Workplace Investigations

GDPR principles fully apply to data gathering, as well as case law protecting the right to respect one’s private life and the secret of correspondence.

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

• gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
• gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
• gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

In internal investigations, the fundamental rights and freedoms of employees are at stake,  including the right to privacy, respect for the privacy of home life and correspondence, freedom of expression, and the obligation of loyalty in searching for evidence.

In principle, work emails and files can be reviewed, even without the employee's consent, prior knowledge or warning. This includes: work email accounts; files stored on a work computer or a USB key connected to a work computer; and SMS messages and files stored on a work mobile phone and documents stored in the workplace unless they are labelled as “personal”. On the other hand, it is not permissible for an employer (or an investigator) to review “personal” emails and files, such as documents or emails identified as “personal” by the employee, or personal email accounts (Gmail, Yahoo, etc), even if accessed from a work computer.

There are certain exceptions to the above principle. An employer is allowed to check “personal” emails or data in any of the following cases:

• if the employee is present during the review;
• if the employee is absent, but was duly notified and invited to be present;
• if there is a particularly serious “specific risk or event”;
• if the review is authorised by a judge (this means having to prove a legitimate reason justifying not informing the employee).

When documents or emails are not marked as “personal” but contain information of a personal nature, the employer may open and review the data but may not use such documents or emails to justify applying disciplinary measures to the employee or use such documents or emails as evidence in court if they indeed relate to the employee’s private life.

Special attention must be given to employee representatives who must be entirely free to carry out their duties.

In light of the legal and case-law principles as outlined above:

• see question 7 regarding employee “physical inspections and inspections on the employee’s belongings”;
• regarding “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities also arises”, article 4 of the Workers’ Statute provides for:
  • the prohibition of the use of audiovisual equipment and instruments of “direct” remote control (ie, whose sole purpose is to verify the manner, quality and quantity of working performance (eg, a camera installed in an office to film employees’ working activities, without any other purpose));
  • the possibility of carrying out controls through audiovisual equipment and “indirect” remote instruments (ie, instruments that serve different needs (organisational, production, work safety or company assets’ protection), but which indirectly monitor working activities (eg, a camera installed in a warehouse to prevent theft, but which indirectly monitors the activity of warehouse workers), which may only be installed with a trade union agreement (or National Labour Inspectorate authorisation);
  • the possibility of carrying out checks using working tools in the employee’s possession (e.g., PCs, tablets, mobile phones, e-mail), which may be carried out even in the absence of any trade union agreement, provided that the employee is given adequate information on how to use the tools and how checks may be carried out on their use (according to privacy law strictly related to the employment relationship).

Furthermore, based on case law, the employer can carry out so-called defensive controls (ie, actions carried out in the absence of the guarantees provided for in article 4, to protect the company and its assets from any unlawful conduct by employees). These “defensive controls” can be carried out if:

• they are intended to determine unlawful behaviour by the employee (ie, not simply to verify his or her working performance);
• there is a “well-founded suspicion” that an offence has been committed;
• they take place after the conduct complained of has been committed; and
• adequate precautions are nevertheless put in place to guarantee a proper balancing between the need to protect company assets and safeguarding the dignity and privacy of the employee.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

It may sometimes be difficult to draw a clear distinction between the property of the employer and employees’ personal property, both physical and electronic, particularly where employees are increasingly working from home. Employers should ideally have a clear policy to delineate what is the employer’s property.

Employees typically have a reasonable expectation of privacy at work, although how far this extends will depend on the circumstances of each case and the employer’s policies.

When it comes to employees’ personal possessions, a search should only be conducted in exceptional circumstances where there is a clear, legitimate justification. The employer should always consider whether it is possible to establish the relevant facts through the collection of other evidence. Even if the employee’s contract specifies that it is permitted, employers would usually require explicit employee consent for the search to be lawful. The employee should be invited to be present during the search; if this is not feasible, another independent third party (such as a manager) should be present.  

If the employee refuses to consent to a search of their personal possessions, their refusal should not be used to assume guilt; the investigator should explore why the employee has refused and seek to resolve their concerns if possible.

If the employer believes that a criminal offence has been committed it should consider involving the police, since they have wider powers to search individuals and their possessions.