In a recent development, the Swedish Data Protection Authority, known as IMY, has taken action against global fashion retailer H&M for its failure to comply with the General Data Protection Regulation (GDPR).
This decision comes in response to six complaints filed by individuals who objected to receiving direct marketing communications from the company.
In this blog post, we delve into the details of the case, highlighting key findings 👇
Origin of the Case
The saga began when IMY initiated supervision of H&M based on six complaints from individuals who raised concerns about receiving unsolicited direct marketing materials from the company. It’s important to note that these complaints came from individuals in various countries, including Poland and Italy. However, since H&M is headquartered in Sweden, IMY took on the responsibility of investigating the matter.
Key Findings
IMY’s investigation yielded crucial findings that underscored H&M’s non-compliance with the GDPR:
- Continued Handling of Personal Data: The primary violation identified by IMY was H&M’s failure to promptly cease the handling of personal data belonging to the complainants for direct marketing purposes. Although these individuals had clearly expressed their objection to such marketing, the company did not stop processing their data for that purpose without undue delay.
- Lack of Systems and Routines: Additionally, IMY’s decision pointed out that H&M lacked the necessary systems and routines to facilitate the easy exercise of the right to object to direct marketing by those who had filed complaints. This deficiency contributed to the GDPR violations.
The Decision
In light of the GDPR breaches uncovered during the investigation, IMY has taken decisive action against H&M. The authority has issued an administrative fine of SEK 350,000, which is approximately 28,500 EUR. This fine serves as a clear message that non-compliance with GDPR regulations will not be tolerated.
IMY’s decision to fine H&M for GDPR violations emphasizes the importance of data protection and of respecting individuals’ rights to control their personal data. It’s a reminder to businesses operating within the European Union and handling personal data to implement robust systems and procedures to honor data subject requests, such as objections to direct marketing. This case serves as a valuable lesson for companies of all sizes on the significance of GDPR compliance and the consequences of non-compliance.