CNIL partners with Order of Chartered Accountants to help SME to improve their compliance with the GDPR.

While many transnational companies continue to feel headache after ‘Schrems II’ hit in July, the problem for SMEs looks simpler and more trivial: they seem to be unable to meet even more general and clear data protection requirements without external help.

This can return us to early talks (they are sometimes heard now, though) that the GDPR may be too burdensome for many business actors. And we see it can really be like this.

H&M have invaded employee privacy

So hot of the press is that H&M (a Swedish business), although the fine of €41,4m was due to practices in one of their German outlets which were not compliant with GDPR.

Clearly as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive and a DPIA must be conducted on how the notification and following process is done in order to any identify privacy risks, and remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.

It seems that H&M were in conducting a “welcome back to work” after sick/vacation interview, recording the contents of the conversation, and storing it somewhere, which badly for them became exposed, which meant they got found out because they were reported to the German DPA.

It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications -from what I read- are that this personal data was in fact used beyond purely storage, in that 50 managers had access.

Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!