Insights on outsourcing and other lessons from a data breach – the UK FCA perspective

On 13 October 2023, the UK Financial Conduct Authority (FCA) published its press release and Final Notice to Equifax Limited (Equifax Ltd), the UK subsidiary of US company Equifax Inc, in relation to a major 2017 data breach which affected over 13.7 million UK consumers. The FCA determined that the firm had breached Principles 3, 6 and 7 of its Principles for Businesses and imposed a fine of over £11m on Equifax Ltd. The firm agreed to resolve the matter and so qualified for a 30% discount for early settlement. Continue reading

High GDPR fine issued but not for a data security breach

The Hamburg data protection regulator in Germany has issued a fine of €35.3 million against retail firm H&M for breaches of the GDPR relating to the excessive and unlawful collection of employee data. Interestingly, although the fine is the highest yet levied by a German regulator, it did not relate to a data security breach, which is how we have to date seen the biggest fines originating. In comparison to multiple high profile ongoing enforcement investigations in the UK and Ireland, the investigation in Germany has also been concluded at relatively high speed, in just under a year.


H&M is registered in Hamburg and operates a service centre in Nuremberg. Since at least 2014, according to the Hamburg regulator’s investigation, parts of the workforce have been subject to extensive recording of details about their private lives.

After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, comprehensive details of the employees holiday experiences or illness and diagnosis (in the case of sickness absence) would be recorded. In addition, some supervisors recorded personal information ranging from rather harmless details to family issues and religious beliefs as a result of casual and informal conversations with employees.

The recorded information was accessible by up to 50 other managers throughout the company and the information was used to create a detailed profile of individual employees and sometimes used to make employment-related decisions.

The excessive and unlawful collection of employee data came to light towards the end of October 2019 when a configuration error meant that the data became accessible company-wide for several hours. The Hamburg regulator was informed about the data collection through press reports and proactively issued an order for the contents of the network drive to be “frozen” and then demanded it to be handed over. The company complied and submitted a data record of around 60 gigabytes for evaluation.

Despite the company’s full cooperation with the investigation, and its offer to compensate affected employees – actions which the regulator acknowledged as being an unprecedented acknowledgement of corporate responsibility following a data protection incident – the regulator considered that the seriousness of the breach warranted a significant fine (although not as significant as it appears it could have been according to the German authorities’ fine calculation model).

Practical Implications

We have set out below some key takeaways from this enforcement action:

  • Be warned that significant fines are not only reserved for security incidents – there are many ‘breaches’ of the GDPR that could potentially result in a fine of up to 4% of annual worldwide turnover;
  • Make sure that your HR and privacy functions are joined up and that HR personnel are properly trained in data protection issues – the HR function is a naturally data heavy part of any organisation;
  • Even within the HR function itself, ensure that personal data is only accessible to personnel on a need to know basis;
  • Keep the data minimisation principal front of mind and only collect data that is necessary; and
  • Full cooperation with the regulator could lead to a reduced fine but will not absolve an organisation of regulatory liability.
Miriam Everett
Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378