H&M has been fined €35.3m (£32.1m) for the illegal surveillance of several hundred employees.
The company kept “excessive” records on the families, religions and illnesses of its workforce at its Nuremberg service centre, the German data protection watchdog found.
The retailer has accepted full responsibility and plans to compensate employees.
It is the second-largest fine a single company has faced under EU GDPR rules.
Last year, the French data regulator, CNIL, fined Google €50m for breaching the General Data Protection Regulation.