Hung-Kai Chuang

H&M fined 35 million euros for violating personal data protection

In October 2020, on the day H&M announced the closure of 250 stores around the world, the company was fined 35 million euros (nearly NT$1.2 billion) by the German data protection authority for secretly collecting personal information about employees in a specific region of Germany. It was the second-highest fine ever imposed.

The German data protection authority found that H&M held a large amount of personal data about the employees of its service center in Nuremberg, Germany. The data included not only information about employees' vacations (the reason for the vacation, what they did, where they went, etc.) and records of illnesses (mostly noted by H&M's HR during conversations with the employee), but even private conversations between employees (in corridors, pantries, etc.), which often touched on religion, sexuality, and family.

This data was used for big data analysis: to predict and analyze employee performance from personal factors such as family and religion, and to build a mechanism for recruiting employees in the future.

H&M collected its employees' personal information in secret for this analysis. The practice came to light because of negligence in H&M's internal handling of access to the information, which let people without permission see the data. The omission was corrected, but the incident prompted the authorities to open an investigation.

After receiving the huge fine, H&M issued a statement saying that it would appoint full-time personnel responsible for reviewing the storage and processing of data, review its privacy processing procedures, and train supervisors in personal information protection. The employees at the Nuremberg service center in Germany will also receive monetary compensation for the damages they suffered.

This incident shows the importance of personal information protection. The purpose of collecting personal information, whether the purpose of processing it is the same as the purpose of collecting it, and the use of personal information for profiling (processing personal data through an automated mechanism in order to evaluate a particular natural person) must all comply with the EU regulations on processing personal data, as well as the rules on automation and profiling.

CC BY-NC-ND 2.0
