
At what point does data collection become surveillance? While many popular social media apps have been accused of digital surveillance, companies that collect and store employee information are not immune to the General Data Protection Regulation (GDPR).

Just recently, H&M was fined $41.3 million for illegally collecting mass amounts of personal information about employees – but where exactly did the company go wrong?

Fail #1: Collecting sensitive personal data without a legal basis

According to an investigation conducted by the Hamburg data protection authority (DPA), H&M collected a range of sensitive personal data from hundreds of workers employed at a German customer service centre. This included information about their medical history, family, vacations, and religious beliefs, which the clothing company allegedly used to build detailed profiles of employees and inform performance reviews.

In addition to the intrusive nature of these questions, H&M didn’t have a legal basis for collecting this data.

Given the risks associated with exposing such sensitive information, the GDPR “strictly prohibits” organisations from processing certain categories of data unless they satisfy one of the special grounds for processing outlined in Article 9 of the legislation.

Fail #2: Poor data security standards

The entire H&M privacy scandal came about due to a data breach of the company’s database in October 2019. At the time of the breach, the database contained at least five years’ worth of employee data and could be accessed by 50 other managers throughout the company.

For several hours, this information was made accessible to the entire company’s internal network.

Besides breaching the trust and privacy of employees who reportedly shared personal information in one-on-one conversations with their supervisors, H&M failed to put in place adequate data security measures to ensure that only authorised parties could access this information.

What can businesses learn from the H&M scandal?

Perhaps the most important takeaway from this latest privacy scandal is the importance of data minimisation.

In Article 5 of the GDPR, the law states that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

That is, your business should only collect as much information about your employees as is necessary and relevant for a given purpose. Asking for and recording excessive amounts of personal data on your employees isn’t just intrusive – it may be unnecessary and therefore unlawful for you to do so.

As more of the modern workforce turns to remote working in the ongoing COVID-19 pandemic, many businesses are increasingly monitoring employees via routine health check-ins and online communications.

To avoid running afoul of the GDPR, however, businesses must take care to limit how much data they collect about employees or, at the very least, put in place adequate data security measures to protect that information.

Create a GDPR privacy policy for your business

Our website privacy policy generator is trusted by thousands of small businesses around the world. Generate your GDPR-ready privacy policy with GetTerms.io.