Privacy regulators in Germany have posed to H&M a fine of EUR 35.2 million for violating EU privacy laws.
The fine, issued by the Hamburg Data Protection Authority (HmbBfDI) under the EU's GDPR, represents the largest privacy fine ever issued by a German regulator. This is the second-largest fine to be levied against a single organization for violating GDPR.
The fine levied by the German regional data protection authority comes after a long-running investigation into employee-monitoring practices at H&M Hennes & Mauritz Online Shop A.B. & Co KG, a Hamburg-based subsidiary of the clothing company at which several hundred people are employed.
H&M says it ‘immediately’ reported the incident as a security breach to the regulator. ‘H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service center in Nuremberg,’ the company said in response to the German regulator's decision, adding that it ‘will now review this decision carefully.’
After receiving the security breach notification, Hamburg's privacy regulator launched an investigation, and it immediately ordered the company to freeze the database and provide it with a complete copy of the data, which was 60 GB. According to HmbBfDI, H&M fully cooperated its investigation.
H&M has pledged to financially compensate all employees who have worked for the organization for at least one month since GDPR came into full effect in May 2018.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now