Karen Lawrence Öqvist
H&M (a Swedish business), although the fine of €41,4m was due to practices in one of their German outlets which were not compliant with GDPR.
Clearly as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive and a DPIA must be conducted on how the notification and following process is done in order to any identify privacy risks, and remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.
It seems that H&M were in conducting a “welcome back to work” after sick/vacation interview, recording the contents of the conversation, and storing it somewhere, which badly for them became exposed, which meant they got found out because they were reported to the German DPA.
It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications -from what I read- are that this personal data was in fact used beyond purely storage, in that 50 managers had access.
Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!