Yapı Kredi Plaza, Levent İstanbul

H&M was fined 35 million Euros by the Data Protection Authority

H&M was fined 35 million Euros by the Data Protection Authority


The global retail giant H&M was fined 35 million Euros by the Hamburg Data Protection Authority for keeping a comprehensive data record on the private lives of the employees.

In 2019, the Data Protection Authority launched an investigation into the processing, which was noticed after H&M employees accessed the company network for a few hours and upon determination that data including family life, religious beliefs and health conditions of employees were processed by H&M and made accessible by approximately fifty company managers, H&M was fined for processing special personal data in accordance with Article 9 of the European Union General Data Protection Regulation (“GDPR”). The Data Protection Authority also emphasized that the processing of these data on the private lives of employees is to encroach on employees’ civil rights.

Also, in terms of the Turkish Personal Data Protection Law; these data, are personal data of special nature and it is prohibited to process without the express consent of the data subject. H&M announced that they apologized for their data processing activities, compliance with the GDPR is top priority, they will make changes in the company management, and inform the managers about Data Protection Law and Labor Law. H&M also confirmed that employees who work or previously worked at the service for at least a month since the GDPR came into force in May 2018 will receive financial compensation.  It is not yet clear whether H&M will appeal the Hamburg Data Protection Authority’s fine.