Workplace Investigations

Workplace investigations are growing in number, size and complexity. Employers are under greater scrutiny as the importance of ESG rises. Regulated industries such as finance, healthcare and legal face additional hurdles, but public scrutiny of businesses and how they treat their people across the board has never been higher. Conducting a fair and thorough workplace investigation is therefore critical to the optimal operation, governance and legal exposure of every business.

IEL’s Guide to Workplace Investigations examines key issues that organisations need to consider as they initiate, conduct and conclude investigations in 29 major jurisdictions around the world.  

07. What data protection or other regulations apply when gathering physical evidence?

Australia

  • at People + Culture Strategies

As part of an investigation, the investigator may want to collect evidence such as camera footage from CCTV, swipe card records, computer records, telephone records or recordings and GPS tracking. There are state-based workplace surveillance laws that operate in each jurisdiction in Australia. The laws recognise that employers are justified in monitoring workplaces for proper purposes, but this is balanced against employees’ reasonable expectations of privacy.

The Privacy Act 1988 (Cth) (Privacy Act) also regulates how certain organisations handle personal information, sensitive personal information and employee records. The Privacy Act contains 13 privacy principles that regulate the collection and management of information. Employers should familiarise themselves with the privacy principles before conducting any investigation to ensure they are not in breach when gathering evidence.

Last updated on 15/09/2022

Austria

  • at GERLACH
  • at GERLACH Rechtsanwälte

All data processing must comply with the principles of article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity). Personal data may only be collected and processed for specific, lawful purposes.

The admissibility of data processing depends on whether the suspicion relates to a criminal offence or another violation of the law. If the data processing is relevant to criminal law, article 10 GDPR or section 4(3) of the Austrian Data Protection Act (DSG) applies. If the investigations are exclusively to clarify violations under civil or labour law, such as an assertion of claims for damages, or if they are general investigations to establish a criminal offence, the permissibility of data processing is based on article 6 GDPR or, for data covered by article 9 GDPR, on that provision.

Last updated on 29/09/2023

Belgium

  • at Van Olmen & Wynant

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Given this obligation, it is arguable that the GDPR policy already provides employees with the necessary information, so that the investigation is not jeopardised. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the reporter should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a two-phase procedure that needs to be followed if private data is involved. In addition, the employer should take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

  • whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
  • the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
  • whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
  • whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

Last updated on 15/09/2022

Brazil

  • at CGM

The Brazilian General Data Protection Law (LGPD) does not have specific rules or principles that apply to internal investigations conducted within private organisations. Despite that, the general principles and obligations set forth by the LGPD apply to any processing of personal data carried out within the context of such investigations. As a result, the company must ensure the transparency of such processing activities through a privacy notice addressed to the data subjects; only process the personal data that is necessary for the investigation; define the lawful basis that applies to such processing activities (especially for sensitive data); and apply any other obligations established by the LGPD.

Last updated on 14/09/2023

China

  • at Jingtian & Gongcheng

The Civil Code of the PRC, the Personal Information Protection Law of the PRC and other laws provide for the protection of employees' personal information and privacy. In internal investigations, employers often check the information and materials stored on the computers, hard disks and other electronic office equipment provided to employees, and are likely to access employees' personal information, including private information such as communication records stored in instant messaging software (WeChat, QQ or similar) or messages to and from private email accounts. According to the Personal Information Protection Law of the PRC, employers are required to inform individuals and obtain their consent before processing personal information (ie, the principle of informing plus consent). Moreover, the Civil Code of the PRC stipulates that no organization or individual may process any person's private information, except as otherwise provided by law or with the explicit consent of the right holder.

Therefore, the legitimacy of obtaining data evidence can be enhanced and guaranteed only if the relevant rules and regulations explicitly state that the employer has the right to the work equipment provided to the employees, or if the employer obtains the employees' personal consent.

Last updated on 29/11/2023

Finland

  • at Roschier

Generally, the basic principles set out by the GDPR and the Finnish Data Protection Act apply to data processing in connection with investigations, including evidence gathering: there must be a legal basis for processing, personal data may only be processed and stored when and for as long as necessary considering the purposes of processing, etc.

Additionally, if physical evidence concerns the electronic communications (such as emails and online chats) of an employee, gathering evidence is subject to certain restrictions based on Finnish ePrivacy and employee privacy laws. As a general rule, an employee’s electronic communications accounts, including those provided by the employer for work purposes, may not be accessed and electronic communications may not be searched or reviewed by the employer. In practice, the employer may access such electronic correspondence only in limited situations stipulated in the Act on Protection of Privacy in Working Life (759/2004), or by obtaining case-specific consent from the employee, which is typically not possible in internal investigations, particularly concerning the employee suspected of wrongdoing.

