Workplace Investigations

Before commencing a workplace investigation, an employer must review the terms of any applicable employment contract, policy, procedure or industrial instrument. These documents will likely contain clauses that will dictate the investigation process.

There is also a significant body of common law that dictates how an investigation should be conducted and the procedural fairness that should be afforded to those involved. To ensure a workplace investigation is procedurally fair, employers must consider several factors, including:

• putting all allegations to the respondent in a manner which does not suggest a pre-determination of the outcome;
• conducting the investigation in a timely manner;
• providing the respondent with the opportunity to respond to the allegations;
• conducting a fair investigation process;
• making an unbiased (and not pre-determined) decision; and
• permitting the respondent and complainant to involve a support person or union representative.

Employers should also consider the additional steps they can take to conduct a best-practice investigation, including:

• being thorough and taking the time to plan the investigation;
• communicating clearly and fairly;
• considering whether the allegations are indicative of a wider workplace behaviour problem;
• maintaining confidentiality; and
• preventing victimisation.

Austrian law does not impose an obligation on employers to conduct internal investigations and they do not have to follow a specific legal pattern when doing so. However, an obligation to conduct internal investigations may arise out of certain provisions of criminal, company or even labour law – in particular, an indirect obligation arising from an employer's duty of care, which requires them to act against employee mistreatment, such as bullying.

If such internal investigations are initiated, compliance with labour law and data protection regulations is mandatory. According to section 16 of the Austrian Civil Code (ABGB), the employer must also protect the personal rights of the individual. It is important to emphasise that a company's internal investigation is a private measure and differs from official investigations.

There is no specific legislation regarding a workplace investigation. In general, an employer has the right to investigate incidents at the workplace based on their authority over employees. However, the investigative powers of the employer are among others limited by the general right to privacy, which is also enshrined in Collective Bargaining Agreement No. 81 of 26 April 2002 to protect the privacy of employees concerning the control of electronic online data. If there are official complaints by employees due to sexual harassment, bullying or violence at work,  well-being legislation provides a specific procedure. Also, upcoming whistleblower rules include some specifications for an investigation, but at the time of publication these are not yet final (we refer to is in more detail below). The information below is only valid for workplace investigations in the private sector. The public sector has a set of specific rules and principles, which are outside the scope of this chapter.

There is no specific law governing workplace investigations in Brazil, but Law 14.457/2022 states that companies must have rules that relate to sexual and other forms of harassment in their internal policies, address the rules for receiving and processing accusations, assess the facts, and discipline any individuals directly and indirectly involved in acts of sexual harassment or violence.

If the investigation has any connection with anticorruption matters, the investigation procedure must comply with Law 12846/2013 (Brazilian Anticorruption Act) and Decree 8420/2015.

As a result, Brazilian employers usually follow the rules determined by internal corporate policies, which often result from international regulations and principles that differ from the Brazilian ones, which inadvertently expose the Brazilian subsidiary to liability. The answers below will highlight common examples of this, when appropriate.

Currently there are no unified laws, administrative regulations or policies in the field of labor laws in People's Republic of China (referred to as “PRC”) regarding investigations on workplaces of ordinary employers. The laws and regulations of employers in certain specific industries (such as banking, securities, insurance, medical institutions, etc.) and the laws and regulations governing certain personnel (such as officers of state-owned enterprises and members of the Communist Party of China) contain provisions relating to investigations on employees' conduct, but such provisions are only applicable to the aforementioned specific industries or personnel.

Employers generally will specify their investigation rights and rules and procedures of internal investigations in their internal rules and regulations (such as the employee handbook) or the employment contracts entered into with their employees. However, it should be noted that workplace investigations are still subject to laws and regulations in relation to personal information, privacy and data protection.

Mainly, the Occupational Safety and Health Act (738/2002). In addition, the following also have relevance in connection to a workplace investigation: the Employment Contracts Act (55/2001), the Criminal Code (39/1889), the Act on Occupational Safety and Health Enforcement and Cooperation on Occupational Safety and Health at Workplaces (44/2006), the Act on Equality between Women and Men (609/1986) and the Non-discrimination Act (1325/2014). In addition, the employer's own policies must be taken into consideration while conducting a workplace investigation.

No specific rules directly govern a workplace investigation in the event of employee misconduct. However, several rules, both legal and administrative, affect the conduct of such an investigation. In addition, codes of conduct, internal regulations or guidelines may also exist within companies.

A new law (No. 2022-401) came into effect on 1 September 2022 and constitutes one of the cornerstones for future regulation of workplace investigations. This law transposes into French law the European directive relating to whistleblower protection. It does not, however, constitute a revolution, as a previous French law dated 9 December 2016 (the so-called Sapin 2 Law) already provided the whistleblower with a specific status and protection. These laws are fundamental when considering an internal investigation as the rules protecting the whistleblower and requiring the establishment of an internal whistleblowing channel (eg, a dedicated email or hotline) affect the degree of flexibility available to companies in conducting the investigation.

A new decree has been adopted (No. 2022-1284), dated 3 October 2022, for application of these new provisions. This decree sets out several obligations relating to the internal whistleblowing reporting process. The reporting channel will necessarily contribute to shape the internal investigation triggered by situations which have been reported by that channel. Companies subject to this decree may define the reporting procedure using the supporting tool of their choice (company collective agreement, internal memorandum, etc.), as long as the employee representative bodies are duly consulted on the matter. The decree also specifies that an acknowledgement of receipt of the alert must be provided to the author of the alert in writing within seven days from the company receiving the alert. The author of the alert must also be informed in writing, within a reasonable period not exceeding three months from acknowledgement of receipt of the alert, of the measures envisaged or taken to assess the accuracy of the allegations and, where appropriate, to remedy the situation which had been reported, as well as the reasons for these measures and, finally, the closure of the case.

