Workplace Investigations

In internal investigations, the fundamental rights and freedoms of employees are at stake,  including the right to privacy, respect for the privacy of home life and correspondence, freedom of expression, and the obligation of loyalty in searching for evidence.

In principle, work emails and files can be reviewed, even without the employee's consent, prior knowledge or warning. This includes: work email accounts; files stored on a work computer or a USB key connected to a work computer; and SMS messages and files stored on a work mobile phone and documents stored in the workplace unless they are labelled as “personal”. On the other hand, it is not permissible for an employer (or an investigator) to review “personal” emails and files, such as documents or emails identified as “personal” by the employee, or personal email accounts (Gmail, Yahoo, etc), even if accessed from a work computer.

There are certain exceptions to the above principle. An employer is allowed to check “personal” emails or data in any of the following cases:

• if the employee is present during the review;
• if the employee is absent, but was duly notified and invited to be present;
• if there is a particularly serious “specific risk or event”;
• if the review is authorised by a judge (this means having to prove a legitimate reason justifying not informing the employee).

When documents or emails are not marked as “personal” but contain information of a personal nature, the employer may open and review the data but may not use such documents or emails to justify applying disciplinary measures to the employee or use such documents or emails as evidence in court if they indeed relate to the employee’s private life.

Special attention must be given to employee representatives who must be entirely free to carry out their duties.

The employer is allowed to search an employee’s possessions or files, provided that they are work instruments or of a professional nature.

When performing these searches, employers should consider the specific provisions of the Data Protection Regulations as well as Resolution No. 1638/2013 of the Portuguese Data Protection Authority (CNPD), which contains rules on monitoring phone calls, e-mail and internet usage by employees. The CNPD understands that for the employer to access the employees’ professional data (e-mails, documents and other information stored on electronic devices), the latter should be present during the monitoring, to identify any information of a personal nature that should not be accessed by the employer (the employer must comply with these directions and should not access that email). In addition, review of the data should respect specific protocols to avoid potential access to personal data (eg, review of subject, recipients, data flow and type of files attached).

Body searches or the seizure of personal belongings or documents belonging to the employee are not permitted within the scope of a disciplinary procedure.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

Evidence obtained in the context of an investigation must specify who provided it and the date it was provided. No retaliatory measures may be taken against the whistleblower for the act of whistleblowing.

In certain cases, the whistleblower report must be forwarded to the judicial authorities (eg, when there is an obligation to assist persons in imminent danger, for serious offences or a disclosure that a vulnerable person is in danger (ie, minors under 15 or a person who is unable to protect themselves)).

The treatment of whistleblowers and their reports is laid down in various specific laws in Portugal.

Law 93/2021

Under Law 93/2021, a whistleblower of work-related offences must not be retaliated against. Furthermore, imposing disciplinary penalties on the whistleblower within two years after their disclosure is presumed to be abusive. The whistleblower is entitled to judicial protection and may benefit from the witness protection programme within criminal proceedings. Additionally, reports will be recorded for five years and, where applicable, personal data that is not relevant for the handling of a specific report will not be collected or, if accidentally collected, will be deleted immediately.

Corruption and Financial Crime Law (Law 19/2008)

Under Law 19/2008, a whistleblower must not be hampered. Furthermore, the imposition of disciplinary penalties on a whistleblower within one year following the communication of the infraction is presumed to be unfair.

Additionally, whistleblowers are entitled to:

• anonymity until the pressing of charges;
• be transferred following the pressing of charges; and
• benefit from the witness protection programme within criminal proceedings (remaining anonymous upon the verification of specific circumstances).

Money Laundering and Terrorism Financing Law (Law 83/2017)

Law 83/2017, which sets forth the legal framework to prevent, detect and effectively combat money laundering and terrorism financing, applies to financial entities and legal or natural persons acting in the exercise of their professional activities (eg, auditors and lawyers)(collectively, obliged entities).

According to article 20 of Law 83/2017, individuals who learn of any breach through their professional duties must report those breaches to the company's supervisory or management bodies. As a result, the obliged entities must refrain from threatening or taking hostile action against the whistleblower and, in particular, unfair treatment within the workplace. Specifically, the report cannot be used as grounds for disciplinary, civil or criminal action against the whistleblower (unless the communication is deliberately and clearly unjustified).

Legal Framework of Credit Institutions and Financial Companies (RGICSF)

Credit institutions must implement internal-reporting mechanisms that must guarantee the confidentiality of the information received and the protection of the personal data of the persons reporting the breaches and the persons charged. Under article 116-AA of RGICSF, persons who, while working in a credit institution, become aware of:

• any serious irregularities in the management, accounting procedures or internal control of the credit institution; or
• evidence of a breach of the duties set out in the RGICSF that may cause any financial imbalance, must communicate those circumstances to the company's supervisory body.

These communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower.

Moreover, article 116-AB of the RGICSF establishes that any person aware of compelling evidence of a breach of statutory duties may report it to the Bank of Portugal. Such communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower, unless the report is clearly unfounded.

The Bank of Portugal must ensure adequate protection of the person who has reported the breach and the person accused of breaching the applicable duties. It must also guarantee the confidentiality of the persons who have reported breaches at any given time.

Portuguese Securities Code (CVM)

Article 382 of the CVM states that financial intermediaries subject to the supervision of the Portuguese Securities Market Commission (CMVM), judicial authorities, police authorities, or respective employees must immediately inform the CMVM if they become aware of facts that qualify as crimes against the securities market or the market of other financial instruments, due to their performance, activity, or position.

Additionally, according to article 368-A of the CVM, any person aware of facts, evidence, or information regarding administrative offences under the CVM or its supplementary regulations may report them to the CMVM either anonymously or with the whistleblower's identity. The disclosure of the whistleblower's identity, as well as that of their employer, is optional. If the report identifies the whistleblower, their identity cannot be disclosed unless specifically authorised by the whistleblower, by an express provision of law or by the determination of a court.

Such communications may not be used as grounds for disciplinary, criminal, or civil liability action brought against the whistleblower, and they may not be used to demote the employee.

According to article 368-E of the CVM, the CMVM must cooperate with other authorities within the scope of administrative or judicial proceedings to protect employees against employer discrimination, retaliation or any other form of unfair treatment by the employer that may be linked to the communication to the CMVM. The whistleblower may be entitled to benefit from the witness-protection programme if an individual is charged in criminal or administrative proceedings because of their communication to the CMVM.

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.