Workplace Investigations


Workplace investigations are growing in number, size and complexity. Employers are under greater scrutiny as the importance of ESG rises. Regulated industries such as finance, healthcare and legal face additional hurdles, but public scrutiny of businesses and how they treat their people across the board has never been higher. Conducting a fair and thorough workplace investigation is therefore critical to the optimal operation, governance and legal exposure of every business.

IEL’s Guide to Workplace Investigations examines key issues that organisations need to consider as they initiate, conduct and conclude investigations in 29 major jurisdictions around the world.  

07. What data protection or other regulations apply when gathering physical evidence?

France

  • at Bredin Prat

GDPR principles fully apply to data gathering, as does case law protecting the right to respect for one’s private life and the secrecy of correspondence.

Last updated on 15/09/2022

Italy

  • at BonelliErede

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

  • gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
  • gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
  • gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

Last updated on 15/09/2022

Netherlands

  • at De Brauw Blackstone Westbroek

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about, among other things, the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or of collusion by individuals coordinating responses before being interviewed). These exceptions to the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. However, consent given by employees cannot compensate for a lack of legitimate purpose or for unnecessary or disproportionate data processing, as the consent given by an employee to their employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

Last updated on 27/11/2023

Switzerland

  • at Bär & Karrer

The Swiss Federal Act on Data Protection applies to the gathering of evidence; in particular, such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completed by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

 

[1] Simona Wantz/Sara Licci, Arbeitsvertragliche Rechte und Pflichten bei internen Untersuchungen, in: Jusletter 18 February 2019, N 52.

[2] Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 148.

Last updated on 15/09/2022