Data protection watchdogs in Germany handed down the second largest fine under the General Data Protection Regulation earlier this month, fining clothing store H&M €35.2, or $41.1 million USD, for essentially carrying out surveillance on some of its employees.

While many have lamented whether data protection authorities are issuing enough credible enforcement actions, the action is a reminder that GDPR fines, while maybe not as commonplace as the industry expected, can be significant.

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) handed the fine down after learning through local media reports last year that an issue at its customer service center in Nuremberg resulted in the company exposing employee data for a few hours. When confronted for evidence of the incident, H&M supplied 60 gigabytes of files that demonstrated the company had been recording information since 2014.

According to the European Data Protection Board, supervisors at the company recorded data from hundreds of employees – the regulator called the data “extensive recordings of the private-life circumstances” - while carrying out informal conversations. Supervisors at the customer service center in Nuremberg recorded data like employee vacation experiences, illnesses, family issues and religious beliefs - and stored it in a database that was readable by up to 50 managers throughout the company.

“The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues…” the EDPB wrote. “The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

Hamburg’s data protection authority didn’t know about the data collection until a technical issue with the company's network in October 2019 made the data accessible company wide, something that in turn led to media coverage. The authority said it believes the amount of the fine is appropriate to deter companies from similar privacy violations.

It’s the largest GDPR fine since CNIL, France's data protection authority, fined Google 50 million Euros in January 2019, alleging the way the company handles ad personalization violates the GDPR.

H&M, for its part, acknowledged the incident shortly after it became public, apologizing to its employees and stressing that its practices for processing employees' personal data were out of line. The company said earlier this month it was reviewing the fine carefully, adding that its since made adjustments to how it handles data privacy, data cleansing, and stores personal data.

While it's too soon to know whether the tides are changing around GDPR fines, the fact that this is the second highest fine levied since the regulation's inception in 2018 shows that securing privacy of individuals, especially employees, is still critical for regulators.