H&M has been fined over €35 million for breaching EU General Data Protection Regulation (GDPR) laws in a landmark ruling.
The Swedish fashion retailer has incurred the largest fine ever to be levied against a single company over GDPR violations since the new laws were imposed in 2018.
The Hamburg Commissioner for Data Protection and Freedom of Information launched an investigation into H&M following a data breach in 2019.
This data breach, caused by a configuration error, revealed that H&M had been collecting and storing copious amounts of data on its employees since 2014.
The investigation found that H&M had been collecting in-depth personal data on its employees, including their religious beliefs, family issues, holiday experiences, illnesses and diagnoses.
This information was collected by supervisors in “welcome back talks” held by team leaders after an employee’s absence and was accessible to up to 50 managers.
The authority said, “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”
Its staggering fine comes just days after H&M announced plans to close 250 stores next year as the pandemic moved more shoppers online.