Contractors, go belt and braces on GDPR to ensure your practices don’t mirror H&M’s
It might be an unlikely corporate candidate to come up short for GDPR compliance, but fashion retailer H&M has pocketed the second largest fine that a single company has bagged under the EU’s data legislation.
In fact, the Hamburg State Commissioner for Data Protection and Freedom of Information (Germany’s data protection watchdog) has fined H&M’s online store a hefty €35.3 million (£32 million) for the unlawful monitoring of employees in its service centre.
Despite this monitoring only affecting those on the fashion firm’s payroll, contractors should not put this case by for another time – it has a Big Brother-style underbelly that many IT contractors will want to ensure doesn’t fit with them, personally or professionally, writes Lily Morrison, legal consultant at Gerrish Legal.
The case of the fast-fashionista who flouted data law
The H&M Nuremberg service centre had, since at least 2014, kept extensive records of personal information on the living circumstances of its employees -- indefinitely. The watchdog discovered that some files contained notes from “Welcome Back Talks,” which had been conducted years earlier with employees following absences, and which recorded specific personal stories about holidays as well as trivial conversations.
There were also records on absences containing information about diseases and symptoms. During these meetings, H&M supervisors had acquired detailed information about the private circumstances of employees through individual talks. The watchdog noted that this information ranged from “harmless details, to family problems, and religious confessions”.
This information was partly recorded digitally and was accessible by up to 50 managers. The records were highly detailed and organised chronologically, so the practice amounted to a particularly intensive interference with the rights of the employees. The recorded personal information was used to assess individual performance at work. It could even be used to create profiles of employees that could be used with regards to measures and decisions affecting the employment relationship! On one occasion, in 2019, there was a data breach which meant that the records were accessible -- across the company -- for two hours.
The watchdog has now concluded that this monitoring was not proportionate and does not comply with the data protection obligations that the company had, and has. Not only has H&M been fined a huge amount (proving that data watchdogs are willing to inflict steep penalties under the GDPR), but the Swedish multinational has also accepted that it will need to pay a considerable amount of damages to employees.
This huge fine will have everyone keen to make sure they do not fall foul of excessive data collection and monitoring. So, what are the practices to avoid and how can you keep records properly, and proportionately?
The rules (and liabilities) for independent contractors
It should be noted firstly that an independent contractor working for a company with employees will still have obligations under EU and UK data protection legislation. While employees working for a company normally come under the direction and supervision of the employer and so are not given specific responsibilities under law, this is not the case for independent contractors.
When receiving services, if the company provides the contractor with personal data in order to perform their role, the company will be a ‘controller’ and the contractor a ‘processor’ of that data. This means that a contractor must demonstrate to their client that they are using the data shared with them in accordance with data protection laws, following the principles of ‘data minimisation’ and using the data proportionately, while also having adequate security measures in place to protect the data.
This does not mean that a contractor will only be a ‘data processor’ -- many contractors might have their own data that they are responsible for and need to decide what the purposes of processing the data will be, in which case they will be a ‘controller’ of data.
While the roles and duties between the contractor and the company will heavily influence this relationship, as a general rule, contractors will be responsible for the data they use and process during the relationship. For in-depth guidance on the processes a contractor should follow, check out our previous guidance for ContractorUK readers.
However, the recent H&M fine has shown that it is equally essential to ensure that end-clients follow their own data protection obligations. As we know, controllers can be jointly liable under EU legislation and failures from a client to follow the rules could mean that all practices fall under strict scrutiny and receive the same bad press. So, what should a contractor look out for when engaging a client to make sure both parties follow the rules properly?
What end-users should be doing to be GDPR-compliant
There is a lot of guidance available from the Information Commissioner’s Office (the UK’s data protection watchdog) about monitoring employees while at work, and in general the rules that employers have to follow when they collect information about their staff.
And while monitoring is an accepted way of ensuring proper performance in a role, and data protection rules do not prohibit it, the methods of monitoring must be necessary and legitimate to satisfy those rules, and any adverse impacts must be justified. Employers should carry out ‘impact assessments’ to justify the approaches they are taking, and ensure the procedures they have in place are open.
Of course, it is a company’s business to work out these policies and ensure they follow the guidance when they engage an independent contractor, yet these practices may inevitably affect the contractor, depending on the processing that will occur between the parties. So, what can contractors do to make sure their end-users are following their own rules?
Practical steps for IT contractors to take in wake of the H&M case
Firstly, when you as a contractor are engaging any client, in any setting, explicitly ask them about their data protection compliance.
Any legitimate organisation carrying out data processing in a proper way and following their obligations should be both able and willing to provide you with information about this. Any hesitancy or difficulty presented when asking about this would be a red flag.
