H&M was fined £32m and has apologised “unreservedly” to staff in Germany for the illegal surveillance of several hundred employees.
The world’s second largest fashion seller kept “excessive” records of its workforce at one of its service centres including details of holidays, medical symptoms and diagnosis for illnesses.
The findings come after a year-long investigation by the German data protection watchdog, and the penalty is the second-largest fine a company has faced under GDPR rules. Last year, Google was fined €50m (£45m) for breaking the same rules.
Some managers even sought further personal details, including family issues or religious beliefs, which were then logged and used to review work performance and make employment decisions.
The head of the German watchdog said the breaches showed gross disregard of data protection rules and the fine was “justified and should help to scare off companies from violating people’s privacy”.
H&M said all staff who are currently employed at the service centre, and those who had been working in Nuremberg for at least one month when GDPR came into force, will receive financial compensation.
The retailer also said it has taken “forceful measures” to correct any related shortcomings.
GDPR rules, which were first introduced two years ago, have changed the way personal data can be collected and used. Even companies based outside the European Union must follow the law if offering their services in the EU.
When Britain leaves the EU, GDPR will be retained in UK law alongside the Data Protection Act. Ministers said this week that the UK remains committed to high data protection standards.
The news follows H&M's decision to shut 250 stores worldwide after many customers shifted to online shopping during the pandemic.