Workplace Investigations

The workplace investigation can be exercised by an internal (ad hoc) investigation department of the company itself, for example under the direction of the internal audit department or compliance department. This is possible if there is sufficient manpower with the necessary independence, knowledge and experience. Case law, however, shows that courts tend to be more critical of internal investigations than external investigations. For more complex and sensitive investigations, a forensic accountant or lawyer is often involved. The advantage of involving a lawyer is that the investigation and its outcome are covered by privilege. This guarantees the confidentiality of the investigation, also regarding supervisors and investigating authorities. Yet, at the same time, there is increasing debate about the role of lawyers as investigators, given their inherent bias to work in the interests of their client (the employer).

The investigation starts with a plan of approach that must be signed by the contractor. This plan of approach outlines the legal framework of the investigation, such as the scope, the means to be used, how it will deal with data, the use of experts, how the interviews will be conducted, the way of reporting and confidentiality. Furthermore, there must be a protocol for how the investigator conducts the investigation and that applies to all parties involved.

Gathering information can be done in various ways. For example:

• An inventory can be made of the household effects of a company. In the event of theft, an inventory can be an appropriate means of establishing exactly what has been stolen.
• An investigation of the books: this is an investigation of all documents of the company. These are not private documents of employees, but documents of the company itself. For an investigator, an interview can be a good way to gather more information, for example by interviewing witnesses. In practice, there are almost always several interviews with the suspects, the employer and other people involved.
• Open source research, which often involves researching a person's social media, or public documents relevant to the research. In principle, “open sources” refers to all public documents in the world; nowadays, many public documents are digitised.
• A workplace search, which includes everything present in the workplace: diaries, computer files, e-mails, letters, and even the contents of a wastebasket.
• A digital data investigation: this is a frequently used tool in fraud investigations. Most communication and documents are digital nowadays. It is, therefore, very likely that evidence can be found in digital data. Each of these means of investigation must respect the principles of an internal investigation and comply with the GDPR principles .

Internal investigations are usually initiated after reports about possible violations of the employer's code of conduct, applicable laws or regulations have been submitted by employees to their superiors, the human resources department or designated internal reporting systems such as hotlines (including whistleblowing hotlines).

For an internal investigation to be initiated, there must be a reasonable suspicion (grounds).[1] If no such grounds exist, the employer must ask the informant for further or more specific information. If no grounds for reasonable suspicion exists, the case must be closed. If grounds for reasonable suspicion exist, the appropriate investigative steps can be initiated by a formal investigation request from the company management.[2]

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.