On 1 October 2020, the Hamburg Commissioner for Data Protection and Freedom of Information (the “Commissioner”) issued a fine of almost EUR 35.3 million against the Swedish fashion giant H&M Hennes & Mauritz Online Shop A.B. & Co KG (“H&M”) for violations concerning the personal data of its employees at the Service Center in Nuremberg.

Regarding the fine, the Commissioner said in an official statement, inter alia, that since at least 2014, H&M's management had extensively collected details about the private lives of several hundred employees of the Service Center in Nuremberg, ranging from rather harmless details to family issues and religious beliefs. Some of this information was recorded and stored on a network drive that was accessible to H&M's management (up to 50 individuals) and was used, inter alia, to obtain a detailed profile of employees for measures and decisions regarding their employment status. The combination of collecting details about their private lives and recording their activities led to a particularly intensive encroachment on employees’ civil rights.

This is the second-largest fine ever imposed in Europe for violation of the provisions of the GDPR.