More generally, not only do all the “pure” labour law rules relating to the protection of the human rights of employees need to be complied with (right to privacy, data protection under the GDPR, etc), but also the disciplinary rules and regulations that protect employees from unfounded sanctions imposed by their employer. For example, an employer can only sanction an employee's misconduct if the disciplinary procedure begins within two months of when the misconduct was committed or when the employer becomes aware of it. In this respect, an internal investigation can be necessary for the employer to obtain full knowledge of the facts alleged to have been committed by the employee. It is nonetheless recommended that the internal investigation be completed within these two months to avoid the risk of the disciplinary action being time-barred.

Administrative rules produced by the French anti-corruption agency should also be taken into consideration (good practice, guidelines and recommendations relating to senior management’s commitment to implement anti-corruption measures, corruption risk mapping, corruption risk management measures and procedures), as well as the guidelines produced by the French Ministry of Employment relating to the prevention of sexual harassment and gender-based violence or the recommendations of the Human Rights Defender, which is a French special institution aimed at protecting fundamental rights.

When the investigation in question concerns moral or sexual harassment or violence in the workplace, the national interprofessional agreement of 26 March 2010 should be <referred to. This text stipulates that in the event of an investigation procedure, it should be based on, but not limited to, the following guiding principles:

• it is in everyone's interest to act with the discretion necessary to protect everyone's dignity and privacy;
• no information, unless it is anonymized, should be divulged to parties not involved in the case in question;
• complaints must be investigated and dealt with without delay;
• all parties involved must be listened to impartially and treated fairly;
• complaints must be supported by detailed information;
• deliberate false accusations must not be tolerated, and may result in disciplinary action;
• external assistance may be useful, notably from occupational health services.

Many are calling for the adoption of legislative rules governing such investigations, and their coordination with general whistleblower protection measures.

Finally, a company must take its own rules and regulations into account. Every company with at least 50 employees has the legal obligation to draw up internal rules and regulations, which notably set out the disciplinary sanctions applicable to employees, as well as a reminder of certain employees' rights.

There are no specific legislative requirements for workplace investigations in Germany. In 2020, the Federal Ministry of Justice presented a draft bill with regulations on internal investigations and, in particular, employee interviews. However, this law failed to pass under the previous government. The current government has announced it will take up this matter again and plans to create a precise legal framework for internal investigations. Details, timing and content remain to be seen.

Nevertheless, workplace investigations do not take place in a "lawless space". They must comply with the provisions of employment and data protection law. Further, criminal and corporate law aspects can play a role. Moreover, works council information and co-determination rights may have to be taken into account.

In Greece, workplace investigations are not heavily regulated.

However, internal disciplinary procedures are governed by certain general principles, while there is also legislation regulating certain aspects of investigations opened in the context of whistleblowing procedures or concerning complaints for workplace violence or harassment. These include Law 4990/2022, which transposed EU Directive 2019/1937 into Greek Law; and Law 4808/2021, which ratified the ILO’s Violence and Harassment Convention, 2019 (No190) and introduced relevant provisions.

As far as disciplinary procedures in private-sector companies are concerned, employers that must have internal labour regulations in place (ie, those with more than 70 employees) or opt to adopt them voluntarily, can regulate the procedures themselves.  

In the public sector, internal investigations are governed by disciplinary provisions included in the civil servant code.

The Employment Ordinance (EO), which is the primary legislation governing employment relationships in Hong Kong, does not provide for a statutory workplace investigation procedure.

The Labour Department of Hong Kong has, however, published a Guide to Good People Management Practices[1] which recommends that employers lay down rules of conduct, grievance and disciplinary procedures. Such rules should be simple and clear, logical and fair, and in line with the provisions in the EO.

As part of risk management and internal controls, Hong Kong-listed companies are expected by The Stock Exchange of Hong Kong Limited (SEHK) to establish whistleblowing policies and systems for employees to raise concerns about possible improprieties with independent board members. Listed companies are also expected to establish policies for the promotion and support of anti-corruption laws and regulations. Such policies and systems may include workplace investigation procedures.[2] If a listed company chooses to not establish such policies and systems, it is required to explain how it could achieve appropriate and effective risk management and internal controls.

There is no codified law in India on conducting workplace investigations, so they largely depend on the internal policies of the employer. Certain requirements and best practice measures have evolved through judicial precedent, and these are codified through internal policies.

For claims involving sexual harassment, however, investigations can only be undertaken by the Internal Committee (IC), which an employer needs to constitute under the Prevention of Sexual Harassment of Women and Workplace (Prevention, Prohibition and Redressal) Act 2013 (SH Act).  

The general principle laid down by the courts is that any action against an employee for misconduct should be taken after conducting a disciplinary inquiry as per the principles of natural justice (PNJ). Whether or not a disciplinary inquiry can be done away with in any circumstances is a very fact-specific assessment and depends on various factors, including but not limited to the seniority and location of employment of the employee, and the nature and circumstances of the alleged misconduct.

The PNJ broadly require:

• that the accused employee should be issued with a written charge sheet or notice setting out the allegations against him or her along with a reasonable opportunity to respond;
• appointment of an independent inquiry officer to assess whether the allegations are proven or not; and
• that action must be taken based on the outcome of the inquiry, any punishment ordered should be proportionate to the gravity of the misconduct, and also take into account the service history (eg, prior warnings) of the individual.

The charge sheet or notice issued to the employee has to set out the evidence used by the employer to support the allegations in sufficient detail. Therefore, gathering necessary information and evidence is usually a critical precursor for any disciplinary process that an employer may eventually initiate against an employee.