However, monitoring data flow strictly between the employee and the employer's information systems (eg, the employee saving data to USB sticks, using printers) is allowed under Finnish legislation, provided that employee emails, chats, etc, are not accessed and monitored. If documentation is unrelated to electronic communications, it also may be reviewed by the employer. Laptops, paper archives and other similar company documentation considered "physical evidence" may be investigated while gathering evidence on the condition that any private documentation, communications, pictures or other content of an employee are not accessed.

Last updated on 15/09/2022

France

  • at Bredin Prat

GDPR principles fully apply to data gathering, as does case law protecting the right to respect for one’s private life and the secrecy of correspondence.

Last updated on 15/09/2022

Germany

  • at Hengeler Mueller

When collecting data (in physical or digital form), the employer must ensure compliance with the data protection principles according to the General Data Protection Regulation (DSGVO) and the German Data Protection Act (BDSG). These principles include, among other things, that data collection must be carried out lawfully (principle of legality) and transparently (transparency principle) and must be comprehensively documented – specifically concerning the purpose of the workplace investigation – to be able to prove compliance with data protection.

The principle of legality states that data may only be collected on a legal basis (ie, there must either be a law authorising this or the employee must have consented to the collection of his data).

The transparency principle may constitute a special challenge during workplace investigations. Under the transparency principle, the employee must be generally informed about the collection of his data. This includes information on who processes the data, the purposes for which it is processed and whether the data is made available to third parties. However, there may be a risk of collusion, particularly when electronic data has to be reviewed, and thus the success of the investigation may be jeopardised if the relevant employee is comprehensively informed in advance. Accordingly, the employer should check, with the assistance of the data protection officer, whether the obligation to provide information may be dispensed with. This may be the case if providing the information would impair the assertion, exercise or defence of legal claims and the interests of the employer in not providing the information outweigh the interests of the employee. The respective circumstances and employer's considerations should be well documented in each case.

Regardless of whether the employee is informed about the investigation, to prevent data loss, the employee should be sent a so-called hold notice (ie, a prohibition to delete data). Additionally, to prevent automatic deletion, blocking mechanisms should also be implemented.

When gathering evidence by searching the employee's possessions or files, the employee's privacy rights also need to be observed (see question 8).

Last updated on 15/09/2022

Greece

  • at Karatzas & Partners

GDPR and the provisions of L. 4624/2019 regulate the gathering of physical evidence from a data protection perspective, providing, among other things, that personal data should be processed with transparency and to the extent necessary for the investigation.

L.4990/2022 on the protection of persons who report breaches of Union law regulates data protection issues in the context of whistleblowing investigations, mainly to safeguard confidentiality throughout the investigations.  

Last updated on 03/04/2023

Hong Kong

  • at Slaughter and May

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

  • personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
  • personal data must be accurate and not kept longer than is necessary;
  • personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
  • personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
  • the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

 

[1] PDPO section 2.

[2] PDPO Schedule 1.

[3] PCPD, “Privacy Guidelines: Monitoring and Personal Data Privacy at Work” (April 2016) <https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/Monitoring_and_Personal_Data_Privacy_At_Work_revis_Eng.pdf>.

[4] Ibid at paragraph 2.3.3.

Last updated on 15/09/2022

India

  • at Trilegal

In India, the collection, disclosure, transfer and storage of personal data is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPD Rules). Accordingly, if during an investigation any sensitive personal information (such as information relating to passwords; financial information such as a bank account, credit or debit card or other payment instrument details; a physical, physiological or mental health condition; sexual orientation; medical history; and biometric information) is collected, then the requirements under the SPD Rules will need to be complied with. This would include obtaining an individual’s “informed consent” before collecting any sensitive personal data if such information is intended to be collected or stored in an electronic format.

Last updated on 15/09/2022

Ireland

  • at Ogier

Under the GDPR (General Data Protection Regulation), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023, which is a useful guide.

