Workplace Investigations

The employer is allowed to search an employee’s possessions or files, provided that they are work instruments or of a professional nature.

When performing these searches, employers should consider the specific provisions of the Data Protection Regulations as well as Resolution No. 1638/2013 of the Portuguese Data Protection Authority (CNPD), which contains rules on monitoring phone calls, e-mail and internet usage by employees. The CNPD understands that for the employer to access the employees’ professional data (e-mails, documents and other information stored on electronic devices), the latter should be present during the monitoring, to identify any information of a personal nature that should not be accessed by the employer (the employer must comply with these directions and should not access that email). In addition, review of the data should respect specific protocols to avoid potential access to personal data (eg, review of subject, recipients, data flow and type of files attached).

Body searches or the seizure of personal belongings or documents belonging to the employee are not permitted within the scope of a disciplinary procedure.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

As there is no unified data protection regime, privacy protections stem from a patchwork of federal and state privacy laws which impose limits on the extent to which an employer can collect information from its employees in connection with an internal investigation. Whether specific conduct violates an employee’s rights is a very fact-specific inquiry requiring the application of relevant state laws and a regulatory regime. 

In most circumstances, an employer is free to conduct searches of its workplace and computer systems in the course of investigating potential wrongdoing. Such searches are generally not protected by personal privacy laws because workspaces, computer systems and company-issued electronic devices are often considered company property. Many companies explicitly address this in written corporate policies and employment agreements. Employees who use their own electronic devices for work should be aware that work-related data stored on those devices is generally considered to belong to the employer (as a matter of best practice, employers should generally prohibit or at least advise employees against using personal devices for work and to maintain separate work devices, where possible).

These broad investigatory powers notwithstanding, the ability of an employer to conduct searches in furtherance of an internal investigation is not unlimited. For example, if an employer seeks to obtain or review work-related data from an employee’s personal device, the employer must be careful to exclude any personal data. Certain states also prohibit an employer from requiring an employee to disclose passwords or other credentials to his or her personal email and social networking accounts, but permit an employer to require employees to share the content of personal online accounts as necessary during an interview while investigating employee misconduct.