author photo
By Bruce Sussman
Thu | Oct 8, 2020 | 1:55 PM PDT

You come back from vacation and your boss asks about the trip. That's pretty nice.

And when you come back from being out sick, your supervisor schedules a "welcome back" meeting with you to see how you are feeling and what was wrong. That sounds thoughtful.

And then one day something happens at your office: you and your coworkers accidentally discover that the information from your chats with the boss are recorded in a corporate database.

And as it turns out, that information factors into employment decisions and opportunities for you at the company.

Operating like this is now costing clothing retailer H&M $42,000,000 in fines.

H&M fines for violating employee privacy rights 

This case is unfolding in Germany, where the Hamburg Commissioner for Data Protection and Freedom of Information just leveled that $42M fine against H&M. 

Here are some details from the Commission report. This might be a good time to make sure your organization is not doing something like this:

"The company, based in Hamburg, operates a service center in Nuremberg. Since at least 2014, some of the employees have had extensive records of private living conditions. Corresponding notes were saved permanently on a network drive.

After vacation and illness absences—even short ones—the superiors team leaders held a so-called Welcome Back Talk. After these discussions, not only were specific vacation experiences of the employees recorded in a number of cases, but also symptoms of illness and diagnoses. In addition, some superiors acquired a broad knowledge of the private life of their employees through one-on-one and floor-to-floor discussions, ranging from harmless details to family problems and religious beliefs."

And it wasn't just your supervisor storing details about your private life. No, it went well beyond that.

The Commissioner's report found that lots of H&M supervisors could read what your boss was writing about you. And that information was sometimes used to change your career track.

"The findings were partially recorded, stored digitally and were sometimes readable by up to 50 other managers throughout the company... In addition to a meticulous evaluation of individual work performance, the data collected in this way were used, among other things, to obtain a profile of the employees for measures and decisions in the employment relationship. 

The combination of research into private life and the ongoing recording of what activity they were engaged in led to a particularly intensive interference with the rights of those affected."

Making a privacy example out of H&M to send a message

A $42 million fine is significant. And that was intentional.

Prof. Dr. Johannes Caspar, Hamburg's representative for data protection and freedom of information, puts it like this:

"The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is accordingly appropriate and suitable to deter companies from violating the privacy of their employees."

Misconfiguration sets the table for huge privacy fine

Are you wondering how this employee tracking came to light? It turns out, someone in IT goofed. And that led to something like a snowball rolling downhill.

"The data collection became known because the notes were accessible company-wide for a few hours due to a configuration error in October 2019.

After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the content of the network drive to be completely 'frozen' and then requested that it be released.

The company followed suit and submitted a data set of around 60 gigabytes for analysis. After analyzing the data, interrogations of numerous witnesses confirmed the documented practices."

What is H&M doing about its privacy practices?

H&M says this practice was isolated to one particular service center and not in keeping with its focus on following GDPR.

It has announced a number of changes:

•  Personnel changes at management level at the service centre in Nuremberg.

•  Additional training for leaders in relation to data privacy and labour law

•  Revised instructions for managers

•  Creation of a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes

•  Enhanced data cleansing processes

•  Improved IT solutions supporting compliant storage of personal data, training and leadership.

In addition, H&M is giving some sort of financial compensation to most employees at the service center that was at the center of the investigation.

How does your organization stack up on the bullet points above? Something to consider.

In the meantime, if you have the time, read H&M's full statement.

Tags: Privacy, GDPR,
Comments