Workplace Investigations

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be registered when it is necessary to protect the companies’ property (or the property of other co-workers). This registration must:

• be conducted in the workplace and during working hours;
• respect the employee’s privacy and dignity; and
• be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

There is generally no obligation to report violations to the Korean authorities, subject to limited exceptions (eg, financial institutions are required to report certain types of wrongdoing to the financial regulator; if there was a leak of an industrial technology developed through a national research and development project or a national core technology, this leak should be reported to the Ministry of Trade, Industry and Energy and the National Intelligence Service). However, even in the absence of a self-reporting obligation, the company may consider strategically deciding to make a voluntary report. For example, there have been instances where the police or prosecutors’ investigations were conducted in a more limited manner where the company filed a voluntary report and cooperated with the investigation. Also, for certain types of violations (eg, cartel activities), self-reporting to the relevant authority may entitle the company to leniency provided under the law.

In certain instances, the company may also consider reporting violations to the relevant foreign authorities, in addition to, or instead of, the Korean authorities. For example, if the company found potential violations of US law such as sanctions law or the Foreign Corrupt Practice Act, the company may want to self-report these violations to the relevant authorities such as the Office of Foreign Assets Control, or the US Department of Justice.

Companies may only disclose the outcome of an investigation to employees or officers of the company who are empowered to adopt the measures that are necessary because of the investigation’s results (see question 4).

This disclosure obligation does not extend to authorities: while there is a general obligation to report criminal or administrative offences to the competent authorities, this obligation must be read in line with the companies’ right not to self-report themselves. What a company must not do is cover up, aid or otherwise become an accessory to the offence.

The employer is generally not required to disclose the final report, or the data obtained in connection with the investigation. In particular, the employer is not obliged to file a criminal complaint with the police or the public prosecutor's office.

Exceptions may arise, for example, from data protection law (see question 22) or a duty to release records may arise in a subsequent state proceeding.

Data voluntarily submitted in a proceeding in connection with the internal investigation shall be considered private opinion or party assertion.[1] If the company refuses to hand over the documents upon request, coercive measures may be used under certain circumstances.[2]