Employers should exercise caution when gathering physical evidence that may involve the use of CCTV or other surveillance practices. The Irish Court of Appeal in the case of Doolin v DPC examined the use by an employer of CCTV footage for disciplinary purposes and found such use constituted unlawful further processing. The original reason for processing the CCTV footage was to establish who was responsible for terrorist-related graffiti that was carved into a table in the staff tearoom. It subsequently transpired Mr Doolin, who was in no way connected to the graffiti incident, had accessed the tearoom for unauthorised breaks and a workplace investigation followed. The original reason for viewing the CCTV related to security, but further use of the CCTV footage in the disciplinary investigation was not related to the original reason. This case confirms that employers must have clear policies in place in compliance with both GDPR and the Data Protection Act 2018 specifying the purpose for which CCTV or any other monitoring system is being used. Not only that, but these policies must be communicated to employees specifying the use of such practices.

It is not only the processing of data about the investigation that must be fair, but also any retention of that data, which can only be further processed with good reason. It is a legitimate business reason to retain data to deal with any subsequent requests or appeals under various internal or statutory processes, provided employees have been advised of the relevant retention period.

Last updated on 11/10/2023

Italy

  • at BonelliErede

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

  • gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
  • gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
  • gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

Last updated on 15/09/2022

Japan

  • at Mori Hamada & Matsumoto

When collecting physical evidence that contains personal information, the Personal Information Protection Law and its related guidelines apply. In addition, when collecting physical evidence that contains privacy information or an employee's photograph, care must be taken to ensure that the right to privacy and the image rights are not violated.

Last updated on 15/09/2022

Netherlands

  • at De Brauw Blackstone Westbroek

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed). These exceptions to the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

Last updated on 27/11/2023

Nigeria

  • at Bloomfield LP

When gathering evidence, the person being investigated is protected by the Constitution, the Freedom of Information Act and the Nigerian Data Protection Regulation (NDPR), among others.

The Constitution, particularly section 37, guarantees the right of a person to privacy.

The NDPR is the main data protection regulation in Nigeria. It regulates the processing and transfer of personal data.

Further, the Freedom of Information Act, 2011 prohibits the disclosure of information gathered during an investigation to the public.

Last updated on 15/09/2022

Philippines

  • at Villaraza & Angangco

The procedure for gathering physical evidence is governed primarily by company policy. Nevertheless, the Data Privacy Act of the Philippines protects all data subjects from unlawful processing of their personal information without consent.

Last updated on 26/01/2023

Poland

  • at WKB Lawyers

If personal data is involved, the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

Last updated on 20/04/2023

Portugal

  • at Uría Menéndez - Proença de Carvalho

Whenever employers process personal data in the course of an investigation, they need to comply with Regulation (EU) 2016/679 (the GDPR) and Law 58/2019, which implements the GDPR in Portugal (jointly the Data Protection Regulations). If the gathering of physical evidence includes the collection and processing of sensitive data (eg, related to the employee’s health or any other category outlined in article 9 of the GDPR), additional safety measures should be in place to safeguard the adequate and confidential nature of such information.

Last updated on 15/09/2022

Singapore

  • at Rajah & Tann Singapore
  • at Rajah & Tann

The employer may collect the personal data of an individual without the individual’s consent or from a source other than the individual, where it is necessary for any investigation according to section 17(1) read with paragraph 4 of Part 3 of the Third Schedule of the Personal Data Protection Act 2012 (PDPA). Under section 2(1) of the PDPA, “investigation” means an investigation relating to:

  • a breach of an agreement;
  • a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in the exercise of its powers under any written law; or
  • a circumstance or conduct that may result in a remedy or relief being available under any law.

Under the Banking Act 1970, a bank and its officers cannot disclose customer information to third parties, subject to certain exceptions. An employer carrying out a workplace investigation does not fall within any of the exceptions.

Last updated on 15/09/2022

South Korea

  • at Kim & Chang

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

Last updated on 15/09/2022

Spain

  • at Uría Menéndez

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be searched when it is necessary to protect the company’s property (or the property of other co-workers). Such a search must:

  • be conducted in the workplace and during working hours;
  • respect the employee’s privacy and dignity; and
  • be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

Last updated on 15/09/2022

Sweden

  • at Mannheimer Swartling

To the extent the gathering of physical evidence includes the processing of personal data, please see question 1.

Last updated on 15/09/2022

Switzerland

  • at Bär & Karrer

The Swiss Federal Act on Data Protection applies to the gathering of evidence; in particular, such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completed by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

 

[1] Simona Wantz/Sara Licci, Arbeitsvertragliche Rechte und Pflichten bei internen Untersuchungen, in: Jusletter 18 February 2019, N 52.

[2] Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 148.

