible company-wide for a few hours.

After the discovery, the H&M executives presented the HmbBfDI with a comprehensive concept for improving Data Protection at their Nuremberg sub-branch. This includes the appointment of a new Data Protection coordinator, monthly Data Protection status updates, more strongly communicated whistleblower protection and a consistent process for granting data subject rights. Furthermore, H&M has apologised to their employees and paid the affected people considerable compensation.

With their secret monitoring system at the service centre in Nuremberg, H&M severely violated the GDPR principles of lawfulness, fairness and transparency of processing pursuant to Art. 5 no. 1 lit. a) and Art. 6 GDPR, because they had no legal basis for collecting these Personal Data from their employees. The HmbBfDI commented on the magnitude of the fine in his statement, saying that “the size of the fine imposed is appropriate and suitable to deter companies from violating the privacy of their employees”.

Hamburg Data Protection Commissioner issues statement on the data exchange between Facebook and WhatsApp

27. September 2016

Today, the Hamburg Data Protection Commissioner (DPA) issued a press release announcing an administrative order that aims to prohibit the data exchange between Facebook and WhatsApp.

The critical opinion of the Hamburg DPA is based on the following arguments:

  • Facebook and WhatsApp are legally independent companies, each of which has its own terms and conditions of service.
  • This data exchange infringes German Data Protection Law, as a legal basis for the collection and processing of personal data is required. In this case, the Hamburg DPA does not identify a legal basis for this data exchange.
  • Nor can the legal basis be the users’ consent, because Facebook has not obtained the effective consent of WhatsApp’s users.
  • The ECJ has recently ruled that if a subsidiary processes personal data on behalf of its parent company, the national data protection laws are applicable. Facebook has its subsidiary for German-speaking countries in Hamburg. According to this ruling, German data protection law is applicable in this case.

Johannes Caspar, Commissioner of the Hamburg DPA, has remarked that the administrative order protects the personal data of around 35 million WhatsApp users in Germany who have not given their consent to the processing of their personal data by Facebook. Through this data exchange, Facebook would receive personal data of WhatsApp users who do not even have a Facebook account.