On October 17, 2023, Integritetsskyddsmyndigheten (IMY), Sweden’s supervisory authority, issued a decision imposing an administrative fine on the retailer H&M for violations of several articles of the GDPR.
The decision follows six complaints submitted by individuals in Poland, Italy, and the United Kingdom, who had objected to direct marketing from the retailer and still had their personal information processed for marketing purposes. The supervisory authorities in the respective countries handed these complaints over to the Swedish authority under Article 56 of the GDPR, and IMY investigated them under Chapter VII, which regulates the cooperation between a lead supervisory authority, in this case Sweden, and the other supervisory authorities concerned, which in this case are those of Germany, Slovenia, France, Denmark, Spain, Norway, Italy, Finland, Poland, Belgium, Portugal, Cyprus, Estonia and the Netherlands.
Between July 2018 and September 2019, the six affected individuals each objected to the processing of their personal data for marketing purposes, yet each continued to receive marketing materials in the form of unsolicited newsletters from the company, some for 3 more months after objecting and others for a year and a half.
While H&M has confirmed that they received the six objections, they were unable to locate the correspondence between themselves and the six affected individuals, as the retention period for communication with the customer service department had expired. As regards the means for objecting, the retailer allows its customers to do so in three ways:
In their answer about the six complaints, H&M stated that it is only in a handful of cases that issues with unsubscribing customers from further mailings arise and that in October of 2019, the company launched a project for continuous management and improvement and appointed IT, data protection, and marketing specialists with the goal of resolving such cases. Following the work conducted for this purpose, the company identified the root cause for these issues, and performed bug fixes associated with customer service manual changes to a customer's subscription status, bug fixes associated with the subscription status of a member/account holder's account settings, and adjustment of procedures, working methods, and further training of customer service personnel.
Between May 2020 and December 2020, the company implemented a series of technical solutions that improved how the unsubscribe signal was handled: when a customer clicked on an unsubscribe link, the signal was sent directly to the relevant system, as opposed to the previous setup, in which the signal was sent to a different system that needed to communicate with surrounding systems for the unsubscribe action to take place.
In reaching the decision to impose an administrative fine, IMY argues that H&M violated the following articles of the GDPR:
The administrative fine, SEK 350,000 (approx. $33,000), was determined based on Article 83(5), which mandates “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.” In the case of H&M, IMY found that the company's annual turnover for 2022 was approximately SEK 223,553,000,000 (approx. $21,205,000,000), which would mean that the 4% penalty would amount to approximately SEK 8,942,120,000 (approx. $848,000,000). However, IMY found that the seriousness of the violations was of a low degree, that there were no aggravating circumstances, and that, as a mitigating circumstance, the company had since implemented technical measures and corrected the bugs that resulted in the violation.