Germans issue 27th GDPR fine as H&M is hit for €35m

germany_1The German data protection authorities have shown the benefits of Teutonic efficiency after dispatching the country’s 27th fine under the GDPR regime, whacking Swedish retail group H&M with a €35m (£31.9m) penalty.

The incident first emerged in January, when the company admitted it had inadvertently leaked the highly confidential data of hundreds of employees working at its Nuremburg customer services contact centre.

At the time, it was reported that the information had been gathered from personnel interviews between employees and managers, and included health data and details about employees’ private lives. The confidential files should only have been accessible by managers, but, it seems, other H&M staff could also access them too.

The breach, which had occurred in October last year, reportedly affected “several hundred” employees, but the company insisted the files were deleted as soon as the incident had been discovered.

Now, in H&M’s June-August earnings report, the company has stated: “The regional data protection authority in Hamburg has imposed an administrative fine of €35m. The H&M group admits shortcomings at the service centre and has taken forceful measures to correct this.”

The fine is the highest issued in Germany to date, ahead of a €14.5m penalty for Deutsche Wohnen SE for non-compliance with data processing principles, and a €9.55m fine for 1&1 Telecom for lax information security measures.

But the swiftness of the enforcement action will not be lost on critics of both the UK Information Commissioner’s Office and the Irish Data Protection Commission.

Many claim the ICO appears more concerned with new technology, regulatory sandboxes, data ethics and politics than with enforcing the data protection law.

Meanwhile, Germany’s federal data commissioner Ulrich Kelber recently likened Ireland’s approach with the go-slow stance of Germany’s automotive regulator on diesel emissions fraud. He added that Ireland’s inaction was “unbearable”, and called for a new EU-wide data authority to replace the “one-stop shop”.

Both the ICO and Irish DPC have issued just one fine each since May 2018, but have scores of cases under investigation.

Related stories
Where’s Wylie? H&M faces Nuremberg data leak trial
Group seeks €10bn pay-out over adtech GDPR breach
Privacy groups hit out at fresh delay to adtech probe
ICO strikes back at claims it has shut down all cases
‘Chicken’ ICO kicks adtech investigation into long grass
ICO ‘cosies up’ to industry in bid to tackle adtech issue
ICO urged to act now on adtech or be seen as soft touch
Irish data regulator ‘go-slow’ triggers judicial review
Google must ditch ‘forced consent’, French court rules
Irish data regulator issues first GDPR ruling in two years
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise