Return to work questionnaires and meetings are common after employees return from sickness absence. On 1 October 2020, the Data Protection Authority of Hamburg (the DPA) handed H&M a fine of €35.3 million for data protection violations which in part related to data collected at return to work meetings at its service centre in Nuremberg; the largest GDPR fine to date in respect of handling employee data.

Background

At H&M's Nuremberg premises, supervisors held 'welcome back talks' after colleagues returned from vacations and sickness absences of any length. Personal information would be recorded by supervisors, including details of the vacation experience or symptoms of illnesses and diagnoses.

By way of casual 'corridor' discussions, some supervisors would also obtain other details about employees, such as family problems and religious beliefs.

The information obtained from the welcome back talks and corridor discussions was partially recorded (but in some cases with a high level of detail), stored digitally and updated over time. On some occasions the data was accessible by up to 50 other management colleagues throughout the company.

The DPA concluded that the data of several hundred colleagues was collected and then used to profile them for measures and decisions in the employment relationship. The DPA said that "the combination of researching private life and the ongoing recording of what activity they were engaged in led to a particularly intensive interference with the rights of those affected."

There was an insufficient legal basis for the processing activities and a "serious disregard for employee data protection". The DPA considered the €35.3 million fine to be appropriate in the circumstances, and in hope that it would deter other employers from carrying out similar practices.

Since the finding, H&M has implemented new measures, including a newly appointed data protection coordinator, additional training for management and monthly data protection status updates. As well as liability for the GDPR fine, H&M committed to paying certain employees damages for its breach.

What should employers do in light of this action?

Return to work meetings can be a useful absence management tool, and this decision doesn't mean they need to stop. However, if you've not done so recently, it would be a good idea to audit the data you collect via return to work meetings, and any other practices similar to those used by H&M.

In practice:

  • Provide training to individuals who conduct return to work meetings – including on their data protection responsibilities.
  • Hold return to work meetings and similar conversations in a private area. Limit participants to those who 'need' to be there.
  • Discussions should generally follow a standard format, to ensure consistency, and focus on issues that matter.
  • Only record relevant information – this will vary case to case. Some discussions will inevitably be very personal, with discussion of medical conditions and family situations. It may be appropriate to record details that could impact on, for example, work, performance, health and safety, or future absence levels. However, it would not be appropriate to record additional information divulged by employees, if this has no bearing on their work.
  • Store the information securely and limit access to those with a genuine 'need to know'.
  • Ensure absence data is only used for 'legitimate' purposes, such as absence management, health and safety, and managing disabilities.

If you have any queries or require assistance in carrying out an audit of your current practices, please get in touch.

Contributors

Kathleen Morrison

Practice Development Lawyer

Martin Sloan

Partner