Workplace Investigations

As discussed in question 7, it may be difficult for a company to search an employee’s personal possessions. The company may search and gather electronic data stored in work laptops or company servers, subject to legal requirements and restrictions (eg, obtaining consent). 

The PIPA provides specific guidance on the requirements for obtaining consent. Under the PIPA, to collect or use an individual’s personal information, the information holder must be informed of and consent to:

• the purpose of the collection or use;
• the personal information that will be collected;
• the period of retention and use; and
• his or her right to refuse to provide consent and any disadvantages that may result from such refusal.

There are separate requirements for obtaining consent to provide an individual’s personal information to a third party. Also, consent must be obtained separately for the collection, use or provision of sensitive or unique identification information.

Under limited circumstances, personal information may be collected, used, or provided to third parties without obtaining the consent of the information holder. For instance, a company may collect and use personal information without obtaining consent where obtaining the information is necessary to achieve the company’s “legitimate interests”, which clearly exceed the information holder’s right to his or her personal information, and the collection and use are carried out within reasonable bounds. The term “legitimate interests” in this context is generally understood as a concept similar to “justifiable act” under the Criminal Code. The Korean Supreme Court has held that under exceptional circumstances such as the following, the company’s collection and review of employee data may constitute a “justifiable act” under the Criminal Code:

1. the company had specific and reasonable suspicion that the employee had committed a crime and the company had an urgent need to verify the facts;
2. the scope of the company’s review was limited to the suspected crime through the use of keywords, etc;
3. the employee had signed an agreement stating that he or she would not use work computers in an unauthorised manner and that all work products would belong to the company; and
4. the company’s review uncovered materials that could be used to verify whether the employee committed the alleged crime.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

There is generally no obligation to report violations to the Korean authorities, subject to limited exceptions (eg, financial institutions are required to report certain types of wrongdoing to the financial regulator; if there was a leak of an industrial technology developed through a national research and development project or a national core technology, this leak should be reported to the Ministry of Trade, Industry and Energy and the National Intelligence Service). However, even in the absence of a self-reporting obligation, the company may consider strategically deciding to make a voluntary report. For example, there have been instances where the police or prosecutors’ investigations were conducted in a more limited manner where the company filed a voluntary report and cooperated with the investigation. Also, for certain types of violations (eg, cartel activities), self-reporting to the relevant authority may entitle the company to leniency provided under the law.

In certain instances, the company may also consider reporting violations to the relevant foreign authorities, in addition to, or instead of, the Korean authorities. For example, if the company found potential violations of US law such as sanctions law or the Foreign Corrupt Practice Act, the company may want to self-report these violations to the relevant authorities such as the Office of Foreign Assets Control, or the US Department of Justice.

The employer is generally not required to disclose the final report, or the data obtained in connection with the investigation. In particular, the employer is not obliged to file a criminal complaint with the police or the public prosecutor's office.

Exceptions may arise, for example, from data protection law (see question 22) or a duty to release records may arise in a subsequent state proceeding.

Data voluntarily submitted in a proceeding in connection with the internal investigation shall be considered private opinion or party assertion.[1] If the company refuses to hand over the documents upon request, coercive measures may be used under certain circumstances.[2]