Hamburg’s data protection officer imposed a heavy fine. The evidence against a service center of the textile company seems to be very clear. Superiors saved intimate details of their employees in drives – until everything was revealed.

M.ith the Hamburg data protection officer Johannes Caspar made the acquaintance of Facebook and Google because the diligent head of the agency saw data protection guidelines violated. Caspar is now attacking a large corporation in the textile industry – Hennes & Mauritz Online Shop AB & Co. KG, better known as H&M, is said to pay a fine of 35.3 million euros. The reason: With the monitoring of hundreds of employees at the service center in Nuremberg, the group violated data protection. The Hamburg data protection agency took action because the company’s German headquarters are in the Hanseatic city.

Specifically, the accusation of spying goes as follows: “At least since 2014, some of the employees have had extensive records of private living conditions. Corresponding notes were saved permanently on a network drive. After vacation and illness absences – even short ones – the superior team leaders held a so-called Welcome Back Talk. “After these discussions, not only specific vacation experiences of the employees were recorded in several cases, but also illness symptoms and diagnoses. “In addition, some superiors acquired a broad knowledge of the private life of their employees through one-on-one and floor-to-floor discussions, which ranged from harmless details to family problems and religious beliefs,” says a statement from Caspar. The findings were partially recorded and stored digitally and were sometimes readable for up to 50 other managers throughout the company.

The evidence seems pretty straightforward. The data collection became known because the notes were accessible company-wide for a few hours due to a configuration error in October 2019. Then there were the first press reports that alerted Caspar. He ordered the contents of the network drive to be “frozen” and then demanded that it be released. The company followed suit and submitted a data set of around 60 gigabytes for analysis. After analyzing the data, interrogations of numerous witnesses confirmed the documented practices. “The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The amount of the fine imposed is therefore appropriate and suitable for deterring companies from violating the privacy of their employees, ”says Caspar, explaining the amount of the fine. But he also praised the company, which had actively appeared at the location after the case became known, in order to compensate those affected and to regain trust.