Workplace Investigations

There is no specific legislation, guidance or policies covering investigations in the workplace. Issues such as the Personal Data Protection Law, invasion of privacy, and infringement of freedoms may arise regarding the related parties, subjects, methods, and results of investigations. In addition, court decisions have stated that "when there has been a violation of corporate order, an investigation of the facts may be conducted to clarify the nature of the violation, issue business instructions or orders necessary to restore the disturbed order or take disciplinary action against the violator as a sanction”. The investigation or order must be reasonable and necessary for the smooth operation of the enterprise, and the method and manner of the investigation or order must not be excessive or restrain an employee's personality or freedom. In such a case, the investigation may be considered to be illegal and may constitute a tort.

Workplace investigations in Sweden are governed by several rules and regulations. Listed below are the central legislation and regulations that govern a workplace investigation related to alleged employee misconduct.

• The Swedish Discrimination Act (2008:567).
• The Swedish Work Environment Act (1977:1160), which is complemented by the Swedish Work Environment Authority’s other statutes.[1]
• The Swedish Whistleblowing Act (2021:890).

If a workplace investigation has been initiated after the receipt of a report filed through a reporting channel established under the Swedish Whistleblowing Act, that law applies provided that the report has been filed by a person who may report under the Act and provided that the subject of the report falls under the material scope of the Act. The Swedish Whistleblowing Act implements Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law and has been given a wide material scope in Sweden. The Swedish Whistleblowing Act may apply if the reported irregularity concerns breaches of certain EU laws or if the reported irregularity is of public interest.

In addition to the regulations mentioned above, certain data protection legislation may affect workplace investigations by restricting what personal data may be processed. Such data protection legislation includes the following:

• Regulation (EU) 2016/679 on the protection of natural persons concerning the processing of personal data and the free movement of such data (the GDPR);
• the Swedish Supplementary Data Protection Act (2018:218);
• the Swedish Supplementary Data Protection Regulation (2018:219);

• Regulation DIFS:2018:2 on the processing of personal data relating to criminal convictions or offences. This regulation governs the processing of personal data relating to criminal convictions or suspected criminal offences in internal workplace investigations that are not governed by the Swedish Whistleblowing Act.[2]

The above-mentioned legislation and regulations may overlap in many aspects and it is therefore important before starting an investigation, as well as during an investigation, to assess which rules and regulations apply to the situation at hand. Another aspect of this is that many issues that can arise during an investigation are not regulated by law or other legislation. If the investigation is a non-whistleblowing investigation there are limited rules on exactly how and by whom the investigation should be carried out.

A Swedish law firm that undertakes a workplace investigation also has to adhere to the Swedish Bar Association’s Code of Conduct. The Code of Conduct includes additional considerations, mainly ethical, which will not be addressed in this submission. Furthermore, this submission will not focus on investigations following an employee’s possible misappropriation of proprietary information or breach of the Swedish Trade Secrets Act (2018:558). Investigations into such irregularities are often conducted to gather evidence and these investigations include the same or similar investigative measures used in other investigations, such as interviews with employees and IT-forensic searches, but also infringement investigations carried out by the authorities or other measures by the police.

There is no specific legal regulation for internal investigations in Switzerland. The legal framework is derived from general rules such as the employer's duty of care, the employee's duty of loyalty and the employee's data protection rights. Depending on the context of the investigation, additional legal provisions may apply; for instance, additional provisions of the Swiss Federal Act on Data Protection or the Swiss Criminal Code.

Since inspections of personal belongings may potentially undermine employees' fundamental human rights, they would not become lawful simply because they are conducted under employment regulations.

Inspections of personal belongings must be conducted uniformly among employees in the workplace based on reasonable grounds, in a generally reasonable manner and to a generally reasonable degree, and based on the work rules, etc.

When inspections of personal belongings are conducted under employment regulations, etc, employees must agree to the inspection except in special circumstances, such as the method or degree of the inspection being unreasonable.

On the other hand, an investigation of information stored on a company network system may constitute an infringement of the right to privacy. If there is a provision in the employment regulations regarding the use of the internet and monitoring, it is possible to investigate under such a provision. A Japanese court case on the illegality of reading e-mails in the absence of a monitoring provision stated that private use of e-mails also carries a certain right to privacy, but also stated that "considering the fact that the system is maintained and managed by the company, the protection of the employee's privacy can only be expected within a reasonable range according to the specific circumstances of the system," and that the act of reading e-mails was not illegal because the extent of private use of e-mails was beyond the limit, which was outside the reasonable range of socially accepted ideas. The court also ruled that the monitoring of the employee's abusive private use of e-mail, which was discovered in the course of an investigation of slanderous e-mails within the company, was not illegal because even if the monitoring was conducted without notice, there was suspicion of a violation of the duty of devotion to duty and corporate order. The court also stated that the investigation was necessary and that the scope of the investigation did not exceed its limit.

An employer can search an employee’s personal possessions (eg, handbag, pockets and locker) if the employer has a legitimate interest in a search. This could, for example, include a reasonable suspicion of theft of employer property. Furthermore, an employer may search, but not continually monitor, an employee’s computer and email provided that it is in accordance with GDPR requirements. For the processing to be lawful under the GDPR, the employer has to establish a purpose and a legal basis for the processing of personal data. Furthermore, data subjects must have received information on the legal basis for and purpose of the processing of personal data beforehand. If the data subjects have not received such information, the employer’s right to process their data is limited. However, if the employer has reasonable grounds to believe that trade secrets or similar has been copied and stolen, no such requirements would typically apply.

Investigations into an employee's possessions may, under certain circumstances, also be carried out by the Swedish authorities.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]