
Good first step. Hope it leads to less data collection to be honest.


The weird thing about this case is that it was completely informal data collection, about employees by their mid-level managers. Doesn't even look like upper management was involved.

Very different from the usual concerns about large-scale, organized collection of data about end users.


There is nothing weird about this. If you are not allowed to collect/archive certain data, you are not allowed to do so. This is not limited to customers. And that is good.


I think that's actually excellent. It shows that any kind of data collection is subject to the GDPR. This is something I've been warning companies about for a while now: they believe - quite erroneously - that as long as the system isn't automated they are free and clear, but the GDPR doesn't say anything about automation. So even if it is informal and even if you use stone tablets you are still subject to the law.


Well, strictly speaking, automation is a key factor.

If it's automated, it's always GDPR.

If it's not automated, it's GDPR under the condition that the data is part of a filing system.

So if you order your stone tablets alphabetically by their title, it's GDPR, but jumble a sufficiently large pile of stone tablets and you're in the clear.

In practice, this means that if you have a warehouse full of unordered boxes full of unordered forms, then somebody exercising their right to be forgotten cannot force you to go through every single box to see if there is data in there.

Conversely and frustratingly, if you have one gigantic folder of digital media, then you are technically required to actually go through that data, although I've heard of cases argued with authorities where this can be forgone in cases where it would be extremely uneconomical.

I'm still anxiously waiting for the first big decision on e-mail, for example. In large-scale corporate environments, good luck identifying every email containing personal data of a particular person, should that person ever exercise their right to be forgotten.

(Edit: no idea why you got downvoted, you raise an important point)


That organizational aspect is actually not all that clear cut and I would hold off on making strong statements about what counts as a filing system. A stack of paper might qualify, ordered or not for instance when it pertains to similar data gathered on others, something that can be searched automatically would definitely qualify and so on.

Finding out where that line is is probably going to be an interesting academic exercise which will result in lots of fines that could have been avoided easily: if you don't have a right to process certain data in an automated way pretend you don't have that right at all to stay safe.

After all, once the data is sufficiently disorganized to be searched efficiently it is also sufficiently disorganized to keep it secure and a data leak of disorganized data would be just as big an issue as gathering the data itself.


I agree; what counts as a filing system remains to be seen. Hence why I used a "sufficiently large" pile of stone tablets, to put it beyond doubt that it's not organized regardless of how strict or relaxed the interpretation.

I don't recall the source at the moment, but one convincing argument I've heard was that an amount of disorganized data that you can organize given a few hours time would probably be treated as equivalent to organized data in the eyes of the authorities, otherwise you'd have a trivial loophole.


There is that and there are multiple cases where a single individual affected by a transgression already led to fines as well as the fairly low count that is used to determine if a transgression is a significant one (10!).


> The weird thing about this case is that it was completely informal data collection, about employees by their mid-level managers.

The article says that "H&M collected information on illnesses [...]".

Data concerning health is among the Article 9 special categories of personal data [1], the processing of which is generally prohibited, with only a few exceptions. I'm all but certain that a mid-level manager collecting this data does not fall under any of the exceptions.

[1] https://gdpr.eu/article-9-processing-special-categories-of-p...


You are most certainly right. But I think parent's point was that informal data gathering at mid-manager level is a difficult thing to protect yourself from, as a large corporation. Any clueless manager can open an Excel file and type in personal information about their reports. Training and policies can help, but not completely prevent. When you build larger software systems you can have audit processes in place etc. But the informal level is tricky.


In the eyes of regulators, you're expected to clue in the clueless.

Training people in basic IT security is difficult, too, but it's still done. Of course the results aren't going to be perfect, but at least most people will then understand that writing down a password on a post-it under a keyboard is a no-no.


In this case they seem to have collected 60 GB of data shared among 50 managers. It's interesting that no one raised an issue. It only became known after the network share was made visible to more people by mistake.


That clearly rises well above the level of “someone entered personal data into a spreadsheet”. At that level it is absolutely a negligent failure of the company to A. train and educate its managers, and B. audit operations to shut down activities like this.


Awareness program and an annual refresher aimed at H&M middle management level imminent. That's a lot cheaper than these fines would be.


Well, the problem is that to be consistent (and safe), you'd have to do a similar training for every possible offense. GDPR is top-of-mind for HN readers, but any large company is likely constantly violating at least dozens, if not hundreds or thousands of regulations. Ask any corporate lawyer how you could avoid violating any regulation or law, and they will just give you a blank stare, or tell you it's impossible.


Very few laws have as many teeth in them for corporations as the GDPR does, it was designed with that particular aspect in mind. The EU bureaucrats have a personal stake in the outcome so that definitely helped to focus them.


I suppose you're right that companies should weigh their efforts in favor of complying with laws that bureaucrats are personally invested in. That said, I see this as a rather sad state of affairs.


It's pretty much as open-and-shut a clear violation of having consent and a right to process that data as you could come up with. They got off light in my view, but then again, it is a first-time offense so maybe not all that light.


And the first of these exceptions is employment. That's quite reasonable because an employer keeps track of employees' absence for health reasons and will come to know some details in case of serious health problems/long absences.

In this case they collected data after sick leaves, but (a) it seems they collected quite a bit of information regarding private life, perhaps more than could be deemed reasonable and (b) the data leaked because they did not secure it properly.

This sort of file on employees used to be very common. Regulations have made them 'tricky', especially if managed "as it's always been done" without expert, up-to-date input on what's allowed and acceptable, and how to keep it secure, which seems to have happened at H&M... So definitely a failure of the company management, and I'm sure that all managers have been put through compulsory training since, with a very clear message that ignoring it means instant dismissal.


> an employer keeps track of employees' absence for health reasons

That works differently in Europe. Employee health is a personal matter, and the employer does not get automatic access to that information. The employer can get a dedicated physician (affiliated but not employed by your employer) to assess your illness and guide you back to work, but even then the physician's records are off-limits to the employer.

Speaking only for NL here, but I think the regulation is the same EU-wide. When you call in sick, you are not obligated to answer any questions from your employer except:

- whether the cause of the illness is (or might be) work-related

- how much time you expect to be out

- discuss a next moment of contact (phone appointment or presence in the office)

Any data regarding the illness itself is off-limits for the employer, you are allowed to volunteer the information but the employer strictly isn't even allowed to ask.


I am writing from Europe.

I am not suggesting that an employer has access to employees' medical records. However, the fact is that employers will reasonably keep track of sick leave and will in practice (and quite reasonably) have knowledge of health information, very often including the illness.

Personally, I think things start to go too far. Saying that "employee health is a personal matter" is going too far. Intimate details are of course personal and people may not want to share too much (and that's fine), but an employee's health, insofar as it impacts their job, very much concerns the employer, but it must be handled lawfully, reasonably, and tactfully by them. If the employer has a clear picture it is not necessarily negative for the employee, as it means that the employer can adapt and take the appropriate supportive action. I think that the legislator recognises this, seeing that employment is an exception to the GDPR's ban on health information processing (obviously without reason).


> Speaking only for NL here, but I think the regulation is the same EU-wide.

In Germany the doctor only certifies that the employee is unable to carry out their work duties. The reason why is a secret between doctor and patient.

In Finland the doctor sends the ICD code to the employer.

So there is no EU-wide regulation. IIRC GDPR says that data is protected unless the exchange is regulated by a law or the subject has consented. (It's been a while since I read it...) Laws are national.

