Swedish supervisory authority imposes administrative fine on H&M for GDPR infringements in direct marketing

On 17 October 2023, the Swedish supervisory authority (IMY) found violations of the GDPR by the Swedish fashion group H&M. This was the result of six complaints from customers, some of them international, who had objected to receiving direct marketing from the company.
In these cases, H&M was accused – despite the complainants’ objections – of not having stopped processing personal data immediately.
IMY justified its decision by stating that H&M “did not have sufficient systems and routines in place to facilitate the exercise of the complainants’ right to object to direct marketing”.
IMY therefore imposed an administrative fine of SEK 350,000 (approx. EUR 28,500) for violations of the GDPR.