Workplace Investigations

Mainly, the Occupational Safety and Health Act (738/2002). In addition, the following also have relevance in connection to a workplace investigation: the Employment Contracts Act (55/2001), the Criminal Code (39/1889), the Act on Occupational Safety and Health Enforcement and Cooperation on Occupational Safety and Health at Workplaces (44/2006), the Act on Equality between Women and Men (609/1986) and the Non-discrimination Act (1325/2014). In addition, the employer's own policies must be taken into consideration while conducting a workplace investigation.

Dutch employment law does not provide for a timeframe within which an internal investigation must be launched. However, it is important for an employer who suspects abuse or irregularities, to start an internal investigation without delay. In essence, that means that as soon as management, or – depending on the specific circumstances – the person who is authorised to decide on disciplinary sanctions against a certain employee, becomes aware of a potential abuse or irregularity, all measures to initiate an internal investigation should be taken promptly. If this is not done, the employer may lose the opportunity to take certain disciplinary actions.

The legal framework relating to an investigation by an employer into the acts and omissions of an employee are determined by, among other things, section 7:611 of the Dutch Civil Code (DCC) that stipulates good employer practices; Section 7:660 DCC (right to give instructions to the employee); the European Convention on Human Rights; the Dutch Constitution; the General Data Processing Regulation; and, if the employer uses a private investigation agency, the Private Security Organisations and Detective Agencies Act and the Privacy Code of Conduct for Private Investigation Agencies.

The legal basis from which the employer derives the authority to investigate can be based on the employer's right to give instructions (section 7:660 DCC). Pursuant to this section, the employer has – to a certain extent – the right to give instructions to the employee “which are intended to promote good order in the undertaking of the employer”. In many cases, an investigation of a work-related incident will aim to promote good order within the company. As such, the investigation is trying to:

• find the truth;
• sanction the perpetrator; and
• prevent repetition.

Instructing an employee to cooperate with an internal investigation falls within the scope of the right to instruct.

Subsequently, the employer must behave as a good employer during the investigation, pursuant to section 7:611 DCC. This is coloured by the classic principles of careful investigation: the principle of justification, the principle of trust, the principle of proportionality, the principle of subsidiarity and the principle of equality. Furthermore, the principle of hearing both sides of the argument applies and there must be a concrete suspicion of wrongdoing.

Generally, the basic principles set out by the GDPR and the Finnish Data Protection Act apply to data processing in connection with investigations, including evidence gathering: there must be a legal basis for processing, personal data may only be processed and stored when and for as long as necessary considering the purposes of processing, etc.

Additionally, if physical evidence concerns the electronic communications (such as emails and online chats) of an employee, gathering evidence is subject to certain restrictions based on Finnish ePrivacy and employee privacy laws. As a general rule, an employee’s electronic communications accounts, including those provided by the employer for work purposes, may not be accessed and electronic communications may not be searched or reviewed by the employer. In practice, the employer may access such electronic correspondence only in limited situations stipulated in the Act on Protection of Privacy in Working Life (759/2004), or by obtaining case-specific consent from the employee, which is typically not possible in internal investigations, particularly concerning the employee suspected of wrongdoing.

However, monitoring data flow strictly between the employee and the employer's information systems (eg, the employee saving data to USB sticks, using printers) is allowed under Finnish legislation, provided that employee emails, chats, etc, are not accessed and monitored. If documentation is unrelated to electronic communications, it also may be reviewed by the employer. Laptops, paper archives and other similar company documentation considered "physical evidence" may be investigated while gathering evidence on the condition that any private documentation, communications, pictures or other content of an employee are not accessed.

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.