In Ireland, employees have a constitutional right and an implied contractual right to natural justice and fair procedures. If a workplace investigation is not conducted in accordance with these principles, an employee may allege that the investigation is fundamentally flawed. If such an allegation is made then an employee may seek recourse from the Workplace Relations Commission (WRC) or potentially the High Court. The WRC is the body in Ireland tasked with dealing with employment law-related claims, including unfair dismissal.

The constitutional rights that employees enjoy were specified in the Supreme Court case of Re Haughey in 1971. That case held that where proceedings may harm the reputation of a person, public bodies must afford certain basic protections of constitutional justice to a witness appearing before it. It further stated that article 40.3 of the Irish Constitution is a guarantee to the citizen of basic fairness of procedures. These protections, known as “Re Haughey rights” are implied in each contract of employment.

A Code of Practice was introduced in 2000, namely S.I. No. 146/2000 - Industrial Relations Act, 1990 (Code of Practice on Grievance and Disciplinary Procedures) (Declaration) Order, 2000 (the Code). The Code set out the procedures for dealing with grievances or disciplinary matters, which must comply with the general principles of natural justice and fair procedures and include:

• that employee grievances are fairly examined and processed;
• that details of any allegations or complaints are put to the employee concerned;
• that the employee concerned is allowed to respond fully to any such allegations or complaints;
• that the employee concerned is given the opportunity to avail of the right to be represented during the procedure; and
• that the employee concerned has the right to a fair and impartial determination of the issues concerned, taking into account any representations made by, or on behalf of, the employee and any other relevant or appropriate evidence, factors or circumstances.

Further Codes of Practice on the prevention and resolution of bullying at work and on dealing with sexual harassment and harassment at work were published in 2021 and 2022, respectively. The provisions of these codes are admissible in evidence before a court, the WRC and the Labour Court.

In addition to the above, the Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023.

All employers should have specific and up-to-date policies dealing with how workplace investigations will be carried out that are suitable for their organisation. These policies may vary, depending on the subject of the investigation and the size and type of employer. However, all should adhere to the principles identified above to ensure that a robust policy is in place and can be utilised.

From an Italian employment law perspective, there is no specific body of legislation that governs investigations. However, several legal and case-law principles may be relevant concerning various specific aspects of investigations, and to which reference will be made below (eg, provisions under Law No. 300 of 1970, the so-called Workers’ Statute regarding “controls on employees”, both physical and “remote”, or regarding “disciplinary proceedings”).

In addition, and outside of the specific scope of employment law, other law provisions may have an impact on investigations, including those regarding privacy law (eg, Italian Legislative Decree No. 196 of 2003 and the Regulation (EU) No. 679 of 2016 (GDPR), regarding data protection and the related policies), whistleblowing (Law No. 179 of 2017 and Directive (EU) No. 1937 of 2019, regarding whistleblower protection) and criminal law (eg, Italian Criminal Procedure Code, providing rules for criminal investigation and Italian Legislative Decree No. 231 of 2001, regarding the corporate (criminal) liability of legal entities).

There is no specific legislation, guidance or policies covering investigations in the workplace. Issues such as the Personal Data Protection Law, invasion of privacy, and infringement of freedoms may arise regarding the related parties, subjects, methods, and results of investigations. In addition, court decisions have stated that "when there has been a violation of corporate order, an investigation of the facts may be conducted to clarify the nature of the violation, issue business instructions or orders necessary to restore the disturbed order or take disciplinary action against the violator as a sanction”. The investigation or order must be reasonable and necessary for the smooth operation of the enterprise, and the method and manner of the investigation or order must not be excessive or restrain an employee's personality or freedom. In such a case, the investigation may be considered to be illegal and may constitute a tort.

Dutch employment law does not provide for a timeframe within which an internal investigation must be launched. However, it is important for an employer who suspects abuse or irregularities, to start an internal investigation without delay. In essence, that means that as soon as management, or – depending on the specific circumstances – the person who is authorised to decide on disciplinary sanctions against a certain employee, becomes aware of a potential abuse or irregularity, all measures to initiate an internal investigation should be taken promptly. If this is not done, the employer may lose the opportunity to take certain disciplinary actions.

The legal framework relating to an investigation by an employer into the acts and omissions of an employee are determined by, among other things, section 7:611 of the Dutch Civil Code (DCC) that stipulates good employer practices; Section 7:660 DCC (right to give instructions to the employee); the European Convention on Human Rights; the Dutch Constitution; the General Data Processing Regulation; and, if the employer uses a private investigation agency, the Private Security Organisations and Detective Agencies Act and the Privacy Code of Conduct for Private Investigation Agencies.

The legal basis from which the employer derives the authority to investigate can be based on the employer's right to give instructions (section 7:660 DCC). Pursuant to this section, the employer has – to a certain extent – the right to give instructions to the employee “which are intended to promote good order in the undertaking of the employer”. In many cases, an investigation of a work-related incident will aim to promote good order within the company. As such, the investigation is trying to:

• find the truth;
• sanction the perpetrator; and
• prevent repetition.

Instructing an employee to cooperate with an internal investigation falls within the scope of the right to instruct.

Subsequently, the employer must behave as a good employer during the investigation, pursuant to section 7:611 DCC. This is coloured by the classic principles of careful investigation: the principle of justification, the principle of trust, the principle of proportionality, the principle of subsidiarity and the principle of equality. Furthermore, the principle of hearing both sides of the argument applies and there must be a concrete suspicion of wrongdoing.