Last updated on 15/09/2022

Thailand

  • at Chandler MHM

The basic premise is that all evidence is admissible unless it violates the law of admissibility and production of evidence, which may vary depending on the jurisdiction. In a criminal court, for example, evidence gathered in violation of the fruit of the poisonous tree doctrine would be typically inadmissible, yet in a civil court, this doctrine would not be an exclusionary rule.

The Personal Data Protection Act, BE 2562 (2019) (PDPA), which is the main data protection law in Thailand, applies when collecting, using, and disclosing pieces of evidence containing the personal data of employees. If the investigation requires sensitive information of the employee under investigation, for example, race, ethnic origin, political opinion, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data and biometric data, consent from the employee should be obtained.

Last updated on 15/09/2022

Turkey

  • at Paksoy

The conditions applicable to gathering physical evidence mainly stem from the precedents of the Turkish Constitutional Court about employment disputes and the rules set forth under Turkish Law No. 6698 on the Protection of Personal Data (DPL). It is generally accepted that employers can gather physical evidence for certain legitimate purposes, such as disciplinary investigations, the prevention of bribery and corruption, fraud or theft, money laundering, and employee performance monitoring and compliance. In doing so, employers must, however, comply with the fundamental principles of the Turkish Constitutional Court as briefly described below:

  • The grounds for the gathering of evidence must be legitimate. The definition of the legitimate interests of the employer may change depending on the characteristics of the business, workplace and employee job description, as well as the specific circumstances of the case. Therefore, it is advisable to carry out a balancing test between the legitimate interest the employer is seeking to protect and the employee’s interest in the protection of their privacy.
  • The collection activities must be proportionate, in the sense that the measure implemented by the employer must be appropriate and reasonably necessary to achieve the legitimate purpose, without infringing upon the fundamental rights and freedoms of the employees. For instance, e-mail monitoring to collect evidence may not be proportionate if it is determined that e-mails that are not related to the incident subject to investigation are also accessed. To achieve this, certain keywords or algorithms can be used while monitoring e-mails during a disciplinary investigation.
  • The collection process must be necessary to achieve the purpose. In other words, the collection of physical evidence must only be carried out to the extent there are no other measures allowing the employer to achieve its purpose, such as witness testimony, workplace records, or examining the results of projects. If the purpose can be achieved through less invasive means, the collection of physical evidence may not comply with the principles established by the decisions of the Constitutional Court.

Separately, depending on the type of physical evidence collected, the collection process may lead to the processing of the concerned employees’ personal data. Under the DPL, personal data collected in Turkey can only be processed if the explicit consent of the data subject is obtained or the data is processed based on one of the exceptions to consent provided by the law. To the extent the data processing can be deemed to be based on the pursuit of a legitimate interest of the employer, it should also meet the following conditions:

  • it should be the most convenient and efficient method to identify any employee wrongdoing to protect the legitimate interests of the company; and
  • the data processing should not harm the fundamental rights and freedoms of the employees.

The employer should in any case comply with the obligation to inform employees before the processing of their data, through a privacy notice containing mandatory information required by the DPL.

In addition, as a general principle, the evidence-gathering process should always be conducted based on the assumption that the internal investigation can lead to litigation. Any evidence that will be used in litigation needs to have been gathered in compliance with the law. In both criminal and civil litigation, the courts will review each piece of evidence to confirm whether it was gathered through lawful methods and disregard any evidence that fails to comply with due process.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Last updated on 27/11/2023

United States

  • at Cravath, Swaine & Moore

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections for employees against an unwarranted or unreasonable invasion of privacy during an internal investigation.

Last updated on 15/09/2022

Vietnam

  • at Le & Tran Law Corporation

Decree No. 13/2023/ND-CP on personal data protection is the main data protection regulation in Vietnam. It regulates the processing of personal data, including the collection or gathering of data. If the physical evidence contains personal data of an individual, the gathering of physical evidence must comply with this decree.

Last updated on 25/09/2023

09. What additional considerations apply when the investigation involves whistleblowing?

Australia

  • at People + Culture Strategies

A complaint will be a whistleblowing complaint where a complainant has reasonable grounds to suspect that the information they are disclosing about the organisation concerns misconduct or an improper state of affairs or circumstances. The information can be about the organisation or an officer or employee of the organisation engaging in conduct that:

  • breaches the Corporations Act 2001 (Cth);
  • breaches other financial sector laws;
  • breaches any other law punishable by 12 months’ imprisonment; or
  • represents a danger to the public or the financial system.

