Workplace Investigations

In general, it is advisable to back up data, documents, emails and other records promptly to prevent their deletion. Admissibility depends on whether the data originates from personal or professional records and whether they are legally relevant. If internal investigations are carried out based on a specific suspicion of a criminal offence, it is the processing of legally relevant data. In general, the processing of professional emails or documents is permissible. If there is no professional connection, access to private files and documents is only permitted in exceptional cases.

If, for example, using a business email account for private purposes is not allowed, the employer can usually assume that the data processed is only "general" data within the meaning of article 6 GDPR and that such data processing is justified by a balancing of interests. However, if private use is allowed, the data may still be part of a special category within the meaning of article 9 GDPR. In such cases, the justification for its use must be based on one of the grounds explicitly mentioned in article 9(2) GDPR.

The employer must protect the employee's rights under section 16 of the ABGB and must consider the proportionality of the interference. Only the least restrictive means – the method that least interferes with the employee's rights – may be used to obtain the necessary information. The employer's interest in obtaining the information must outweigh the employee's interest in protecting his or her rights. The implementation or initiation of controls by the employer does not automatically constitute an interference with personal rights, as being subject to the employer's rights of control is part of the position as an employee.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

Data protection law requires that personal data should not be kept longer than necessary for the purpose it was collected. Once the purpose of the internal investigation is fulfilled and the data is no longer needed, it should be deleted or anonymised. Regulations regarding this matter may also be subject to WCAs or internal policies. In any case, it is advisable to keep the results for as long as they may be needed in possible subsequent administrative or judicial proceedings.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]