Workplace Investigations

In general, it is advisable to back up data, documents, emails and other records promptly to prevent their deletion. Admissibility depends on whether the data originates from personal or professional records and whether they are legally relevant. If internal investigations are carried out based on a specific suspicion of a criminal offence, it is the processing of legally relevant data. In general, the processing of professional emails or documents is permissible. If there is no professional connection, access to private files and documents is only permitted in exceptional cases.

If, for example, using a business email account for private purposes is not allowed, the employer can usually assume that the data processed is only "general" data within the meaning of article 6 GDPR and that such data processing is justified by a balancing of interests. However, if private use is allowed, the data may still be part of a special category within the meaning of article 9 GDPR. In such cases, the justification for its use must be based on one of the grounds explicitly mentioned in article 9(2) GDPR.

The employer must protect the employee's rights under section 16 of the ABGB and must consider the proportionality of the interference. Only the least restrictive means – the method that least interferes with the employee's rights – may be used to obtain the necessary information. The employer's interest in obtaining the information must outweigh the employee's interest in protecting his or her rights. The implementation or initiation of controls by the employer does not automatically constitute an interference with personal rights, as being subject to the employer's rights of control is part of the position as an employee.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

If a lawyer is involved in the investigation, communication between the lawyer and client is subject to legal professional privilege. These communications must not be disclosed. Any documents collected by an internal audit can be seized and used. However, a document created by a lawyer can only be seized. The same applies to other professional representatives of parties, such as notaries and auditors, as potential holders of professional secrecy.

As outlined above, all employees generally have the right to know whether and what personal data is being or has been processed about them (article 8 paragraph 1, Swiss Federal Act on Data Protection; article 328b, Swiss Code of Obligations).

The employer may refuse, restrict or postpone the disclosure or inspection of internal investigation documents if a legal statute so provides, if such action is necessary because of overriding third-party interests (article 9 paragraph 1, Swiss Federal Act on Data Protection) or if the request for information is manifestly unfounded or malicious. Furthermore, a restriction is possible if overriding the self-interests of the responsible company requires such a measure and it also does not disclose the personal data to third parties. The employer or responsible party must justify its decision (article 9 paragraph 5, Swiss Federal Act on Data Protection).[1]

The scope of the disclosure of information must, therefore, be determined by carefully weighing the interests of all parties involved in the internal investigation.