• The Constitution of the Federal Republic of Nigeria, 1999 (as amended)
• The Criminal Code Act
• Penal Code Law
• Money Laundering (Prohibition) Act 2011 (as amended)
• Freedom of Information Act 2011
• Terrorism (Prevention) Act 2013
• Independent Corrupt Practices and other related offences Act 2000
• Code of Conduct Bureau and Tribunal Act
• Companies and Allied Matters Act 2020
• Nigerian Code of Corporate Governance 2018
• Economic Financial Crime Commission (Establishment) Act 2004
• Investment Securities Act 2007
• Central Bank of Nigeria Act 2007
• Banks and Other Financial Institutions Act 2020
• Whistleblowing Programme under the Ministry of Finance

There are essentially two phases in a workplace investigation: the fact-finding phase and the administrative proceeding.

The fact-finding phase of workplace investigations is usually governed by the internal policies of the employer, save for investigations relating to gender-based sexual harassment in the workplace. Republic Act No. 11313, otherwise known as the Safe Spaces Act, sets the parameters for these kinds of investigations.

Philippine case law recognises the right of an employer to conduct investigations for other acts of misconduct in the workplace in the exercise of its management prerogative. The Supreme Court has held that it is an employer’s right to investigate acts of wrongdoing by employees, and employees involved in such investigations cannot simply claim that employers are out to get them.

After the fact-finding aspect of the investigation, if the employer decides it has sufficient grounds to proceed to full-blown administrative proceedings, it needs to comply with the due process requirements outlined under the Philippine Labor Code. These requirements are:

• a first notice, or notice to explain, informing the employee of the charges against him or her;
• an opportunity for the employee to be heard; and
• a final notice on the outcome of the administrative action.

There is no legislation on this area in Poland. However, employers implement internal policies that provide for workplace investigation rules to fulfil certain legal obligations, including those arising directly from labour law.

Based on the currently binding provisions of labour law, an employer must counteract unwanted behaviour in the workplace (eg, bullying, discrimination and unequal treatment). To fulfil this obligation, employers implement internal policies that provide a framework for reporting misconduct and conducting internal investigations. They may freely design the rules of such investigations, within the constraints of their policy. Therefore, it is recommended they create the policy based on the following:
 

• it should be possible to effectively report the misconduct;
• there should be more than one way to report misconduct;
• anonymous reporting should be allowed;
• an investigation committee should be appointed and be objective;
• rules on excluding persons with a conflict of interest from conducting the investigation should be provided; and
• the report from the investigation should be prepared and signed by all persons participating in the process.

However, work on a bill on whistleblower protections is in progress (the Draft Law). The Draft Law will not determine the rules of workplace investigations but it will force employers to implement a whistleblowing procedure and follow-up on recommendations in the case of a report, including initiating an internal investigation where appropriate. Whether an internal investigation is initiated depends on the assessment of a reported irregularity by the employer.

In addition, employers (especially those that are part of an international group) often already implement internal policies on whistleblowing management and internal investigations. Employers often base their policies on guidelines issued by relevant (usually international) organisations.

Pursuant to article 98 of the Portuguese Labour Code, the employer has a disciplinary power over its employees during the employment period. This is enforced through the initiation of disciplinary procedures – which can include a preliminary workplace investigation as provided for in article 352(1) of the Portuguese Labour Code – and ultimately the application of sanctions laid down by law or in an applicable collective bargaining agreement.

The Portuguese Labour Code governs disciplinary procedures, which can include a preliminary workplace investigation, in two different sections. On the one hand, articles 328 to 332 establish general rules regarding the imposition of disciplinary sanctions; statutory deadlines and statutes of limitations involved; decision criteria; penalties; and disciplinary records. On the other hand, articles 351 to 358 lay down the rules applicable to dismissals with cause, which are also widely understood to be applicable concerning conservatory sanctions (i.e. those that enable the continuity of the employment relationship).

Additionally, collective bargaining agreements may provide for different disciplinary penalties, as long as the rights and guarantees of employees are not impaired.

Workplace investigations must also abide by the general rules laid down in the Portuguese Constitution, Portuguese Civil Code and Data Protection Laws (including guidelines issued by the Data Protection Agency), as regards the personal rights of the employees.

A workplace investigation is usually governed by the employer’s internal grievance policy or contractual guidelines found in the employment contract or employee handbook. In the absence of the same, the default governing regime is as set out by the Ministry of Manpower (MOM) and the Tripartite Alliance for Fair and Progressive Employment Practices (TAFEP) in its guidelines and advisories, which include:

• the Tripartite Advisory on Managing Workplace Harassment;
• the TAFEP Grievance Handling Handbook; and
• the Tripartite Guidelines on Fair Employment Practices.

In addition, section 14(1) of the Employment Act 1968 provides that an employer is required to conduct “due inquiry” before dismissing an employee covered under the Employment Act 1968 without notice for misconduct. The Singapore Courts take the view that “due inquiry” suggests some sort of process in which the employee concerned is informed about the allegations and the evidence against him or her so that he or she has an opportunity to defend him or herself with or without evidence during the investigation process.

Further, there are numerous cases where the Singapore High Court has alluded to or implicitly accepted the application of the implied term of mutual trust and confidence in employment contracts that would oblige the employer to act reasonably and fairly during the investigation, even though it is worth noting that the Singapore Court of Appeal has stated that the status of the implied term of mutual trust and confidence has not been settled in Singapore and that the Appellate Division of the Singapore High Court has stated that “[i]t remains an open question for the Court of Appeal to resolve in a more appropriate case, ideally with facts capable of bearing out a claim based directly on the existence of the implied term” (see [81]-[82] of Dong Wei v Shell Eastern Trading (Pte) Ltd and another [2022] SGHC(A) 8).

Hence, any references to the application of the implied term of mutual trust and confidence in Singapore in this article must be read in light of the above.

