H&M Hennes & Mauritz AB
The Hamburg DPA (HmbBfDI) imposed what was at the time the largest GDPR fine issued in Germany on H&M for systematically recording details of hundreds of employees' private lives at its Nuremberg service centre. Managers noted family matters, religious beliefs, health conditions and other personal information gathered during 'welcome back talks' after absences and in routine conversations, stored the notes on a networked file server accessible to up to 50 managers, and used them when making HR decisions. The practice had gone on for years and came to light only in October 2019, when a configuration error temporarily made the records readable by all company staff. H&M acknowledged the violations and introduced remedial measures.
HAMBURG-DPA-DE
Bundesdatenschutzgesetz (Federal Data Protection Act 2018)
- Systematic recording of employees' private-life details, health information and beliefs by managers for use in HR decisions is among the most serious GDPR violations an employer can commit: employee data protection requires strict purpose limitation and data minimisation, so personal information may be collected and retained only to the extent strictly necessary for the employment relationship.