Workplace Investigations

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

• gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
• gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
• gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

If personal data is involved – the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

The employer would normally keep the outcomes of the investigation for the entire duration of the employment relationship with the involved employee.

After the termination of the employment relationship, it appears reasonable to conclude that the employer would be entitled to retain this information for the time necessary to exercise its defence rights in litigation (taking into account that 10 years is the statute of limitations for contractual liability). Further requirements or restrictions under general privacy laws (and particularly the GDPR) should also be checked.

According to Art. 14 WB Decree, internal and external whistleblowing reports (including related documents) must be kept for as long as necessary for report processing, but no more than five years from the date of transmission of the procedure's final outcome.

Neither Polish law nor the Draft Law specifically provide for a mandatory period during which the outcome of the investigation should be kept on the employee’s record.

At the same time, the Draft Law indicates that the register of whistleblowing reports, which should also contain information about follow-up actions undertaken as a result of the report, should be kept for 15 months starting from the end of the calendar year in which the follow-up actions have been completed, or the proceedings initiated by those actions have been terminated.

Also, while determining how long the outcome of an internal investigation should be kept, additional legal considerations can be taken into account, especially data privacy.

The GDPR does not specify precise storage time for personal data. The employer must assess what will be an appropriate time for storage of the data, taking into consideration the necessity of keeping personal data concerning the purpose of the processing in question. Employees' personal data should be kept for the period necessary for the performance of the employment relationship and may be kept for a period appropriate for the statute of limitations for claims and criminal deeds. A longer retention period may result from applicable laws. Following the Regulation of the Minister of Family, Labour and Social Policy on employee documentation, the employer may keep a copy of the notice of punishment and other documents related to the employee’s incurring of disciplinary responsibility in the employee record.

There are different retention periods for the data contained in employee files:

• 10 years if the employee was hired on or after 1 January 2019;
•  if the employment relationship began between 1 January 1999 and 1 January 2019, the retention period is 50 years, but may be reduced to 10 years if the employer provides the Polish Social Insurance Institution with certain mandatory information; and
•  for 50 years if the employee was hired before 1 January 1999. It does not matter whether the person is still working or not.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]