The current position is expected to change in the second half of 2024, with the passing of Singapore’s first workplace fairness law, the Workplace Fairness Legislation. On 4 August 2023, the Singapore government announced that it has accepted the final set of recommendations by the Tripartite Committee on Workplace Fairness in respect of the upcoming Workplace Fairness Legislation. The Tripartite Committee on Workplace Fairness recommended, among other things, that employers are required to put grievance-handling processes in place. It is therefore expected that the Workplace Fairness Legislation may contain requirements on how and when a workplace investigation should be conducted.

This article sets out the current position, before the Workplace Fairness Legislation was enacted, and will be updated when appropriate.

While there are no specific laws that regulate a workplace investigation, there are several laws that companies should consider when conducting a workplace investigation concerning alleged employee misconduct.

One key example is the Whistleblower Protection Act (WPA). The WPA provides legal protection to a whistleblower if their allegations are raised in good faith and are in the public interest as specified under the WPA. If the WPA applies, certain obligations apply to the company, including but not limited to the following:

• the obligation to protect the confidentiality of the whistleblower’s identity;
• protecting the whistleblower if the whistleblower suffers or is likely to suffer serious harm to life or health as a result of whistleblowing and the whistleblower requests protection; and
• refraining from taking retaliatory action on the whistleblower.

Therefore, if an employee raises allegations of another employee’s misconduct, the company should review whether the allegations fall under the WPA.

There are also special laws that impose obligations on the company if there are certain types of allegations (eg, sexual harassment, workplace harassment).

In addition, when collecting and reviewing employees’ electronic data, such as emails or files stored in work laptops or company servers, which may contain personal information, the company should comply with data privacy laws discussed in more detail in questions 7 and 8.

Companies may also have internal policies (eg, whistleblower protection policies, Code of Conduct) that may apply to workplace investigations, aside from the requirements under Korean law.

Spain has not passed any statutes, regulations or policies specifically governing workplace investigations. Instead, general employment and data protection legislation, which safeguards employees’ rights, is fully applicable during these types of enquiries.

These statutes focus on employee privacy. As a result, the application of this legislation:

• limits the matters that may be investigated: they have to be relevant to the employment relationship and there has to be a legitimate reason to conduct the enquiry;
• sets boundaries to the means that may be lawfully used by the company in the investigation: they must be the least intrusive means for employees’ rights (for instance, an email review should be a last resort, reserved for when less-invasive means are not available or would not be effective); and
• states that the companies’ decisions during the investigation must be proportional in light of the facts under review and the legal consequences attached to them.

Collective bargaining agreements, which in Spain generally apply to every company within their scope of application (normally a given economic sector), may regulate workplace investigations. However, it is unusual for collective bargaining agreements to regulate workplace investigations.

Finally, major international corporations with a presence in Spain do tend to have an ethics or whistleblowing policy that governs how an investigation should be conducted. Even if these are self-imposed policies, they are contractually binding and, once established, must be respected by companies.

Workplace investigations in Sweden are governed by several rules and regulations. Listed below are the central legislation and regulations that govern a workplace investigation related to alleged employee misconduct.

• The Swedish Discrimination Act (2008:567).
• The Swedish Work Environment Act (1977:1160), which is complemented by the Swedish Work Environment Authority’s other statutes.[1]
• The Swedish Whistleblowing Act (2021:890).

If a workplace investigation has been initiated after the receipt of a report filed through a reporting channel established under the Swedish Whistleblowing Act, that law applies provided that the report has been filed by a person who may report under the Act and provided that the subject of the report falls under the material scope of the Act. The Swedish Whistleblowing Act implements Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law and has been given a wide material scope in Sweden. The Swedish Whistleblowing Act may apply if the reported irregularity concerns breaches of certain EU laws or if the reported irregularity is of public interest.

In addition to the regulations mentioned above, certain data protection legislation may affect workplace investigations by restricting what personal data may be processed. Such data protection legislation includes the following:

• Regulation (EU) 2016/679 on the protection of natural persons concerning the processing of personal data and the free movement of such data (the GDPR);
• the Swedish Supplementary Data Protection Act (2018:218);
• the Swedish Supplementary Data Protection Regulation (2018:219);

• Regulation DIFS:2018:2 on the processing of personal data relating to criminal convictions or offences. This regulation governs the processing of personal data relating to criminal convictions or suspected criminal offences in internal workplace investigations that are not governed by the Swedish Whistleblowing Act.[2]

The above-mentioned legislation and regulations may overlap in many aspects and it is therefore important before starting an investigation, as well as during an investigation, to assess which rules and regulations apply to the situation at hand. Another aspect of this is that many issues that can arise during an investigation are not regulated by law or other legislation. If the investigation is a non-whistleblowing investigation there are limited rules on exactly how and by whom the investigation should be carried out.

A Swedish law firm that undertakes a workplace investigation also has to adhere to the Swedish Bar Association’s Code of Conduct. The Code of Conduct includes additional considerations, mainly ethical, which will not be addressed in this submission. Furthermore, this submission will not focus on investigations following an employee’s possible misappropriation of proprietary information or breach of the Swedish Trade Secrets Act (2018:558). Investigations into such irregularities are often conducted to gather evidence and these investigations include the same or similar investigative measures used in other investigations, such as interviews with employees and IT-forensic searches, but also infringement investigations carried out by the authorities or other measures by the police.

There is no specific legal regulation for internal investigations in Switzerland. The legal framework is derived from general rules such as the employer's duty of care, the employee's duty of loyalty and the employee's data protection rights. Depending on the context of the investigation, additional legal provisions may apply; for instance, additional provisions of the Swiss Federal Act on Data Protection or the Swiss Criminal Code.

