The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions. H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.
H&M has received a decision from the regional Data protection authority in Hamburg to impose an administrative fine of M Euro 35. The company will now review this decision carefully.
Following the initial discovery and reporting of the incident, H&M immediately began making several improvements at the service centre in Nuremberg. A comprehensive action plan has been launched to improve internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area.
A number of actions have been implemented, including:
· Personnel changes at management level at the service centre in Nuremberg
· Additional training for leaders in relation to data privacy and labour law
· Revised instructions for managers
· Creation of a new role with specific responsibilities to audit, follow up, educate and continuously improve data privacy processes
· Enhanced data cleansing processes
· Improved IT solutions supporting compliant storage of personal data, training and leadership
In addition, H&M has decided that all those currently employed at the service centre, and all who have been employed for at least one month since May 2018, when GDPR came into force, will receive financial compensation.
H&M Group wants to emphasize its commitment to GDPR compliance and reassure its customers and employees that the company treats privacy and the protection of all personal data as a top priority. The H&M Group strictly adheres to laws and regulations stipulated by the relevant data protection authorities, as well as the company’s own high standards.