Workplace Investigations

Dutch employment law does not provide for a timeframe within which an internal investigation must be launched. However, it is important for an employer who suspects abuse or irregularities, to start an internal investigation without delay. In essence, that means that as soon as management, or – depending on the specific circumstances – the person who is authorised to decide on disciplinary sanctions against a certain employee, becomes aware of a potential abuse or irregularity, all measures to initiate an internal investigation should be taken promptly. If this is not done, the employer may lose the opportunity to take certain disciplinary actions.

The legal framework relating to an investigation by an employer into the acts and omissions of an employee are determined by, among other things, section 7:611 of the Dutch Civil Code (DCC) that stipulates good employer practices; Section 7:660 DCC (right to give instructions to the employee); the European Convention on Human Rights; the Dutch Constitution; the General Data Processing Regulation; and, if the employer uses a private investigation agency, the Private Security Organisations and Detective Agencies Act and the Privacy Code of Conduct for Private Investigation Agencies.

The legal basis from which the employer derives the authority to investigate can be based on the employer's right to give instructions (section 7:660 DCC). Pursuant to this section, the employer has – to a certain extent – the right to give instructions to the employee “which are intended to promote good order in the undertaking of the employer”. In many cases, an investigation of a work-related incident will aim to promote good order within the company. As such, the investigation is trying to:

• find the truth;
• sanction the perpetrator; and
• prevent repetition.

Instructing an employee to cooperate with an internal investigation falls within the scope of the right to instruct.

Subsequently, the employer must behave as a good employer during the investigation, pursuant to section 7:611 DCC. This is coloured by the classic principles of careful investigation: the principle of justification, the principle of trust, the principle of proportionality, the principle of subsidiarity and the principle of equality. Furthermore, the principle of hearing both sides of the argument applies and there must be a concrete suspicion of wrongdoing.

There is no specific legal regulation for internal investigations in Switzerland. The legal framework is derived from general rules such as the employer's duty of care, the employee's duty of loyalty and the employee's data protection rights. Depending on the context of the investigation, additional legal provisions may apply; for instance, additional provisions of the Swiss Federal Act on Data Protection or the Swiss Criminal Code.

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

When conducting an internal investigation (which must have a legitimate purpose), the employer must act in accordance with the principles of proportionality and subsidiarity. In line with these principles, the means of collecting and processing personal data during an internal investigation as well as the data that is searched, collected or processed, should be adequate, relevant and not excessive given the purposes for which the data is being collected or subsequently processed. These principles can be complied with by, for example, using specific search terms when searching electronic data, limiting the investigation’s scope (subject matter, period, geographic locations) and, in principle, excluding an employee's private data.

The employer is, in principle, allowed to access documents, emails and internet connection history saved on computers that were provided to the employees to perform their duties, provided the requirements of proportionality and subsidiarity are taken into account. In other words, reading the employee's emails or searching electronic devices provided by the employer must serve a legitimate purpose (e.g. tracing suspected irregularities or abuse) and the manner of review or collecting and processing the data contained in such emails should be in accordance with the principles of proportionality and subsidiarity.

The employer can ask the employee to hand over an employee's USB stick for an investigation. Depending on company policies and (individual or collective) employment agreements, an employee is, in principle, not obliged to comply with such a request. A refusal from an employee, when there is a strong indication that this USB stick contains information that is relevant to an investigation into possible irregularities, may be to the disadvantage of an employee, for example in a dismissal case.

The following factors, which derive from the Bărbulescu judgment of the European Court of Human Rights, are relevant to the question of whether an employee's e-mail or internet use can be monitored:

• whether the employee has been informed in advance of (the nature of) the possible monitoring of correspondence and other communications by the employer;
• the extent of the monitoring and the seriousness of the intrusion into the employee's privacy;
• whether the employer has put forward legitimate grounds for justifying the monitoring;
• whether a monitoring system using less intrusive methods and measures would have been possible;
• the consequences of the monitoring for the employee; and
• whether the employee has been afforded adequate safeguards, in particular in the case of intrusive forms of monitoring.

These requirements can sometimes create a barrier for employers, as seen in a ruling by the District Court Midden-Nederland (16 December 2021, ECLI:NL:RBMNE:2021:6071) in which the employer had used information obtained from the employee's e-mail as the basis for a request for termination of the employment contract. In the proceedings, the employee argued that his employer did not have the authority to search his e-mail.

According to the District Court, it was unclear whether the employer had complied with the requirements of Bărbulescu regarding searching the employee's e-mail. The regulations submitted by the employer only described the processing of data flows within the organisation in general. Therefore, the District Court found that the employer did not have a (sufficient) e-mail and internet protocol and the employee was not properly informed that his employer could monitor him. In addition, according to the District Court, it was unclear what exactly prompted the employer to search the employee's e-mail, as the employer did not provide any insight into the nature and content of the investigation. As a result, the District Court was unable to determine whether the employer had legitimate grounds to search the employee's e-mail. On this basis, the District Court disregarded the (possibly) illegally obtained evidence and ruled against the employer's termination request.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]