Workplace Investigations

If personal data is involved – the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

Neither Polish law nor the Draft Law specifically provide for a mandatory period during which the outcome of the investigation should be kept on the employee’s record.

At the same time, the Draft Law indicates that the register of whistleblowing reports, which should also contain information about follow-up actions undertaken as a result of the report, should be kept for 15 months starting from the end of the calendar year in which the follow-up actions have been completed, or the proceedings initiated by those actions have been terminated.

Also, while determining how long the outcome of an internal investigation should be kept, additional legal considerations can be taken into account, especially data privacy.

The GDPR does not specify precise storage time for personal data. The employer must assess what will be an appropriate time for storage of the data, taking into consideration the necessity of keeping personal data concerning the purpose of the processing in question. Employees' personal data should be kept for the period necessary for the performance of the employment relationship and may be kept for a period appropriate for the statute of limitations for claims and criminal deeds. A longer retention period may result from applicable laws. Following the Regulation of the Minister of Family, Labour and Social Policy on employee documentation, the employer may keep a copy of the notice of punishment and other documents related to the employee’s incurring of disciplinary responsibility in the employee record.

There are different retention periods for the data contained in employee files:

• 10 years if the employee was hired on or after 1 January 2019;
•  if the employment relationship began between 1 January 1999 and 1 January 2019, the retention period is 50 years, but may be reduced to 10 years if the employer provides the Polish Social Insurance Institution with certain mandatory information; and
•  for 50 years if the employee was hired before 1 January 1999. It does not matter whether the person is still working or not.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]