Workplace Investigations

An employer can search an employee’s personal possessions (eg, handbag, pockets and locker) if the employer has a legitimate interest in a search. This could, for example, include a reasonable suspicion of theft of employer property. Furthermore, an employer may search, but not continually monitor, an employee’s computer and email provided that it is in accordance with GDPR requirements. For the processing to be lawful under the GDPR, the employer has to establish a purpose and a legal basis for the processing of personal data. Furthermore, data subjects must have received information on the legal basis for and purpose of the processing of personal data beforehand. If the data subjects have not received such information, the employer’s right to process their data is limited. However, if the employer has reasonable grounds to believe that trade secrets or similar has been copied and stolen, no such requirements would typically apply.

Investigations into an employee's possessions may, under certain circumstances, also be carried out by the Swedish authorities.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

Under the GDPR personal data may not, according to the general principle on storage limitation, be retained for longer than is necessary for the purposes for which the personal data are processed. The GDPR does not stipulate a generally applicable storage limitation period. Such a regulation is, on the other hand, included in the Swedish Whistleblowing Act. If the Swedish Whistleblowing Act applies, the outcome of the investigation and all personal data should be retained for as long as necessary, but not for longer than two years after the investigation has been closed.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]