Workplace Investigations

As a first step, the employer should ask for the employee’s permission to access their possessions and files. Employment contracts and internal labour regulations may include provisions regarding an employer’s access to employees’ documents created and kept for business purposes or related to business activity.

When conducting an internal investigation (which must have a legitimate purpose), the employer must act in accordance with the principles of proportionality and subsidiarity. In line with these principles, the means of collecting and processing personal data during an internal investigation as well as the data that is searched, collected or processed, should be adequate, relevant and not excessive given the purposes for which the data is being collected or subsequently processed. These principles can be complied with by, for example, using specific search terms when searching electronic data, limiting the investigation’s scope (subject matter, period, geographic locations) and, in principle, excluding an employee's private data.

The employer is, in principle, allowed to access documents, emails and internet connection history saved on computers that were provided to the employees to perform their duties, provided the requirements of proportionality and subsidiarity are taken into account. In other words, reading the employee's emails or searching electronic devices provided by the employer must serve a legitimate purpose (e.g. tracing suspected irregularities or abuse) and the manner of review or collecting and processing the data contained in such emails should be in accordance with the principles of proportionality and subsidiarity.

The employer can ask the employee to hand over an employee's USB stick for an investigation. Depending on company policies and (individual or collective) employment agreements, an employee is, in principle, not obliged to comply with such a request. A refusal from an employee, when there is a strong indication that this USB stick contains information that is relevant to an investigation into possible irregularities, may be to the disadvantage of an employee, for example in a dismissal case.

The following factors, which derive from the Bărbulescu judgment of the European Court of Human Rights, are relevant to the question of whether an employee's e-mail or internet use can be monitored:

• whether the employee has been informed in advance of (the nature of) the possible monitoring of correspondence and other communications by the employer;
• the extent of the monitoring and the seriousness of the intrusion into the employee's privacy;
• whether the employer has put forward legitimate grounds for justifying the monitoring;
• whether a monitoring system using less intrusive methods and measures would have been possible;
• the consequences of the monitoring for the employee; and
• whether the employee has been afforded adequate safeguards, in particular in the case of intrusive forms of monitoring.

These requirements can sometimes create a barrier for employers, as seen in a ruling by the District Court Midden-Nederland (16 December 2021, ECLI:NL:RBMNE:2021:6071) in which the employer had used information obtained from the employee's e-mail as the basis for a request for termination of the employment contract. In the proceedings, the employee argued that his employer did not have the authority to search his e-mail.

According to the District Court, it was unclear whether the employer had complied with the requirements of Bărbulescu regarding searching the employee's e-mail. The regulations submitted by the employer only described the processing of data flows within the organisation in general. Therefore, the District Court found that the employer did not have a (sufficient) e-mail and internet protocol and the employee was not properly informed that his employer could monitor him. In addition, according to the District Court, it was unclear what exactly prompted the employer to search the employee's e-mail, as the employer did not provide any insight into the nature and content of the investigation. As a result, the District Court was unable to determine whether the employer had legitimate grounds to search the employee's e-mail. On this basis, the District Court disregarded the (possibly) illegally obtained evidence and ruled against the employer's termination request.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

Under the General Data Protection Regulation, employees’ personal details and information must be kept in the business records for as long as is necessary for the purposes of the employment relationship. Otherwise, stored data must be deleted. However, under L.4990/2022[14], reports remain in the relevant record for a reasonable and necessary time, and in any case until the completion of investigations or proceedings before the courts that have been initiated as a consequence of a complaint against the employee under investigation, the complainant or any third parties.

The outcomes are usually kept in the records until termination of the employment agreement and only deleted when personal records are deleted.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]