Workplace Investigations

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Due to this obligation, it is arguable that the GDPR policy already provides the necessary information for the employees not to jeopardise the investigation. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the report should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a double-phase procedure that needs to be followed if private data is involved. Next to this, the employer should also take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

• whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
• the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
• whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
• whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

If the investigation is based on a whistleblower report that falls under the scope of the upcoming rules, the investigators are bound by a strict duty of confidentiality, especially regarding the identity of the report. The rules also provide some procedural deadlines for feeding back to the reporter. Within seven days of receiving the report through an internal reporting channel, the reporting manager needs to send a receipt to the whistleblower. From that moment, the reporting manager has three months to investigate the report and give feedback and an adequate follow-up to the report. Next, the rules offer strong protection against any retaliatory measures the reporter may experience. Regardless, these rules are mostly intended to offer the necessary protection for whistleblowers and to ensure that companies take necessary investigative steps following a report, but they do not include much information about the actual procedure of the investigation besides certain deadlines, nor do they deal with other employees involved (or under investigation).

The former Act on the House for Whistleblowers already provided for several preconditions that a whistleblowing procedure must meet. For example, internal reporting lines must be laid down, as well as how the internal report is handled, and an obligation of confidentiality and the opportunity to consult an advisor in confidence must be applied. Employers are obliged to share the whistleblowing policy with employees, including information about the employee's legal protection. The employee who reports a suspicion of wrongdoing in good faith may not be disadvantaged in their legal position because of the report (section17e/ea Act House of Whistleblowers).

The starting point is that an employee must first report internally, unless this cannot reasonably be expected. If the employee does not report internally first, the House for Whistleblowers does not initiate an investigation. The House for Whistleblowers was established on 1 July 2016 and has two main tasks: advising employees on the steps to take and conducting an investigation in response to a report.

The Act on the Protection of Whistleblowers, which entered into force in 2023, introduced several changes, of which the most relevant are:

• Abolition of mandatory internal reporting: the obligation to report internally first is abolished. Direct external reporting is allowed, such as to the House for Whistleblowers or another competent authority. When reporting externally, the reporter retains his protection. However, reporting internally first remains preferable and will be encouraged by the employer as much as possible.
• Expansion of prohibition on detriment: the prohibition on detriment already included prejudicing the legal position of the reporter, such as suspension, dismissal, demotion, withholding of promotion, reduction of salary or change of work location. It now also includes all forms of disadvantage, such as being blacklisted, refusing to give a reference, bullying, intimidation and exclusion. 
• Stricter time limit requirements for internal reporting: the reporter must receive an acknowledgement of receipt of the report within seven days and the reporter must receive information from the employer on the assessment of their report within a reasonable period, not exceeding three months.

• Extension of the circle of protected persons: not just employees, but third parties who are in a working relationship with the employer are now also protected, such as freelancers, interns, volunteers, suppliers, shareholders, job applicants and involved family members and colleagues.

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.