Search

How can we help?

Icon

£32.1m fine for employee surveillance

Following an investigation by the Data Protection Authority of Hamburg, fashion retailer H&M has been fined the equivalent of £32.1m for surveillance illegally monitoring of its employees.

The German data protection watchdog discovered that the company was keeping excessive records on hundreds of employees based in their Nuremburg service centre. This included details of holidays, medical symptoms and diagnoses, family issues and religious beliefs. It has also been alleged that these intimate and highly sensitive details were, in some instances, being used by management to evaluate work performance.

In the last 12 months there have been a string of high-profile fines against companies for breaches of the legislation. Last year, Google was fined by the French data protection regulator for breaching GDPR, Marriot International were fined by our own Information Commissioner’s Office for insufficient data-security systems, and PWC were fined by the Greek data protection authority for unlawful processing of employee data. GDPR is now well into its second year yet many companies continue to give inappropriate weight to data protection and underestimate the significance of the information they process.

In the last 12 months there have been a string of high-profile fines against companies for breaches of the legislation.

The fine should come as a stark warning. Data Protection regulators are becoming more active and aggressive in their stance against data breaches. Head of the HmbBfDI, the German regulator, hopes that the size of the fine will “scare off companies from violating people’s privacy”.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

Get in touch

+44 118 958 5321

About this article

  • Subject
    £32.1m fine for employee surveillance
  • Author
  • Expertise
    Employment
  • Published
    07 October 2020

Read, listen and watch our latest insights

art
  • 26 November 2025
  • Employment

The Data Use and Access Act 2025 – how to handle data protection complaints

This article will focus on, in particular, the requirement for data controllers to ensure that, by June 2026, appropriate complaint procedures are put in place (s 103).
art
  • 20 November 2025
  • Immigration

The Innovator Founder Visa: What It Is & How Recent Home Office Changes Empower Student Entrepreneurs

The UK’s Innovator Founder visa is designed to attract ambitious entrepreneurs who can build innovative, viable, and scalable businesses in the UK.

art
  • 18 November 2025
  • Employment

Employment Rights Bill – Enhanced protections for pregnant women and new mothers

The Employment Rights Bill will make it unlawful to dismiss pregnant women, mothers on maternity leave and mothers who return to work for at least six months after they return to work, expect for specific circumstances.
art
  • 12 November 2025
  • Employment

GDPR: Who are data controllers and processors?

Controllers and processors have a different set of responsibilities, and have various responsibilities when dealing with data breaches.
Pub
  • 11 November 2025
  • Corporate and M&A

The Autumn Budget 2025: Key considerations for business buyers and sellers

Join Stuart Mullins and Nicky Goringe Larkin as they discuss some of the likely implications of the Autumn Budget 2025 for those looking to buy and sell businesses.
art
  • 11 November 2025
  • Corporate and M&A

Directors Duties: Honesty and Goodfaith 

In June the Court of Appeal found that a director had failed to comply with their statutory duty.
See More