Hamburg Commissioner Fines H&M 35.3 Million Euro for Data Protection Violations in Service Centre

You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.


The pandemic has created a huge surge in organisations having to safely process large amounts of sensitive information quickly. The GDPR reforms were first mentioned in 2012 and businesses were given ample time to prepare for their arrival. However, we are still seeing breaches as businesses continue to make seemingly avoidable mistakes.

Unfortunately, for many organisations, track and trace requirements and internal policies have meant that sensitive information has been flowing in a less than optimum format. We have all seen a list of names when we walk into restaurants/pubs with contact details clearly visible. Although this is a small example and the business is trying to comply with relevant obligations, this is a breach of the GDPR.

The Data Protection Commissioners have, rightly so, been cracking down on GDPR breaches and a recent ruling in Germany has seen international retailer, H&M, fined 35 million Euros.

Whilst not COVID specific, the Hamburg Commissioner for Data Protection and Freedom of Information in Germany (the “Commissioner”) issued the 35.3 million Euro fine as the retailer had severe failures in monitoring and processing the personal data of several hundred employees at their Nuremberg site. This decision highlights the ‘data minimisation’ principle contained in the GDPR, where it is unlawful to collect and keep excessive amounts of personal data.


For around 6 years, the retailer subjected its Nuremburg employees to extensive digital storage of information relating to their personal lives Including symptoms of health issues, religious beliefs and family issues. This information was then stored on an internal system and around 50 people were given access to it.

An IT error left the information accessible by all of the retailer’s German based employees, for a few hours in October of 2019. The Commissioner was made aware of the breach and was forced to give the Commissioner all of the information in question.

Unsurprisingly, the Commissioner ruled that the information was not securely stored and issued a fine to H&M. 

The retailer then confirmed it would give financial compensation to any individual who was employed at the site for over one month since May 2018. This was in an attempt to save employee relations, although the level of compensation has not been revealed. The retailer then committed to increasing its digital security and providing more in-depth training for employees with access to sensitive information.

Conclusion and Forethought

The Commissioner reminded everyone that despite the difficulties brought about by the pandemic, the GDPR still stands firm and breaches will result in sanctions. These sanctions will not only bring about financial repercussions, but also reputational ones.

It should be noted by all that although this was not a decision from the UK’s GDPR regulator, from past precedent, they would likely take the same view in relation to severe collection and subsequent breaches of sensitive employee information.

The pandemic will see many organisations collecting sensitive medical details about their employees. Please note the implications of GDPR breaches when thinking about your own security. Businesses must take positive and appropriate steps to process any sensitive data is processed and stored in line with the GDPR. 

If in doubt about what to consider when using personal data in line with COVID related recovery plans, consider the following advice from the Information Commissioner’s Office:

  1. Only collect and use what’s necessary;
  2. Keep it to a minimum;
  3. Be clear, open and honest with staff about their data;
  4. Treat people fairly;
  5. Keep people’s information secure; and
  6. Staff must be able to exercise their information rights.

If you have any concerns about how, when and why to store sensitive data then please reach out to us and seek legal advice as fines are becoming commonplace and are easily avoidable.