The fashion retailer H&M was fined over €35 million by a German data protection authority for data protection violations in a service centre
In the opinion of the data protection authorities, the combination of researching their private lives and the ongoing recording of what they were doing led to a particularly intensive encroachment on the rights of those affected. Against this background, the Hamburg Commissioner for Data Protection issued a fine of €35,258,707.95 which seems to be based on violations of art. 5 and 6 GDPR for the violation of which the highest threat of fines under art. 83 para. 5 GDPR applies. As a mitigating circumstance for the fine, the authority has taken into account that during the data protection proceedings and the processing of the events, the company management expressly apologized to those affected and paid the employees a considerable amount of compensation. In addition, a new data protection concept was introduced and further data protection measures implemented.
The amount of the fine, apparently calculated to the cent, indicates that the calculation of the fine was based on the calculation concept developed by the German data protection authorities for the calculation of GDPR fines. According to this concept, five steps are necessary to calculate a fine. The starting point for the calculation of the fine is the turnover of a company and certain factors that are intended to determine the severity of the infringement. According to our observation, the introduction of this concept has led to higher penalties being imposed in Germany as a matter of principle, at least for companies with high annual sales. Even though this is currently only a purely German concept, it has been introduced and discussed at a European level as part of the harmonization efforts. It remains to be seen whether this or a comparable approach will also become established at European level in the other member states. As far as can be seen, a similar approach already exists in the Netherlands.
The H&M matter further underlines the trend that data protection violations (whether negligent or intentional) are now also punished by the German data protection authorities with severe fines. It remains to be seen whether the fine will be imposed finally or whether H&M will appeal against it.
Orfanidou 2 , Thessaloniki, PC 546 26
Τ. (+30)2310 277 077
M. (+30)6978 188 463
F. (+30)2310 277 087
Zalokosta 44, Chalandri
Τ. (+30)2316 019 734
M. (+30)6948 053 377
Member of HIBA - Hellenic Insurance Brokers's AssociationΠολιτική ασφάλειας πληροφοριών