Workplace Investigations

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Due to this obligation, it is arguable that the GDPR policy already provides the necessary information for the employees not to jeopardise the investigation. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the report should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a double-phase procedure that needs to be followed if private data is involved. Next to this, the employer should also take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

• whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
• the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
• whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
• whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.