H&M Retailer Fined for GDPR Violation
On October 17, 2023, Integritetsskyddsmyndigheten (IMY), Sweden’s supervisory authority, issued a decision imposing an administrative fine on the retailer H&M for violations of several articles of the GDPR.
The decision comes after six complaints were submitted against the retailer by individuals in Poland, Italy, and the United Kingdom, who had objected to direct marketing and still had their personal information processed for marketing purposes. The supervisory authorities in the respective countries handed these complaints over to the Swedish authority based on Article 56 of the GDPR, and IMY investigated them further based on Chapter VII, which regulates the cooperation between a lead supervisory authority, in this case Sweden, and the other supervisory authorities concerned, which in this case are those in Germany, Slovenia, France, Denmark, Spain, Norway, Italy, Finland, Poland, Belgium, Portugal, Cyprus, Estonia and the Netherlands.
Between July 2018 and September 2019, the six affected individuals each objected to the processing of their respective personal data for marketing purposes, and each one continued to receive marketing-related materials in the form of unsolicited newsletters from the company, some for 3 more months after objecting and others for 1 year and a half.
While H&M has confirmed that they received the six objections, they were unable to locate the correspondence between themselves and the six affected individuals, as the retention period for communication with the customer service department had expired. As regards the means for objecting, the retailer allows its customers to do so in three ways:
- Customers can change their subscription status in their account settings;
- Customers can unsubscribe from communications via a link located in each newsletter;
- Customers can contact the customer service of H&M.
In their answer about the six complaints, H&M stated that it is only in a handful of cases that issues with unsubscribing customers from further mailings arise and that in October of 2019, the company launched a project for continuous management and improvement and appointed IT, data protection, and marketing specialists with the goal of resolving such cases. Following the work conducted for this purpose, the company identified the root cause for these issues, and performed bug fixes associated with customer service manual changes to a customer's subscription status, bug fixes associated with the subscription status of a member/account holder's account settings, and adjustment of procedures, working methods, and further training of customer service personnel.
Between May 2020 and December 2020, the company implemented a series of technical solutions so that, when a customer clicked on an unsubscribe link, the signal was sent directly to the relevant system. Previously, the signal was sent to a different system that would need to communicate with surrounding systems for the unsubscribe action to take place.
In reaching the decision to impose an administrative fine, IMY argues that H&M violated the following articles of the GDPR:
- Article 6: Lawfulness of processing - Once the six individuals objected to the processing of their personal data, H&M no longer had a legal basis for processing the data. In continuing to send newsletters to the individuals after they objected, the company violated Article 6 of the GDPR.
- Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject - Four of the six individuals tried to use the unsubscribe link with little success and informed the company of this issue. The company delayed addressing the issue for too long (June 2018 - October 2019) and in doing so did not facilitate a user’s exercising their data subject rights, particularly the right to object.
- Article 21: Right to object - Once a data subject has exercised their right to object to processing for direct marketing purposes, as granted by Article 21 (3), the data must no longer be processed and, according to Article 12 (3), the person in charge of the personal data must, without undue delay but no later than one month after the request is received, take the necessary measures to satisfy the request and inform the data subject concerned about the measures taken for this purpose. In not granting the request to object to processing for direct marketing, H&M violated both Article 12 (3) and Article 21 (3).
The administrative fine, SEK 350,000 (approx. $33,000), was determined based on Article 83 (5), which mandates “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” In the case of H&M, IMY found that their annual turnover for the year 2022 was approximately SEK 223,553,000,000 (approx. $21,205,000,000), which would mean that the 4% penalty would amount to approximately SEK 8,942,120,000 (approx. $848,000,000). However, the seriousness of the violations was of a low degree, there were no aggravating circumstances, and as a mitigating circumstance the company has since implemented technical measures and has corrected the bugs that resulted in the violation.
How can Clym help?
Clym helps to keep your website compliant with GDPR requirements, as well as 40+ other global regulations. Clym offers the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can see Clym in action for yourself by booking a demo or reaching out to us today to discuss your specific needs.