The Italian Data Protection Authority fines H&M for unlawful processing of employee data

Written By Luca Paleologo

In May 2022, the Italian Data Protection Authority (Garante) carried out an inspection at the headquarters of the company H&M in relation to the processing of employee data through video surveillance systems. It transpires that the company, a leader in the clothing sector, is responsible for processing the data of more than 4,000 of its employees, located in 166 shops nationwide.

As a result of the inspection, the Garante found that the company had violated Articles 5(1)(A), 88 and 114 of the EU Regulation No. 679/2016 (GDPR), which deal with the processing of data in the context of labour relations and the guarantees regarding remote monitoring. As a result of the investigation, it was found that H&M had installed and used video surveillance systems, in some of its shops, capable of filming the activities of the workers. This was carried out in the absence of a trade union agreement or authorisation issued by the labour inspectorate pursuant to Article 4 of Law no. 300 of 1970.

In fact, with reference to some of the points of sale, trade union agreements had been entered into, however, they were dated after the installation and activation of the surveillance cameras.

According to the provisions of the aforementioned law, video surveillance equipment, if it allows remote control of employees' activities, can only be used for organisational and production requirements, for work safety and for the protection of company assets. In any case, its installation must be carried out following a collective agreement with the trade union representatives or, where it was not possible to reach such an agreement, it must be preceded by the issue of a special authorisation by the Labour Inspectorate. This procedure is provided for with a view to the protection of collective and super-individual interests that must not be infringed upon by the employer and, precisely because of their nature, the aforementioned procedure is mandatory. In the present case, it appeared that the company H&M had informed its workers in advance of the installation of the video cameras, but this could not be considered an exemption from corporate liability.

H&M attempted to defend its position by claiming that it had installed the cameras in an area of transit and not of work activity, but the Regulator reiterated that even areas where employees pass or stop are subject to the full application of the rules on the protection of personal data. In the present case, moreover, the video camera systems were positioned in such a way as to film areas where employees were required to pass in order to perform their work duties.

 In addition to this, in a shop in Milan, images had been stored for longer than the time stipulated in the trade union agreement, i.e. 24 hours, with a consequent aggravation of the position of the clothing company.

For the reasons set out above, the Garante sentenced H&M to a fine of €50,000.00 for breach of Articles 5, 88 and 114 of the GDPR.

Luca Paleologo
Previous

The Italian Supreme Court rules out the Italian jurisdiction over the infringement of the German portion of an international design registration
Next

FAPAV/IPSOS SURVEY 2022