The Labour Protection Act B.E. 2541 (1998) (LPA) is the key legislation governing the relationship between employer and employee in Thailand. The LPA set out a minimum standard for the protection of employees’ rights, as well as a mechanism for suspension from work for an investigation.

The LPA requires any employer having ten or more employees to prepare work rules in the Thai language and the work rules require an employer to prescribe a procedure for the submission of grievances that would normally include the process for investigations in the workplace. Therefore, the work rules are the main guidance and policy that govern a workplace investigation. In some cases, an employer may have a whistleblowing policy allowing whistle-blowers to submit complaints of illegal or improper activities to the employer. The whistleblowing policy will also prescribe the procedures for investigating in workplace reflecting the complaints submitted by whistle-blowers.

There is no specific legislation governing workplace investigations in Turkish law. However, there are general principles stemming from Labour Law No. 4857 as well as good practice principles. Data protection laws also occasionally intertwine with these. The internal codes and policies of the company should also be followed throughout the process.

In the UK, the primary employment legislation of relevance to a workplace investigation includes the Employment Rights Act 1996 (ERA 1996), the Equality Act 2010 (EA 2010), and the Employment Relations Act 1999 (ERA 1999).

Other legislation includes the retained EU law version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), the Investigatory Powers Act 2016 (IPA 2016) and the Investigatory Powers (Interception by Businesses etc for Monitoring and Record-keeping Purposes) Regulations 2018 (IP Regs 2018), and the Humans Rights Act 1998 (HRA 1998).

In terms of guidance, the Advisory, Conciliation and Arbitration Service (ACAS) have produced a Code of Practice on Disciplinary and Grievance Procedures (the ACAS Code) as well as a Guide to conducting workplace investigations. The Information Commissioner’s Office (ICO) have their Employment Practices Code,  and other pieces of guidance on the data protection aspects of investigations (see question 7).

Most employers will have internal policies governing how workplace investigations should be conducted. The level of detail may vary considerably; public sector and regulated employers may be more prescriptive in their policies, which may even have contractual force. There may also be provisions of the employment contract that are relevant (particularly as regards suspension – see question 3).

In the United States, any combination of legislation at the federal, state and local level, as well as judicial opinions and regulatory guidance interpreting those statutes, may impose obligations on relevant employers to undertake a timely internal investigation in response to complaints of workplace misconduct and to promptly implement remedial measures, where appropriate.

An employer’s written policies often also set forth the company’s expectations for how its employees, partners, vendors, consultants or other third parties will conduct themselves in carrying out the business of the company, and these policies may include protocols setting forth the parameters for an investigation in the event of potential non-compliance. Such investigatory roadmaps are often described in, for example, employee handbooks or a company’s policy against discrimination and harassment.

Due to the patchwork nature of employment and related laws, it is not possible to cover every investigation scenario or related legislation in this guide. Employers should instead consult with experienced employment attorneys in their state to ensure compliance with the applicable legal and regulatory regimes. 

There are no specific legislative requirements for workplace investigations in Vietnam. However, Labor Code No. 45/2019/QH14 dated 20 November 2019 (2019 Labor Code), which is currently the primary legislation governing employment relationships, requires employers that have more than ten employees to provide a mechanism and procedure for handling sexual harassment cases in the workplace. Other than that, an employer may incorporate policies and guidelines on how to deal with workplace investigations into its handbook.

As part of an investigation, the investigator may want to collect evidence such as camera footage from CCTV, swipe card records, computer records, telephone records or recordings and GPS tracking. There are state-based workplace surveillance laws that operate in each jurisdiction in Australia. The laws recognise that employers are justified in monitoring workplaces for proper purposes, but this is balanced against employees’ reasonable expectations of privacy.

The Privacy Act 1988 (Cth) (Privacy Act) also regulates how certain organisations handle personal information, sensitive personal information and employee records. The Privacy Act contains 13 privacy principles that regulate the collection and management of information. Employers should familiarise themselves with the privacy principles before conducting any investigation to ensure they are not in breach when gathering evidence.

All data processing must comply with the principles of article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity). Personal data may only be collected and processed for specific, lawful purposes.

The admissibility of data processing depends on whether the suspicion relates to a criminal offence or another violation of the law. If the data processing is relevant to criminal law, article 10 GDPR or section 4(3) of the Austrian Data Protection Act (DSG) applies. If the investigations are exclusively to clarify violations under civil or labour law, such as an assertion of claims for damages or if they are general investigations to establish a criminal offence, the permissibility of data processing is based on article 6 or, for data covered by article 9 GDPR, on this provision.

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Due to this obligation, it is arguable that the GDPR policy already provides the necessary information for the employees not to jeopardise the investigation. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the report should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a double-phase procedure that needs to be followed if private data is involved. Next to this, the employer should also take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

• whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
• the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
• whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
• whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

The Brazilian General Data Protection Law (LGPD) does not have specific rules or principles that apply to internal investigations conducted within private organisations. Despite that, the general principles and obligations set forth by the LGPD apply to any processing of personal data carried out within the context of such investigations. As a result, the company must ensure the transparency of such processing activities through a privacy notice addressed to the data subjects; only process the personal data that is necessary for the investigation; define the lawful basis that applies to such processing activities (especially for sensitive data); and apply any other obligations established by the LGPD.

The Civil Code of the PRC, the Personal Information Protection Law of the PRC and other laws provide for the protection of employees' personal information and privacy. Employers are often involved in checking the information and materials stored in the computers, hard disks and other electronic office equipment provided to employees in internal investigation and are likely to access the employees' personal information including personal privacy information, such as the communication records stored in instant communication software such as WeChat, QQ or other instant communication software or to and from private email boxes. According to the Personal Information Protection Law of the PRC, employers are required to perform the obligation of informing and obtain the individuals' consent prior to the processing of personal information, i.e. the principle of informing + consent. Moreover, the Civil Code of the PRC stipulates that no organization or individual may process any person's private information, except as otherwise provided by law or with the explicit consent of the right holder.

