Workplace Investigations

Whenever employers process personal data in the course of an investigation, they need to comply with Regulation (EU) 2016/679 (the GDPR) and Law 58/2019, which implements the GDPR in Portugal (jointly the Data Protection Regulations). If the gathering of physical evidence includes the collection and processing of sensitive data (eg, related to the employee’s health or any other category outlined in article 9 of the GDPR), additional safety measures should be in place to safeguard the adequate and confidential nature of such information.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

The treatment of whistleblowers and their reports is laid down in various specific laws in Portugal.

Law 93/2021

Under Law 93/2021, a whistleblower of work-related offences must not be retaliated against. Furthermore, imposing disciplinary penalties on the whistleblower within two years after their disclosure is presumed to be abusive. The whistleblower is entitled to judicial protection and may benefit from the witness protection programme within criminal proceedings. Additionally, reports will be recorded for five years and, where applicable, personal data that is not relevant for the handling of a specific report will not be collected or, if accidentally collected, will be deleted immediately.

Corruption and Financial Crime Law (Law 19/2008)

Under Law 19/2008, a whistleblower must not be hampered. Furthermore, the imposition of disciplinary penalties on a whistleblower within one year following the communication of the infraction is presumed to be unfair.

Additionally, whistleblowers are entitled to:

• anonymity until the pressing of charges;
• be transferred following the pressing of charges; and
• benefit from the witness protection programme within criminal proceedings (remaining anonymous upon the verification of specific circumstances).

Money Laundering and Terrorism Financing Law (Law 83/2017)

Law 83/2017, which sets forth the legal framework to prevent, detect and effectively combat money laundering and terrorism financing, applies to financial entities and legal or natural persons acting in the exercise of their professional activities (eg, auditors and lawyers)(collectively, obliged entities).

According to article 20 of Law 83/2017, individuals who learn of any breach through their professional duties must report those breaches to the company's supervisory or management bodies. As a result, the obliged entities must refrain from threatening or taking hostile action against the whistleblower and, in particular, unfair treatment within the workplace. Specifically, the report cannot be used as grounds for disciplinary, civil or criminal action against the whistleblower (unless the communication is deliberately and clearly unjustified).

Legal Framework of Credit Institutions and Financial Companies (RGICSF)

Credit institutions must implement internal-reporting mechanisms that must guarantee the confidentiality of the information received and the protection of the personal data of the persons reporting the breaches and the persons charged. Under article 116-AA of RGICSF, persons who, while working in a credit institution, become aware of:

• any serious irregularities in the management, accounting procedures or internal control of the credit institution; or
• evidence of a breach of the duties set out in the RGICSF that may cause any financial imbalance, must communicate those circumstances to the company's supervisory body.

These communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower.

Moreover, article 116-AB of the RGICSF establishes that any person aware of compelling evidence of a breach of statutory duties may report it to the Bank of Portugal. Such communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower, unless the report is clearly unfounded.

The Bank of Portugal must ensure adequate protection of the person who has reported the breach and the person accused of breaching the applicable duties. It must also guarantee the confidentiality of the persons who have reported breaches at any given time.

Portuguese Securities Code (CVM)

Article 382 of the CVM states that financial intermediaries subject to the supervision of the Portuguese Securities Market Commission (CMVM), judicial authorities, police authorities, or respective employees must immediately inform the CMVM if they become aware of facts that qualify as crimes against the securities market or the market of other financial instruments, due to their performance, activity, or position.

Additionally, according to article 368-A of the CVM, any person aware of facts, evidence, or information regarding administrative offences under the CVM or its supplementary regulations may report them to the CMVM either anonymously or with the whistleblower's identity. The disclosure of the whistleblower's identity, as well as that of their employer, is optional. If the report identifies the whistleblower, their identity cannot be disclosed unless specifically authorised by the whistleblower, by an express provision of law or by the determination of a court.

Such communications may not be used as grounds for disciplinary, criminal, or civil liability action brought against the whistleblower, and they may not be used to demote the employee.

According to article 368-E of the CVM, the CMVM must cooperate with other authorities within the scope of administrative or judicial proceedings to protect employees against employer discrimination, retaliation or any other form of unfair treatment by the employer that may be linked to the communication to the CMVM. The whistleblower may be entitled to benefit from the witness-protection programme if an individual is charged in criminal or administrative proceedings because of their communication to the CMVM.

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.