German data protection authorities said Thursday they fined clothing chain H&M €35.3 million ($41.4 million) over illegal surveillance of employees, as the Swedish firm delved deeply into the private lives of its staff members.
The amount is the highest financial penalty for such breaches in Germany since the 2018 European Union legislation — General Data Protection Regulation (GDPR) — came into force and the second highest of its kind throughout the continent after French regulators fined Google €50 million last year for a GDPR violation.
Germany, following a history of widespread abuse of surveillance in Nazi Germany and the former East Germany, is known for strictly enforcing citizens' right to privacy.
The surveillance at H&M targeted several hundred workers at a service center in Nuremberg, according to a statement from Johannes Caspar, the Hamburg commissioner for data protection and freedom of information.
Read more: How sustainable are 'eco' brand high street fashions?
H&M carried out the practice from at least 2014 while H&M management acquired "extensive recordings of the private-life circumstances" of employees, the data protection service said.
"Some supervisors acquired a broad knowledge of their employees' private lives through one-on-one and water-cooler conversations, ranging from rather harmless details to family problems and religious beliefs," the statement continued.
Members of staff would be invited to "Welcome Back Talks" after periods of sick leave or vacation, after which information was often recorded and digitally saved so that "up to 50 other managers throughout the company" could be made aware of the details.
Read more: Data privacy: 'We're pretty much in the worst-case scenario,' says whistleblower
Caspar said the behavior was a "flagrant disregard of employee data protection," adding it hoped the substantial financial penalty would deter other firms from behaving in a similar fashion.
H&M has two weeks to challenge the Hamburg authority's punishment.
In a statement, the Swedish clothing outlet said, "The incident revealed practices for processing employees' personal data that were not in line with H&M's guidelines and instructions."
The company added that it "takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg."
The retailer said it has made managerial changes at the center and carried out "additional training for leaders in relation to data privacy and labor law."
Workers who have been there for at least one month since May 2018 are to receive financial compensation, the company added, without disclosing how much they would be afforded.
Caspar praised H&M for its "efforts in compensating those affected and restoring confidence in the company."
Read more: Sri Lanka's Ceylon tea workers live under a legacy of exploitation
jsi/dr (AP, AFP, dpa, Reuters)