Co-funded by the European Union

Violation of the EU General Data Protection Regulation can result in heavy fines for companies

  • GDPR covers all processing of personal data, including employee data and customer data.
  • Companies should carefully monitor their compliance with the Regulation to avoid heavy penalties.

The processing and movement of personal data are regulated at the European Union level by the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC), which has been directly applicable since 25 May 2018. The Regulation applies to organisations established in the EU and to organisations outside the EU that process the personal data of data subjects in the EU. Its application is supervised in each Member State by one or more independent supervisory authorities. Chapter VIII of the GDPR (Articles 77-84) sets out remedies, liability and penalties: Article 77(1) provides that “every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation”, and Article 83 allows supervisory authorities to impose administrative fines of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

From the employers’ perspective, such a strict and detailed regulation raised compliance challenges. Commenting at the time, BusinessEurope Director General Markus J. Beyrer said: “Businesses are highly concerned with GDPR compliance. We need national authorities to explain how they will apply these rules and how this will impact businesses' day-to-day operations. As many have been preparing tirelessly, we now expect that administrations pragmatically cooperate with businesses, in order to bring this data protection sea change into reality”.

Infringements also occur in the processing of employment-related data, as the following case shows.

In October 2020 a GDPR violation gained wide media attention. The Hamburg Commissioner for Data Protection and Freedom of Information, a regional supervisory authority, imposed an administrative fine of roughly 35.3 million euros on H&M. The authority found that managers at the company’s service centre in Nuremberg had, since at least 2014, recorded details of employees’ private lives, including illnesses, family issues and religious beliefs, gathered in informal conversations and in “welcome back talks” after absences; the notes were stored on a network drive readable by up to 50 managers and used in employment decisions. The practice came to light in October 2019 when a configuration error briefly made the records accessible company-wide. Following its decision, the authority stated in a press release that “the company management not only apologized expressly to those affected. It also followed the suggestion to pay the employees unbureaucratic damages in a considerable amount. This is an unprecedented commitment to corporate responsibility after a data protection breach. Other components of the newly introduced data protection concept include a newly appointed data protection coordinator and monthly data protection status updates”.

H&M cooperated fully with the authority throughout the proceedings. In a press release the company stated that “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions. H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg. Since the initial discovery and reporting of the incident, H&M immediately began making several improvements at the service centre in Nuremberg. A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment and continue to train and educate both staff and leaders in this area”.

The company concluded that “H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority”.

After reviewing the decision of the Hamburg data protection authority, H&M Group decided not to appeal.