In acase concerningthe monitoring of several hundred employees of the H&M Service Centerin Nuremberg by itsmanagement, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 Euros against H&M Hennes & Mauritz Online Shop A.B. & Co KG. The company is registered in Hamburg and operates a service center in Nuremberg. Since at least 2014, parts of the work force have been subject to extensive recording of details about their private lives. Corresponding notes were permanently stored on a network drive. After absences such as vacationsand sick leave – even short absences – the supervising team leaders conducted so-called Welcome Back Talkswith their employees. Afterthese talks, in many cases not only the employees’ concrete vacation experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees’ private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs. Some of this knowledge was recorded, digitally stored and partly readable by up to 50 other managers throughout the company. The recordings were sometimes made with a high level of detail and recorded over greater periods of time documenting the development of these issues. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a detailed profile of employees for measures and decisions regarding their employment. The combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.This data collection was made known by the fact that the data became accessible company-wide for several hours in October 2019 due to a configuration error. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection through press reports, he first ordered the contents of the network drive to be “frozen” and then demanded it to be handed over. The company complied and submitted adata record of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practice safter analyzing the data.