
The technological revolution has brought with it numerous advances that benefit us in many everyday workplace scenarios: they allow us to increase productivity, make better use and allocation of resources, and make organizational decisions faster.

While it is true that these benefits are the visible side of the coin, it is also important to keep in mind the risks they entail, such as increased control and surveillance by the company, among others.

It is paradoxical that we live in the information society and yet, on many occasions, we are not able to manage the large amount of information we handle. There is a misconception about information that leads us to think that the more data we process, the more information we will get. That is precisely one of the main challenges we must face: understanding the great distance between data and information.

In this regard, EU Regulation 679/2016, the General Data Protection Regulation (hereinafter referred to as GDPR), provides in Article 5.1(c) that the data in question must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("principle of data minimization"). In addition, Article 25.2 GDPR states that "The controller shall apply appropriate technical and organisational measures with a view to ensuring that, by default, only personal data that are necessary for each of the specific purposes of the processing are processed. This obligation shall apply to the amount of personal data collected, the extent of its processing, its retention period and its accessibility".

On 1 October, the Hamburg Data Protection and Freedom of Information Agency fined Hennes & Mauritz Online Shop A.B. & Co KG in Nuremberg (H&M Group) EUR 35M after a security breach was discovered in its service centre. This is the largest data protection fine imposed in Germany to date, and the second largest at European level.

In this case, the company collected excessive data relating to the private life of its workers, including special category data (health, sexual orientation, religion, etc.), to create a detailed profile of each worker on which supervisors relied when making labor decisions.  

The importance of the principle of data minimization

By carrying out this practice, the company belonging to the H&M Group, in addition to exploiting the position of superiority that characterizes the employer in industrial relations, seriously violates the principle of data minimization. As set out in Recital 39 GDPR, "(...) Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means (...)". Therefore, the use of family details, religious beliefs or workers' health data to manage the employment relationship constitutes serious interference in their personal sphere and, in any case, an unsuitable use of the data for the purpose pursued.

We are therefore faced with an important sanction that highlights the need for private companies to wake up and allocate the resources needed to create a true business culture in data protection, where it is as important to implement data protection policies as it is to raise workers' awareness.

Janire García, Data Protection Consultant.
