Workplace Investigations

The employer is allowed to search an employee’s possessions or files, provided that they are work instruments or of a professional nature.

When performing these searches, employers should consider the specific provisions of the Data Protection Regulations as well as Resolution No. 1638/2013 of the Portuguese Data Protection Authority (CNPD), which contains rules on monitoring phone calls, e-mail and internet usage by employees. The CNPD understands that for the employer to access the employees’ professional data (e-mails, documents and other information stored on electronic devices), the latter should be present during the monitoring, to identify any information of a personal nature that should not be accessed by the employer (the employer must comply with these directions and should not access that email). In addition, review of the data should respect specific protocols to avoid potential access to personal data (eg, review of subject, recipients, data flow and type of files attached).

Body searches or the seizure of personal belongings or documents belonging to the employee are not permitted within the scope of a disciplinary procedure.

An employer can search an employee’s personal possessions (eg, handbag, pockets and locker) if the employer has a legitimate interest in a search. This could, for example, include a reasonable suspicion of theft of employer property. Furthermore, an employer may search, but not continually monitor, an employee’s computer and email provided that it is in accordance with GDPR requirements. For the processing to be lawful under the GDPR, the employer has to establish a purpose and a legal basis for the processing of personal data. Furthermore, data subjects must have received information on the legal basis for and purpose of the processing of personal data beforehand. If the data subjects have not received such information, the employer’s right to process their data is limited. However, if the employer has reasonable grounds to believe that trade secrets or similar has been copied and stolen, no such requirements would typically apply.

Investigations into an employee's possessions may, under certain circumstances, also be carried out by the Swedish authorities.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

There are no specific rules in the Portuguese Labour Code on this matter.

However, article 332 of the PLC states that the employer should keep an updated record of disciplinary sanctions, so the competent authorities can easily verify compliance with applicable provisions. Accordingly, it is advisable to maintain a record of disciplinary sanctions during the entire employment relationship.

Also, please note that some collective bargaining agreements state that the disciplinary register must be deleted from the employee’s record periodically.

Under the GDPR personal data may not, according to the general principle on storage limitation, be retained for longer than is necessary for the purposes for which the personal data are processed. The GDPR does not stipulate a generally applicable storage limitation period. Such a regulation is, on the other hand, included in the Swedish Whistleblowing Act. If the Swedish Whistleblowing Act applies, the outcome of the investigation and all personal data should be retained for as long as necessary, but not for longer than two years after the investigation has been closed.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]