Workplace Investigations

All data processing must comply with the principles of article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity). Personal data may only be collected and processed for specific, lawful purposes.

The admissibility of data processing depends on whether the suspicion relates to a criminal offence or another violation of the law. If the data processing is relevant to criminal law, article 10 GDPR or section 4(3) of the Austrian Data Protection Act (DSG) applies. If the investigations are exclusively to clarify violations under civil or labour law, such as an assertion of claims for damages or if they are general investigations to establish a criminal offence, the permissibility of data processing is based on article 6 or, for data covered by article 9 GDPR, on this provision.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

It is up to management to decide which results should be disclosed and to whom. It is important to know who the persons concerned are and who has an interest in disclosure.

From a legal perspective, disclosure must follow the GDPR. Internal policies can specify how the results are to be handled. Works Council Agreements (WCAs) may also contain regulations on how to deal with internal investigations and the disclosure of results.

There is no requirement to publish the results of the investigation, but it may be advisable to cooperate with the authorities. This is particularly the case if the employer has suffered damage or is himself threatened with prosecution. The release of investigation results can be compelled through the courts.

The employer is generally not required to disclose the final report, or the data obtained in connection with the investigation. In particular, the employer is not obliged to file a criminal complaint with the police or the public prosecutor's office.

Exceptions may arise, for example, from data protection law (see question 22) or a duty to release records may arise in a subsequent state proceeding.

Data voluntarily submitted in a proceeding in connection with the internal investigation shall be considered private opinion or party assertion.[1] If the company refuses to hand over the documents upon request, coercive measures may be used under certain circumstances.[2]