Therefore, the legitimacy of obtaining data evidence can be enhanced and guaranteed only if it is explicitly stated in the relevant rules and regulations that the employer shall have the right to the work equipment provided to the employees or obtains the employees' personal consent.

Generally, the basic principles set out by the GDPR and the Finnish Data Protection Act apply to data processing in connection with investigations, including evidence gathering: there must be a legal basis for processing, personal data may only be processed and stored when and for as long as necessary considering the purposes of processing, etc.

Additionally, if physical evidence concerns the electronic communications (such as emails and online chats) of an employee, gathering evidence is subject to certain restrictions based on Finnish ePrivacy and employee privacy laws. As a general rule, an employee’s electronic communications accounts, including those provided by the employer for work purposes, may not be accessed and electronic communications may not be searched or reviewed by the employer. In practice, the employer may access such electronic correspondence only in limited situations stipulated in the Act on Protection of Privacy in Working Life (759/2004), or by obtaining case-specific consent from the employee, which is typically not possible in internal investigations, particularly concerning the employee suspected of wrongdoing.

However, monitoring data flow strictly between the employee and the employer's information systems (eg, the employee saving data to USB sticks, using printers) is allowed under Finnish legislation, provided that employee emails, chats, etc, are not accessed and monitored. If documentation is unrelated to electronic communications, it also may be reviewed by the employer. Laptops, paper archives and other similar company documentation considered "physical evidence" may be investigated while gathering evidence on the condition that any private documentation, communications, pictures or other content of an employee are not accessed.

GDPR principles fully apply to data gathering, as well as case law protecting the right to respect one’s private life and the secret of correspondence.

When collecting data (in physical or digital form), the employer must ensure compliance with the data protection principles according to the General Data Protection Regulation (DSGVO) and the German Data Protection Act (BDSG). These principles include, among other things, that data collection must be carried out lawfully (principle of legality) and transparently (transparency principle) and must be comprehensively documented – specifically concerning the purpose of the workplace investigation – to be able to prove compliance with data protection.

The principle of legality states that data may only be collected on a legal basis (ie, there must either be a law authorising this or the employee must have consented to the collection of his data).

The transparency principle may constitute a special challenge during workplace investigations. Under the transparency principle, the employee must be generally informed about the collection of his data. This includes information on who processes the data, the purposes for which it is processed and whether the data is made available to third parties. However, there may be a risk of collusion, particularly when electronic data has to be reviewed, and thus the success of the investigation may be jeopardised if the relevant employee is comprehensively informed in advance. Accordingly, the employer should check, with the assistance of the data protection officer, whether the obligation to provide information may be dispensed with. This may be the case if providing the information would impair the assertion, exercise or defence of legal claims and the interests of the employer in not providing the information outweigh the interests of the employee. The respective circumstances and employer's considerations should be well documented in each case.

Regardless of whether the employee is informed about the investigation, to prevent data loss, the employee should be sent a so-called hold notice (ie, a prohibition to delete data). Additionally, to prevent automatic deletion, blocking mechanisms should also be implemented.

When gathering evidence by searching the employee's possessions or files, the employee's privacy rights also need to be observed (see question 8).

GDPR and the provisions of L. 4624/2019 regulate the gathering of physical evidence from a data protection perspective, providing, among other things, that personal data should be processed with transparency and to the extent necessary for the investigation.

L.4990/2022 on the protection of persons who report breaches of Union law regulates data protection issues in the context of whistleblowing investigations, mainly to safeguard confidentiality throughout the investigations.  

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

• personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
• personal data must be accurate and not kept longer than is necessary;
• personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
• personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
• the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

In India, the collection, disclosure, transfer and storage of personal data is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPD Rules). Accordingly, if during an investigation any sensitive personal information (such as information relating to passwords; financial information such as a bank account, credit or debit card or other payment instrument details; a physical, physiological or mental health condition; sexual orientation; medical history; and biometric information) is collected, then the requirements under the SPD Rules will need to be complied with. This would include obtaining an individual’s “informed consent” before collecting any sensitive personal data if such information is intended to be collected or stored in an electronic format.

Under the GDPR (General Data Protection Regulation), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023, which is a useful guide.

Employers should exercise caution when gathering physical evidence that may involve the use of CCTV or other surveillance practices. The Irish Court of Appeal in the case of Doolin v DPC examined the use by an employer of CCTV footage for disciplinary purposes and found such use constituted unlawful further processing. The original reason for processing the CCTV footage was to establish who was responsible for terrorist-related graffiti that was carved into a table in the staff tearoom. It subsequently transpired Mr Doolin, who was in no way connected to the graffiti incident, had accessed the tearoom for unauthorised breaks and a workplace investigation followed. The original reason for viewing the CCTV related to security, but further use of the CCTV footage in the disciplinary investigation was not related to the original reason. This case confirms that employers must have clear policies in place in compliance with both GDPR and the Data Protection Act 2018 specifying the purpose for which CCTV or any other monitoring system is being used. Not only that, but these policies must be communicated to employees specifying the use of such practices.

It is not only data about the investigation that must be processed fairly, but any retention of the data, which can only be further processed with good reason. It is a legitimate business reason to retain data to deal with any subsequent requests or appeals under various internal or statutory processes, provided employees have been advised of the relevant retention period.

