Workplace Investigations


Workplace investigations are growing in number, size and complexity. Employers are under greater scrutiny as the importance of ESG rises. Regulated industries such as finance, healthcare and legal face additional hurdles, but public scrutiny of businesses and how they treat their people across the board has never been higher. Conducting a fair and thorough workplace investigation is therefore critical to the optimal operation, governance and legal exposure of every business.

IEL’s Guide to Workplace Investigations examines key issues that organisations need to consider as they initiate, conduct and conclude investigations in 29 major jurisdictions around the world.  


07. What data protection or other regulations apply when gathering physical evidence?

Greece

  • at Karatzas & Partners

GDPR and the provisions of L. 4624/2019 regulate the gathering of physical evidence from a data protection perspective, providing, among other things, that personal data should be processed with transparency and to the extent necessary for the investigation.

L.4990/2022 on the protection of persons who report breaches of Union law regulates data protection issues in the context of whistleblowing investigations, mainly to safeguard confidentiality throughout the investigations.  

Last updated on 03/04/2023

Switzerland

  • at Bär & Karrer

The Swiss Federal Act on Data Protection applies to the gathering of evidence. In particular, such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completed by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

 

[1] Simona Wantz/Sara Licci, Arbeitsvertragliche Rechte und Pflichten bei internen Untersuchungen, in: Jusletter 18 February 2019, N 52.

[2] Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 148.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Last updated on 27/11/2023

10. What confidentiality obligations apply during an investigation?

Greece

  • at Karatzas & Partners

Confidentiality applies as a general principle in disciplinary investigations.

Moreover, L. 4990/2022, which transposed EU Directive 2019/1937 into Greek Law, regulates the issue of confidentiality during investigations that start based on an internal report. The managers conducting the investigation must respect and abide by the rules of confidentiality regarding the information they have become aware of when exercising their duties[1]. They must also protect the complainant’s and any third party’s (referred to in the report) confidentiality by preventing unauthorised persons from accessing the report[2].

Finally, L. 4808/2021 provides that employers must create a procedure that should be communicated to employees regarding all the necessary steps of an investigation following a complaint. Throughout the whole process, the employer, managers and the employer’s representatives responsible for the investigation must respect and abide by the rules of confidentiality in a manner that safeguards the dignity and personal data of the complainant and the person under investigation[3].

 

[1] Law 4990/2022, art. 9 par.8(b)

[2] Law 4990/2022, art. 10 par. 2(e)

[3] Law 4808/2021 art. 5 par.1(a) and 10 par.2(b)

Last updated on 03/04/2023

Switzerland

  • at Bär & Karrer

Besides the employee's duty of performance (article 319, Swiss Code of Obligations), the employment relationship is defined by the employer's duty of care (article 328, Swiss Code of Obligations) and the employee's duty of loyalty (article 321a, Swiss Code of Obligations). Ancillary duties can be derived from the two duties, which are of importance for the confidentiality of an internal investigation.[1]

In principle, the employer must respect and protect the personality (including confidentiality and privacy) and integrity of the employee (article 328 paragraph 1, Swiss Code of Obligations) and take appropriate measures to protect the employee. Because of the danger of pre-judgment or damage to reputation as well as other adverse consequences, the employer must conduct an internal investigation discreetly and objectively. The limits of the duty of care are found in the legitimate self-interest of the employer.[2]

In return for the employer's duty of care, employees must comply with their duty of loyalty and safeguard the employer's legitimate interests. In connection with an internal investigation, employees must therefore keep the conduct of an investigation confidential. Additionally, employees must keep confidential and not disclose to any third party any facts that they have acquired in the course of the employment relationship, and which are neither obvious nor publicly accessible.[3]

 

[1] Wolfgang Portmann/Roger Rudolph, BSK OR, Art. 328 N 1 et seq.

[2] Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 202.

[3] David Rosenthal et al., Praxishandbuch für interne Untersuchungen und eDiscovery, Release 1.01, Zürich/Bern 2021, p. 133.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

Workplace investigations should usually be conducted on a confidential basis, so that only those involved in the investigation are aware of its existence and subject matter. The need to maintain confidentiality about both the fact of the investigation, and any content discussed with an investigator, should be emphasised to all those involved. It may also be necessary to explain that a breach of confidentiality could be viewed as a disciplinary matter. Appropriate exceptions must, however, be made to allow employees to speak to any relevant employee or trade union representative, legal adviser and potentially the police or other regulators. Confidentiality provisions cannot override the rights of workers to make protected disclosures (see question 9).

In some situations, such as those involving a wide-ranging investigation into the organisation’s working practices and culture, it may be more appropriate to investigate on a more “open” basis, and inform employees and other stakeholders.

Last updated on 15/09/2022

26. How long should the outcome of the investigation remain on the employee’s record?

Greece

  • at Karatzas & Partners

Under the General Data Protection Regulation, employees’ personal details and information must be kept in the business records for as long as is necessary for the purposes of the employment relationship. Otherwise, stored data must be deleted. However, under L.4990/2022[14], reports remain in the relevant record for a reasonable and necessary time, and in any case until the completion of investigations or proceedings before the courts that have been initiated as a consequence of a complaint against the employee under investigation, the complainant or any third parties.

 

[14] L.4990/2022 art.16 par.1

Last updated on 03/04/2023

Switzerland

  • at Bär & Karrer

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]

 

[1] Wolfgang Portmann/Isabelle Wildhaber, Schweizerisches Arbeitsrecht, 4. Edition, Zurich/St. Gallen 2020, N 473.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

The investigation outcome may not need to be noted on the accused employee’s record at all. Usually only the outcome of any subsequent disciplinary or grievance process would be noted, rather than the prior investigation.

The employer should keep the investigation report for as long as it remains relevant. This would usually be no longer than six years, unless regulatory obligations dictate otherwise. The report along with all documentation and witness statements gathered during the investigation should be retained securely and confidentially but for no longer than is absolutely necessary under the requirements of the DPA 2018 and the employer's data protection policies and procedures. There may be additional retention requirements in a regulated context; the position for each particular business and employee should be checked.

Last updated on 15/09/2022