Workplace Investigations

When collecting data (in physical or digital form), the employer must ensure compliance with the data protection principles according to the General Data Protection Regulation (DSGVO) and the German Data Protection Act (BDSG). These principles include, among other things, that data collection must be carried out lawfully (principle of legality) and transparently (transparency principle) and must be comprehensively documented – specifically concerning the purpose of the workplace investigation – to be able to prove compliance with data protection.

The principle of legality states that data may only be collected on a legal basis (ie, there must either be a law authorising this or the employee must have consented to the collection of his data).

The transparency principle may constitute a special challenge during workplace investigations. Under the transparency principle, the employee must be generally informed about the collection of his data. This includes information on who processes the data, the purposes for which it is processed and whether the data is made available to third parties. However, there may be a risk of collusion, particularly when electronic data has to be reviewed, and thus the success of the investigation may be jeopardised if the relevant employee is comprehensively informed in advance. Accordingly, the employer should check, with the assistance of the data protection officer, whether the obligation to provide information may be dispensed with. This may be the case if providing the information would impair the assertion, exercise or defence of legal claims and the interests of the employer in not providing the information outweigh the interests of the employee. The respective circumstances and employer's considerations should be well documented in each case.

Regardless of whether the employee is informed about the investigation, to prevent data loss, the employee should be sent a so-called hold notice (ie, a prohibition to delete data). Additionally, to prevent automatic deletion, blocking mechanisms should also be implemented.

When gathering evidence by searching the employee's possessions or files, the employee's privacy rights also need to be observed (see question 8).

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

There is no general obligation on the part of the employer to disclose to the employee concerned the identity of the complainant, witnesses or other sources of information during the workplace investigation.

However, as described in question 11, the employee must be sufficiently informed of the allegations before a termination based on suspicion of wrongdoing is issued. This may also require disclosing the complainant's or witnesses' identity or other sources of information. In addition, the employer would have the burden of proof in the context of a legal dispute (eg, termination protection proceedings or proceedings about the legality of certain investigation measures) and may have to name witnesses and disclose sources of information.

As discussed in question 1, if the whistleblower falls under the WPA, the whistleblower’s identity should be kept confidential. Even if the WPA does not apply, the company may wish to keep the identity of the whistleblower and other key witnesses confidential to the greatest extent possible.

As mentioned under Question 10, the employer’s duty of care (article 328, Swiss Code of Obligations) also entails the employer’s duty to respect and protect the personality (including confidentiality and privacy) and integrity of employees (article 328 paragraph 1, Swiss Code of Obligations) and to take appropriate measures to protect them.

However, in combination with the right to be heard and the right to be informed regarding an investigation, the accused also has the right that incriminating evidence is presented to them throughout the investigation and that they can comment on it. For instance, this right includes disclosure of the persons accusing them and their concrete statements. Anonymisation or redaction of such statements is permissible if the interests of the persons incriminating the accused or the interests of the employer override the accused’ interests to be presented with the relevant documents or statements (see question 11; see also article 9 paragraphs 1 and 4, Swiss Federal Act on Data Protection). However, a careful assessment of interests is required, and these must be limited to what is necessary. In principle, a person accusing another person must take responsibility for their information and accept criticism from the person implicated by the information provided.[1]