The multinational clothing retailer H&M has been fined £32.1million (€35.3million) for the illegal surveillance of some of its employees in Germany – BBC reported.
According to the publication, the German data protection watchdog found that the firm kept “excessive” records on the families, religions and illnesses of staff members at its Nuremberg service centre.
H&M has since made an “unreserved apology" to staff based at the Nuremberg service centre.
The statement, which was published to its site, read: "The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions. H&M takes full responsibility and wishes to make an unreserved apology to the employees at the service centre in Nuremberg.
“...All currently employed at the service centre, and all who have been employed for at least one month since May 2018, when GDPR came into force, will receive financial compensation."
In addition, the firm said it would review the fine that has been issued – the Independent reported.
The year-long investigation carried out by the Data Protection Authority of Hamburg (HmbBfDl) found that the retailer’s privacy violations included extensive staff surveys which had details of medical symptoms and diagnoses for illnesses, as well as holiday details.
It was also reported that some managers also sought after details in private chats such as religious beliefs or family issues, which where then kept and used to evaluate workplace performance and as a way to make employment-related decisions.
HmbBfDL Head Johannes Caspar said that this case highlighted “gross disregard” of data protection rules in Germany.
Caspar added that the hefty fine was "justified and should help to scare off companies from violating people's privacy."
This is said to be the second-largest fine a single organisation has faced under EU GDPR rules.
According to GDPR.EU, GDPR is the toughest privacy and security law in the world. The regulation came into effect on May, 25, 2018.
While this case took place in Germany, there are key teachings for the HR function and employers regarding the surveillance of staff members in the workplace.
Phil Pepper, Head of Employment at law firm Shakespeare Martineau, spoke to HR Grapevine about whether, under UK laws, it is legal to ‘spy’ on staff in the workplace.
He said: “In the UK, electronic forms of monitoring involve the processing of personal information, which are regulated by GPDR. As monitoring is regulated in the UK, the Information Commissioner has issued the Employment Practices code, which sets out the steps that should be followed to monitor employees.
“There is also other legislation such as the Investigatory Powers Act 2016 and the Investigatory Powers (interception by Businesses etc for Monitoring and Record-keeping Purposes) Regulations 2018. These make it a criminal offence to intercept certain communications,” Pepper explained.
In brief, he explained that it isn’t illegal to monitor employees – whether this be through phone calls, internet use, emails or CCTV – yet, the legal expert said that there are several protocols that should be followed including impact assessment and informing employees that the surveillance is taking place.
Pepper added: “Covert recording is only permitted in very exceptional circumstances, such as where criminal offences (or something similarly serious) are occurring, and even then, only for short periods of time.
“CCTV monitoring should only be carried out where privacy is low and is not usually permitted in probate areas such as changing room or toilets. Employees should be informed of such monitoring, but again the exception is serious criminal activity.
“Lots of employers monitor telephone calls, but usually employees are informed and so are callers. This is the usual message that is heard when an individual calls a call centre.
“Employers also periodically monitor emails and internet activity, but caution needs to be undertaken not to read private messages,” he added.
The legal expert also pointed towards Article 8 of the Convention of Human Rights which he said protects an individual’s right to privacy.
“This is not an absolute right and employers can often justifiably breach this right, but there does need to be very good reasons, such as criminal activity taking place,” Pepper added.
The impact on company culture
Workplace surveillance can have a huge impact on some of the things that the HR function is tasked with looking after – such as employee wellbeing, productivity, motivation and company culture.
”There is an implied term of trust and confidence which is implied into every contract, and employers who unjustifiably monitor employees and/or act unreasonably, risk breaching that term, potentially allowing employees to bring claims for constructive or unfair dismissal,” Pepper concluded.