Updated: Oct 7, 2020
The German Data Protection Authority has issued the second-largest fine to a single company under the EU General Data Protection Regulation (GDPR). The GDPR changed the way personal data can be collected and used, and it also requires companies to be fair and transparent. This is where H&M failed.
The company has been fined €35.3m and had to apologise “unreservedly” for having put in place illegal surveillance affecting several hundred employees. The world’s second-largest fashion seller also kept “excessive” records on the families, religions, and illnesses of employees at its Nuremberg service centre, which were then used to review performance and make employment decisions.
As a reminder, only last year Google was fined £45m by the French data regulator CNIL for breaching the rules.