Workplace Investigations

In light of the legal and case-law principles as outlined above:

• see question 7 regarding employee “physical inspections and inspections on the employee’s belongings”;
• regarding “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities also arises”, article 4 of the Workers’ Statute provides for:
  • the prohibition of the use of audiovisual equipment and instruments of “direct” remote control (ie, whose sole purpose is to verify the manner, quality and quantity of working performance (eg, a camera installed in an office to film employees’ working activities, without any other purpose));
  • the possibility of carrying out controls through audiovisual equipment and “indirect” remote instruments (ie, instruments that serve different needs (organisational, production, work safety or company assets’ protection), but which indirectly monitor working activities (eg, a camera installed in a warehouse to prevent theft, but which indirectly monitors the activity of warehouse workers), which may only be installed with a trade union agreement (or National Labour Inspectorate authorisation);
  • the possibility of carrying out checks using working tools in the employee’s possession (e.g., PCs, tablets, mobile phones, e-mail), which may be carried out even in the absence of any trade union agreement, provided that the employee is given adequate information on how to use the tools and how checks may be carried out on their use (according to privacy law strictly related to the employment relationship).

Furthermore, based on case law, the employer can carry out so-called defensive controls (ie, actions carried out in the absence of the guarantees provided for in article 4, to protect the company and its assets from any unlawful conduct by employees). These “defensive controls” can be carried out if:

• they are intended to determine unlawful behaviour by the employee (ie, not simply to verify his or her working performance);
• there is a “well-founded suspicion” that an offence has been committed;
• they take place after the conduct complained of has been committed; and
• adequate precautions are nevertheless put in place to guarantee a proper balancing between the need to protect company assets and safeguarding the dignity and privacy of the employee.

As discussed in question 7, it may be difficult for a company to search an employee’s personal possessions. The company may search and gather electronic data stored in work laptops or company servers, subject to legal requirements and restrictions (eg, obtaining consent). 

The PIPA provides specific guidance on the requirements for obtaining consent. Under the PIPA, to collect or use an individual’s personal information, the information holder must be informed of and consent to:

• the purpose of the collection or use;
• the personal information that will be collected;
• the period of retention and use; and
• his or her right to refuse to provide consent and any disadvantages that may result from such refusal.

There are separate requirements for obtaining consent to provide an individual’s personal information to a third party. Also, consent must be obtained separately for the collection, use or provision of sensitive or unique identification information.

Under limited circumstances, personal information may be collected, used, or provided to third parties without obtaining the consent of the information holder. For instance, a company may collect and use personal information without obtaining consent where obtaining the information is necessary to achieve the company’s “legitimate interests”, which clearly exceed the information holder’s right to his or her personal information, and the collection and use are carried out within reasonable bounds. The term “legitimate interests” in this context is generally understood as a concept similar to “justifiable act” under the Criminal Code. The Korean Supreme Court has held that under exceptional circumstances such as the following, the company’s collection and review of employee data may constitute a “justifiable act” under the Criminal Code:

1. the company had specific and reasonable suspicion that the employee had committed a crime and the company had an urgent need to verify the facts;
2. the scope of the company’s review was limited to the suspected crime through the use of keywords, etc;
3. the employee had signed an agreement stating that he or she would not use work computers in an unauthorised manner and that all work products would belong to the company; and
4. the company’s review uncovered materials that could be used to verify whether the employee committed the alleged crime.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]