Since 2020, all public companies, large proprietary companies and trustees of registrable superannuation entities in Australia are required to have a whistleblower policy. Employers conducting an investigation will need to follow the processes outlined in their policy.

One of the key differences when conducting an investigation that involves whistleblowing is identity protection and the ability of the whistleblower to disclose anonymously and remain anonymous.

Last updated on 15/09/2022

Austria

  • at GERLACH
  • at GERLACH Rechtsanwälte

The provisions of the Whistleblowing Directive must be respected. In Austria, these have been implemented through the Whistleblower Protection Act (HSchG). If the whistleblower or the persons concerned fall within the scope of the Directive, their identity must be protected. Only authorised persons may access the report. Retaliatory measures are invalid or must be reversed. Within a maximum of seven days, the whistleblower must receive a confirmation of his or her complaint. Feedback to the whistleblower must then be provided within a maximum of three months.

Last updated on 29/09/2023

Belgium

  • at Van Olmen & Wynant

If the investigation is based on a whistleblower report that falls under the scope of the upcoming rules, the investigators are bound by a strict duty of confidentiality, especially regarding the identity of the reporter. The rules also provide some procedural deadlines for feeding back to the reporter. Within seven days of receiving the report through an internal reporting channel, the reporting manager needs to send a receipt to the whistleblower. From that moment, the reporting manager has three months to investigate the report and give feedback and an adequate follow-up to the report. Next, the rules offer strong protection against any retaliatory measures the reporter may experience. Regardless, these rules are mostly intended to offer the necessary protection for whistleblowers and to ensure that companies take necessary investigative steps following a report, but they do not include much information about the actual procedure of the investigation besides certain deadlines, nor do they deal with other employees involved (or under investigation).

Last updated on 15/09/2022

Brazil

  • at CGM

If the investigation involves matters within the scope of a specific whistleblowing policy, the policy rules should prevail against the general investigation rules if there is a conflict.

Last updated on 14/09/2023

China

  • at Jingtian & Gongcheng

In practice, the following factors will need to be considered: (1) verification of the informant's identity; (2) whether the informant has any conflict of interest with the reported employee or whether it will affect the objectivity of their reporting; (3) how to persuade the informant to provide more information or evidence, or to cooperate in court as a witness; (4) how to increase the admissibility of evidence when the informant refuses to cooperate in court as a witness or fails to provide original evidence; (5) how to improve the evidence chain and protect the informant from attack or retaliation, etc.

Last updated on 29/11/2023

Finland

  • at Roschier

In respect of data protection, the processing of personal data in whistleblowing systems is considered by the Finnish Data Protection Ombudsman (DPO) as requiring a data protection impact assessment (DPIA).

Last updated on 15/09/2022

France

  • at Bredin Prat

Evidence obtained in the context of an investigation must specify who provided it and the date it was provided. No retaliatory measures may be taken against the whistleblower for the act of whistleblowing.

In certain cases, the whistleblower report must be forwarded to the judicial authorities (eg, when there is an obligation to assist persons in imminent danger, for serious offences or a disclosure that a vulnerable person is in danger (ie, minors under 15 or a person who is unable to protect themselves)).

Last updated on 15/09/2022

Germany

  • at Hengeler Mueller

In 2023, Germany implemented the EU Whistleblowing Directive into national law with the German Whistleblower Protection Act (HinSchG).

The German Whistleblower Protection Act provides that companies with at least 50 employees must establish internal reporting channels as further set out in the law. Among other things, the confidentiality of the whistleblower as well as of the individuals affected by the report must be protected.

Further, whistleblowers must be protected from negative consequences that may arise from their reports. If the employment of a whistleblower were terminated or if the whistleblower were to be denied promotion after reporting a violation, the employer would have to prove that this was not related to the whistleblowing but was based on justified reasons.

Employers should familiarise themselves with the provisions of the new law.

Last updated on 15/09/2022

Greece

  • at Karatzas & Partners

L. 4990/2022 includes specific requirements regarding, among other things, the procedure of receiving and investigating respective reports, confidentiality issues (especially regarding the identity of the whistleblower), data protection issues (including restrictions to the right of access) and the employer’s right to keep a record of the relevant complaint and investigation. Such provisions are expected to be further detailed by Ministerial Decisions in future.