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

• gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
• gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
• gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

When collecting physical evidence that contains personal information, the Personal Information Protection Law and its related guidelines apply. In addition, when collecting physical evidence that contains privacy information or an employee's photograph, care must be taken to ensure that the right to privacy and the image rights are not violated.

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

When gathering evidence, the person being investigated is protected by the Constitution, the Freedom of Information Act and the Nigerian Data Protection Regulation (NDPR), among others.

The Constitution, particularly section 37, guarantees the right of a person to privacy.

The NDPR is the main data protection regulation in Nigeria. It regulates the processing and transfer of personal data.

Further, the Freedom of Information Act, 2011 prohibits the disclosure of information gathered during an investigation to the public.

The procedure for gathering physical evidence is governed primarily by company policy. Nevertheless, the Data Privacy Act of the Philippines protects all data subjects from unlawful processing of their personal information without consent.

If personal data is involved – the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

Whenever employers process personal data in the course of an investigation, they need to comply with Regulation (EU) 2016/679 (the GDPR) and Law 58/2019, which implements the GDPR in Portugal (jointly the Data Protection Regulations). If the gathering of physical evidence includes the collection and processing of sensitive data (eg, related to the employee’s health or any other category outlined in article 9 of the GDPR), additional safety measures should be in place to safeguard the adequate and confidential nature of such information.

The employer may collect the personal data of an individual without the individual’s consent or from a source other than the individual, where it is necessary for any investigation according to section 17(1) read with paragraph 4 of Part 3 of the Third Schedule of the Personal Data Protection Act 2012 (PDPA). Under section 2(1) of the PDPA, “investigation” means an investigation relating to:

• a breach of an agreement;
• a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in the exercise of its powers under any written law; or
• a circumstance or conduct that may result in a remedy or relief being available under any law.

Under the Banking Act 1970, a bank and its officers cannot disclose customer information to third parties, subject to certain exceptions. An employer carrying out a workplace investigation does not fall within any of the exceptions.

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be registered when it is necessary to protect the companies’ property (or the property of other co-workers). This registration must:

• be conducted in the workplace and during working hours;
• respect the employee’s privacy and dignity; and
• be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

To the extent the gathering of physical evidence includes the processing of personal data, please see question 1.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

The basic premise is that all evidence is admissible unless it violates the law of admissibility and production of evidence, which may vary depending on the jurisdiction. In a criminal court, for example, evidence gathered in violation of the fruit of the poisonous tree doctrine would be typically inadmissible, yet in a civil court, this doctrine would not be an exclusionary rule.

The Personal Data Protection Act, BE 2562 (2019) (PDPA), which is the main data protection law in Thailand, applies when collecting, using, and disclosing pieces of evidence containing the personal data of employees. If the investigation requires sensitive information of the employee under investigation, for example, race, ethnic origin, political opinion, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data and biometric data, consent from the employee should be obtained.

The conditions applicable to gathering physical evidence mainly stem from the precedents of the Turkish Constitutional Court about employment disputes and the rules set forth under Turkish Law No. 6698 on the Protection of Personal Data (DPL). It is generally accepted that employers can gather physical evidence for certain legitimate purposes, such as disciplinary investigations, the prevention of bribery and corruption, fraud or theft, money laundering, and employee performance monitoring and compliance. In doing so, employers must, however, comply with the fundamental principles of the Turkish Constitutional Court as briefly described below:

• The grounds for the gathering of evidence must be legitimate. The definition of the legitimate interests of the employer may change depending on the characteristics of the business, workplace and employee job description, as well as the specific circumstances of the case. Therefore, it is advisable to carry out a balancing test between the legitimate interest the employer is seeking to protect and the employee’s interest in the protection of their privacy.
• The collection activities must be proportionate, in the sense that the measure implemented by the employer must be appropriate and reasonably necessary to achieve the legitimate purpose, without infringing upon the fundamental rights and freedoms of the employees. For instance, e-mail monitoring to collect evidence may not be proportionate if it is determined that e-mails that are not related to the incident subject to investigation are also accessed. To achieve this, certain keywords or algorithms can be used while monitoring e-mails during a disciplinary investigation.
• The collection process must be necessary to achieve the purpose. In other words, the collection of physical evidence must only be carried out to the extent there are no other measures allowing the employer to achieve its purpose, such as witness testimony, workplace records, or examining the results of projects. If the purpose can be achieved through less invasive means, the collection of physical evidence may not comply with the principles established by the decisions of the Constitutional Court.

Separately, depending on the type of physical evidence collected, the collection process may lead to the processing of the concerned employees’ personal data. Under the DPL, personal data collected in Turkey can only be processed if the explicit consent of the data subject is obtained; or the data is processed based on one of the exceptions to consent provided by the law. To the extent the data processing can be deemed to be based on the pursuit of a legitimate interest of the employer, it should also meet the following conditions:

• it should be the most convenient and efficient method to identify any employee wrongdoing to protect the legitimate interests of the company; and
• the data processing should not harm the fundamental rights and freedoms of the employees.

The employer should in any case comply with the obligation to inform employees before the processing of their data, through a privacy notice containing mandatory information required by the DPL.

In addition, as a general principle, the evidence-gathering process should always be conducted based on the assumption that the internal investigation can lead to litigation. Any evidence that will be used in litigation needs to have been gathered in compliance with the law. In both criminal and civil litigation, the courts will review each piece of evidence to confirm whether it was gathered through lawful methods and disregard any evidence that fails to comply with due process.

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections to protect employees from an unwarranted or unreasonable invasion of privacy during an internal investigation.

Decree No. 13/2023/ND-CP on personal data protection is the main data protection regulation in Vietnam. It regulates the processing of personal data, including the collection or gathering of data. If the physical evidence contains personal data of an individual, the gathering of physical evidence must comply with this decree.