Workplace Investigations

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be registered when it is necessary to protect the companies’ property (or the property of other co-workers). This registration must:

• be conducted in the workplace and during working hours;
• respect the employee’s privacy and dignity; and
• be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

As explained above, investigation materials are not protected by privilege per se. To protect the confidentially of these materials, it is advisable to enter into NDAs with the employees involved in the investigation.

As outlined above, all employees generally have the right to know whether and what personal data is being or has been processed about them (article 8 paragraph 1, Swiss Federal Act on Data Protection; article 328b, Swiss Code of Obligations).

The employer may refuse, restrict or postpone the disclosure or inspection of internal investigation documents if a legal statute so provides, if such action is necessary because of overriding third-party interests (article 9 paragraph 1, Swiss Federal Act on Data Protection) or if the request for information is manifestly unfounded or malicious. Furthermore, a restriction is possible if overriding the self-interests of the responsible company requires such a measure and it also does not disclose the personal data to third parties. The employer or responsible party must justify its decision (article 9 paragraph 5, Swiss Federal Act on Data Protection).[1]

The scope of the disclosure of information must, therefore, be determined by carefully weighing the interests of all parties involved in the internal investigation.

The outcome of the investigation will contain personal data of the affected employee. For this reason, this information should only be kept for as long as a legal obligation or liability in connection with the information could arise for the company. Since the general statute of limitations for employment liability is one year, this is a good guideline.

In addition to the above, two specific rules apply:

• once the information becomes irrelevant for the purpose for which it was obtained and processed, the information should no longer be stored on the employee’s record or elsewhere; and
• the employees’ information (including those of the reporter and the affected employees) should only be stored in whistleblower systems during the time that is necessary to decide on whether the facts need to be investigated or not and, in any case, for a maximum period of three months.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]