Contractors should ask for:
- an example of the steps the end-user has taken to ensure GDPR compliance;
- the identity/details of the data protection team and officers they might have in place;
- copies of the end-user’s privacy policies (likely kept by the DP team);
- evidence that any data which they (the contractor) are being provided with -- as part of the contract or work required -- has been obtained properly and can, legally, be used.
Depending on the size of the company, or the amount of data being collected and used, the end-user may also have IT security policies that can be outlined and provided to you -- the contractor.
This would be especially important if your role or assignment involves handling specific data or software programming. Companies highly involved in data should be able to explain their security practices, which might involve the pseudonymisation or encryption of data, and be able to explain what their processes are for regularly testing and evaluating these measures.
However, even if a company is not mainly involved in the processing of data, they should still be able to explain the security measures in place that ensure any data that is collected is protected.
Make your own pre-engagement checks and do due diligence
This objective can also be achieved by, or be the subject of, an independent risk assessment carried out by contractors themselves. Similarly, before engaging any client, contractors should do some basic market research to check the company’s websites and any reviews of the firm online. Most companies should have their privacy policies displayed on their websites or portals, and have appropriate ‘cookie’ banner wording alongside access to ongoing privacy settings on the website. These aspects are normally a good indicator, from the outset and from the outside looking in, of what that company’s internal data protection processes will be like.
Next, contractors should make sure to document this risk assessment and any information provided to them by the end-user, to demonstrate that they, as an independent external consultant, have not just taken a company’s assurance at face value, but instead have performed their own ‘due diligence’ checks.
Then, when in any process of contract negotiation, ensure appropriate wording is included.
This will involve considering the data that will be provided, and what the journey of that data will be. For example, is it possible that the end-user will transfer data outside of the EU? Is this something that you are willing to accept, as their contractor? The contractor’s consent or objection to this should be clearly stated in the contract, and the consequences of sharing should be set out.
Be aware that it is important to ensure the contract clearly defines the roles of both parties and what their level of responsibility will be. Stating that both parties warrant they are treating data properly and remain responsible for the data that they use and process is imperative -- although, of course, some responsibilities under data protection rules cannot be avoided.
When contractors need a DPA
Consider, though: if the relationship and services to be performed will involve a considerable amount of data, it is highly recommended to enter into a ‘Data Processing Agreement’ (DPA) as well as a main contract.
The DPA will set out in a higher level of detail the treatment expected of data. And not only this, but the DPA would also clearly demonstrate to data authorities -- like the ones who just fined H&M for coming up short -- that the contractor actively thought about what was being shared between parties, and how it could do all in its power to ensure this was done properly.
Finally, if all of the steps above have been followed but there remain concerns from you, the contractor, about the practices of an end-user, quite simply -- do not process any data.
No silver bullet (so ready your own proof)
Even the most careful risk assessment and strongest contracts will not justify violating data protection laws. If a company does not seem to have proper measures in place, immediately stop processing and notify them in writing of your decision to desist. Our recommendation here ought to indicate to you something else -- that ‘due diligence’ and signing a data processing agreement is not a one-time thing; contractors must constantly and continually review the parties they contract with, to ensure that their processes are as diligent as the contractors’ themselves.
Penultimately, and crucially, it should be borne in mind that a data protection authority (whether in Germany or the UK) should not hold a contractor responsible for GDPR violations where the contractor has followed all of their obligations and was not aware of internal practices which were illegal.
However, this does not mean that a contractor should simply turn a blind eye to their clients’ data protection practices in the hope that they can avoid any responsibility for them. There is a responsibility for all data processors to ensure that the parties they engage also handle data properly, so it is imperative for contractors to be as thorough as possible and document all of their findings. If something does not seem right, ask about it, and document your investigations!
Lastly, data processing relationships can be very convoluted, and a large company or client could mean a difficult bargaining process for you the contractor, which could become more confusing and frustrating depending on the departments involved. This is why we always recommend getting legal advice when entering into a relationship -- it proves that a contractor is serious about compliance and ensures the proper steps have been taken to follow specific obligations.
It’s from H&M: an apology
For it to prove that it is serious about compliance, on top of paying the hefty fine, H&M has issued an “unreserved apology” to its affected staff, who probably feel more than a little snooped on. Fortunately for those in the retailer’s tech division, part of its corrective action includes “improved IT solutions”.
The company has also said it wants to “emphasise its commitment to GDPR compliance and reassure its customers and employees that the company takes privacy and the protection of all personal data as top priority.” To some, its data processes will so far appear over the top, with impressions of the clothing retailer not helped by the fact that its excessive record-keeping was only discovered upon investigation of the two-hour breach in 2019. Let’s hope the fashion firm can now cut its data cloth accordingly, and compliantly.