Workplace Investigations

To the extent the gathering of physical evidence includes the processing of personal data, please see question 1.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections to protect employees from an unwarranted or unreasonable invasion of privacy during an internal investigation.

An employer can search an employee’s personal possessions (eg, handbag, pockets and locker) if the employer has a legitimate interest in a search. This could, for example, include a reasonable suspicion of theft of employer property. Furthermore, an employer may search, but not continually monitor, an employee’s computer and email provided that it is in accordance with GDPR requirements. For the processing to be lawful under the GDPR, the employer has to establish a purpose and a legal basis for the processing of personal data. Furthermore, data subjects must have received information on the legal basis for and purpose of the processing of personal data beforehand. If the data subjects have not received such information, the employer’s right to process their data is limited. However, if the employer has reasonable grounds to believe that trade secrets or similar has been copied and stolen, no such requirements would typically apply.

Investigations into an employee's possessions may, under certain circumstances, also be carried out by the Swedish authorities.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

As there is no unified data protection regime, privacy protections stem from a patchwork of federal and state privacy laws which impose limits on the extent to which an employer can collect information from its employees in connection with an internal investigation. Whether specific conduct violates an employee’s rights is a very fact-specific inquiry requiring the application of relevant state laws and a regulatory regime. 

In most circumstances, an employer is free to conduct searches of its workplace and computer systems in the course of investigating potential wrongdoing. Such searches are generally not protected by personal privacy laws because workspaces, computer systems and company-issued electronic devices are often considered company property. Many companies explicitly address this in written corporate policies and employment agreements. Employees who use their own electronic devices for work should be aware that work-related data stored on those devices is generally considered to belong to the employer (as a matter of best practice, employers should generally prohibit or at least advise employees against using personal devices for work and to maintain separate work devices, where possible).

These broad investigatory powers notwithstanding, the ability of an employer to conduct searches in furtherance of an internal investigation is not unlimited. For example, if an employer seeks to obtain or review work-related data from an employee’s personal device, the employer must be careful to exclude any personal data. Certain states also prohibit an employer from requiring an employee to disclose passwords or other credentials to his or her personal email and social networking accounts, but permit an employer to require employees to share the content of personal online accounts as necessary during an interview while investigating employee misconduct.