$41 million in GDPR fines for H&M
If you think the GDPR is all bark and no bite, then you should take H&M's German subsidiary as a cautionary tale (see link). On October 5, 2020, the Data Protection Authority of Hamburg fined that subsidiary 35.3 million euros (or $41 million) for keeping excessive amounts of personal data on its employees.
The Hamburg Authority found that H&M had been collecting, for at least 6 years, information concerning its employees' holiday experiences, family issues, religious beliefs, and symptoms of illness and diagnoses. The information was stored on its computer system and shared with a considerable number of managers.