Protecting employees’ privacy and its limits is still an issue in today’s digital world, drawing the attention of more and more employers.

An example of when the privacy protection rules have clearly been broken by an employer is described in a decision issued by the Hamburg Office for the Protection of Personal Data and Freedom of Information. The office has imposed a fine of EUR 35.3 million[1] on the global fashion brand Hennes & Mauritz Online Shop A.B. & Co KG (“Company”) for an extensive breach of the personal data protection and protection of privacy of its employees. The company based in Germany unlawfully collected and stored records about its employees’ privacy since at least 2014.

One of the ways when Company obtained such data was inviting its employees to so-called “Welcome Back Talks” after they had returned to work from vacation or a sick leave. Team leaders recorded particular holiday experiences, medical symptoms and diagnoses of the employees during the interviews. Moreover, some managers were also collecting extensive information from the private life of other employees during one-on-one conversations or “corridor chats”, a majority of which concerned their family problems and religious beliefs.  

These findings were recorded, digitally stored and accessible to several dozens of leading employees having access to them at one time. These records were very detailed and regularly updated. The Company used all the collected data to assess individual work performance of a particular employee and to take employment-related measures and/or decisions.

These unlawful data collection practices were revealed due to a configuration error that made all collected data available to all Company employees. Subsequently, the Company submitted as much as 60 GB of collected data during the inspection.

The presented case does not only involve a serious interference into the right to the protection of employees’ personal data, but also into the right to the protection of their privacy. The Company admitted its mistake and, in addition to adopting corrective measures, it has also proposed to pay financial compensations to its employees.



Newsletters are one of the most widely used and most effective online marketing tools. They are used for sending specific information (news, sales, special offers) of a largely promotional nature by email. Their key benefits are low operating costs and maintaining permanent contacts with customers.

Pursuant to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR regulation”), the processing of personal data for direct marketing purposes may be considered as a legitimate interest and obtaining a data subject’s consent is not required for this particular purpose.

In addition to the GDPR regulation, the distribution of newsletters is also governed by Act No. 351/2011 Coll. on electronic communications, as amended. This act stipulates that the newsletters may only be sent with prior consent of a newsletter recipient and such consent must be demonstrated. However, it also specifies an exemption when such consent is not required by the law – in the case of direct marketing of a sender’s own similar goods and services to a recipient whose email contact information has been obtained by the sender in connection with the sale of goods or services.  

An example of the violation of said principles is described in a decision of the Personal Data Protection Office of the Czech Republic which has imposed a fine of 6 million Czech crowns (EUR 221,696)[2] to a company engaged in the sale of used motor vehicles. The company had regularly distributed newsletters to data subjects – natural persons (including newsletters offering goods and services) and, at the time of inspection, was unable to demonstrate the legal basis for the processing of personal data according to Act No. 480/2004 Coll. on certain information society services and on amendments to certain acts (“Act”) for a large number of the contacts that were inspected. In other words, the company did not have consents required under the Act (the provision of §7 of the Act is nearly identical with that applied in the Slovak Republic), nor did it cover the situation when such consent is not required where the advertising of its own similar goods and services which were provided to the particular data subject in the past is involved. The inspection was quite an in-depth one as the Office requested that the legal basis for the processing of personal data be demonstrated for several thousands of contacts. However, the Office did not content itself with an overview of the legal basis only, but it also requested that the granted consents be presented and insisted that the existence of customer relationships be demonstrated either by an invoice or another proof. Moreover, the Company argued during the inspection that it had ordered the distribution of newsletters as a service from a number of companies, trying to transfer the responsibility for the processing of personal data to those companies. The Office held in this respect that ordering the services from third parties has not relieved the Company of its responsibility to make sure that the processing of personal data is only carried out on a relevant legal basis and that it is not enough to rely on the assurances of third-party service providers that they process such data on a relevant legal basis.

In the reasoning to its decision, the Office concluded that the consent must be obtained in advance and must be given to a specific sender. The consent cannot be a general one, granted to an unspecified number of entities. It also emphasised that the consent to receiving newsletters has to meet the parameters of the consent of the data subject under the GDPR. Given the fact that the consents had also allegedly been given by phone in the case at hand, the Office discussed the ways to avoid disputes concerning the existence of consent, as well. One of them is a so-called double opt-in procedure, i.e., sending a confirmation from an email address or a phone number that the recipient gives his/her consent to receiving marketing messages at that email address or phone number.

The above-discussed decision does not only supplement the application practice, but, given the size of the fine, it also warns against a reckless approach to the sending of marketing messages.

We believe you have found this information useful. If you wish to learn more, please do not hesitate to contact us.



Viktória Poliaková, Zuzana Krajčovičová