Changeflow GovPing Privacy Enforcement H&M Fined for GDPR Marketing Violations
Priority review Enforcement Amended Final

H&M Fined for GDPR Marketing Violations

Favicon for www.imy.se IMY News (Sweden DPA)
Filed October 19th, 2023
Detected February 24th, 2026
Email

Summary

The Swedish Agency for Privacy Protection (IMY) has fined H&M SEK 350,000 for violating GDPR. The company failed to properly handle requests from individuals wishing to opt out of direct marketing, making it unnecessarily difficult for them to exercise their rights.

View original document View source feed page

What changed

The Swedish Agency for Privacy Protection (IMY) has issued an administrative fine of SEK 350,000 against H&M for violations of the General Data Protection Regulation (GDPR). IMY found that H&M failed to cease processing personal data for direct marketing without undue delay when individuals objected, and lacked sufficient systems and routines to facilitate the exercise of the right to object. This decision stems from complaints originating from Poland, Italy, and Great Britain, but was handled by IMY due to H&M's headquarters being in Sweden.

This enforcement action highlights the critical need for companies to have robust and accessible processes for managing marketing opt-out requests. H&M is required to ensure its systems allow individuals to easily exercise their right to object to direct marketing. Failure to comply with GDPR provisions regarding data subject rights can result in significant financial penalties, as demonstrated by this fine. Companies should review their internal procedures for handling such requests to avoid similar violations.

What to do next

  1. Review and update systems and routines for handling marketing opt-out requests to ensure they are efficient and compliant with GDPR.
  2. Ensure immediate cessation of direct marketing processing upon receiving an objection from an individual.
  3. Train relevant personnel on GDPR requirements for data subject rights, particularly the right to object.

Penalties

SEK 350,000

Source document (simplified)

Svensk version Listen

H&M has made it unnecessarily difficult to avoid marketing

Published: 19 October 2023 The Swedish Agency for Privacy Protection (IMY) has reviewed complaints concerning H&M and finds that the company has failed in its handling of requests from individuals who do not want to receive marketing from the company. IMY has initiated a supervision of H&M due to six complaints from individuals who objected to receiving direct marketing from the company. The complaints come from people in Poland, Italy and Great Britain but have been handed over to IMY because H&M has its headquarters in Sweden.

– It should be easy to avoid receiving advertising and offers that you are not interested in, says Albin Brunskog who is head of unit at IMY.

In its decision, IMY states that H&M has violated the GDPR by not ceasing to handle the complainants' personal data for direct marketing without undue delay, despite the complainants objecting to this.

The decision states that the company did not have sufficient systems and routines in place to make it easier for those who complained to exercise their right to object to direct marketing.

IMY issues an administrative fine of SEK 350,000 against the company for violations of the GDPR.

Latest update: 19 October 2023 Print Page labels Data protection, Tillsyn

More news on this topic

23 February 2026
- ### Administrative fine against Sportadmin

28 January 2026
- ### Administrative fines against two companies in the SL Group

3 July 2025
- ### Administrative fine against the Equality Ombudsman when personal data was collected via a web form

12 May 2025
See more news

More news on this topic

23 February 2026
- ### Administrative fine against Sportadmin

28 January 2026
- ### Administrative fines against two companies in the SL Group

3 July 2025
- ### Administrative fine against the Equality Ombudsman when personal data was collected via a web form

12 May 2025
See more news Latest update: 19 October 2023 Print Page labels Data protection, Tillsyn

Related changes

Favicon for www.gasupreme.us Candace Lanette Sneed Reinstated to Practice Law
Routine Mar 14, 2026 Georgia Supreme Court 2026 Opinions State Courts
Favicon for iapp.org NJ Scrap Tire Act Privacy Concerns
Priority review Mar 14, 2026 IAPP Privacy News Privacy Guidance
Favicon for taxfoundation.org Trump Tariffs Impact on US Households and Trade
Priority review Mar 14, 2026 Tax Foundation Research & Analysis Trade Policy
Favicon for www.priv.gc.ca Privacy Commissioner concludes Loblaw loyalty program investigation
Priority review Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.priv.gc.ca Global Data Protection Authorities Statement on AI Imagery Privacy
Priority review Mar 13, 2026 Canada OPC News & Actions Government
Favicon for www.priv.gc.ca Privacy Commissioner Recommends Bill C-4 Amendments for Political Party Privacy
Priority review Mar 13, 2026 Canada OPC News & Actions Government

Source

Favicon for www.imy.se
IMY News (Sweden DPA) imy.se/en/news
Privacy Enforcement
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
Various
Filed
October 19th, 2023
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Employers Retailers Technology companies
Geographic scope
Sweden (HQ of H&M)

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
GDPR Direct Marketing

Browse Categories

Federal Courts 26 State Courts 91 Securities Regulation 6 Financial Regulation 43 Consumer Protection 5 Drug Safety 45 Data Protection 21 Competition 2 Attorneys General 3 Insurance Regulation 5 Trade & Export 36 Legislation 42 Energy Regulation 13 Environment 3 Labor & Employment 2 Tax 1

Get Privacy Enforcement alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when IMY News (Sweden DPA) publishes new changes.

Free. Unsubscribe anytime.