Last updated on 03/04/2023

Hong Kong

  • at Slaughter and May

Hong Kong does not have a comprehensive legislative framework relating to whistleblowing. Therefore, in general, employers are free to establish whistleblowing policies and procedures and confer such protections on whistleblowers as they see fit. That said, companies listed on the Main Board of the SEHK are expected to establish a whistleblowing policy and system for employees to voice concerns anonymously about possible improprieties in the companies’ affairs. If a listed issuer deviates from this practice, it must explain the deviation.[1]

When an investigation involves whistleblowing, the employer needs to comply with the relevant policy and system and provide the whistleblower with such protections as stated in the policy. The employer should not ignore a complaint simply because it was made anonymously, and should ascertain the substance of the complaint to decide whether a full-blown investigation is warranted.

In addition, the employer should seek to establish a secure communication channel with the whistleblower to gather more information about the complaint or misconduct while maintaining the confidentiality of his or her identity. If the complaint is serious, the employer may consider referring the complaint to a law enforcement agency or regulator as they would be better placed to protect the anonymity of the whistleblower while proceeding with the investigation. That said, employers generally have no obligation to report internal wrongdoing to any external body (please see question 25 for exceptions). The employer may assess whether it is appropriate to do so on a case-by-case basis.

[1] The Corporate Governance Code, Appendix 14 of the Rules Governing the Listing of Securities on the Stock Exchange of Hong Kong Limited.

Last updated on 27/11/2023

India

  • at Trilegal

Indian labour legislation does not stipulate any additional considerations or requirements concerning whistleblower complaints in private organisations and these are only available if there are complaints against public servants. Further, under the Companies Act, 2013, certain companies are required to establish a “vigil mechanism” for directors and employees to report genuine concerns regarding the affairs of the company. The vigil mechanism should provide adequate safeguards against the victimisation of persons using it.

Last updated on 15/09/2022

Ireland

  • at Ogier

Most whistleblowing policies will include a section that provides for an initial assessment of the complaint as to whether it meets the definition of a protected disclosure. This assessment, which ought to be carried out by a designated person who has been appointed to deal with disclosures, is a useful tool as some matters which may be labelled as whistleblowing may fall under the grievance procedure.

Where there are grounds, an investigation will be commenced. Under the Protected Disclosures (Amendment) Act 2022, whistleblowers are protected from penalisation for having made a protected disclosure.

Penalisation may include: suspension, lay-off or dismissal; demotion, loss of opportunity for promotion or withholding of promotion; transfer of duties, change of location or place of work; reduction in wages or change in working hours; the imposition or administering of any discipline, reprimand or other penalty (including a financial penalty); coercion, intimidation, harassment or ostracism; or discrimination, disadvantage or unfair treatment.

If an employee (which includes trainees, volunteers, and job applicants) alleges that they have suffered penalisation as a result of making a protected disclosure, they may apply to the Circuit Court for interim relief within 21 days of the date of the last act of penalisation by the employer.

A claim for penalisation may also be brought before the WRC within six months of the alleged act of penalisation. If an employee alleges that they were dismissed for having made a protected disclosure, the potential award that the WRC can make increases from the usual unfair dismissal cap of two years’ pay to up to five years’ gross pay, based on actual loss.

Where a complaint of whistleblowing is made, employers should ensure that they appoint investigators with the appropriate knowledge and expertise to deal with such a matter and comply with the time limits set by legislation.

Last updated on 11/10/2023

Italy

  • at BonelliErede

The regulations on whistleblowing in the private sector were originally outlined in article 6 of Italian Legislative Decree No. 231 of 2001 (as amended by Law No. 179 of 2017), which states that the models of organisation must provide for one or more channels that allow persons in positions of representation, administration and management of the entity (and persons subject to their direction or supervision) to report unlawful conduct according to Italian Legislative Decree No. 231 of 2001 and violations of the entity’s organisational and management rules.

Currently, Italy has implemented Directive (EU) No. 1937 of 2019, which provides for the adoption of new standards of protection for whistleblowers, through the Italian Legislative Decree No. 24 of 2023 (WB Decree)[1].

In line with the Directive, the WB Decree states, inter alia, that[2]:

  • an internal whistleblowing reporting channel must be put in place by all private legal entities (and legal entities in the public sector) that have employed, during the previous year, an average of 50 employees or, even below this threshold, operate in certain industries[3] or have adopted an organizational model in accordance with Legislative Decree no. 231 of 2001;
  • the WB Decree prescriptions apply to reports concerning breaches of certain national/EU[4] legal provisions (varying depending on features such as the private or public nature of the employer and its dimensions), and not to claims or requests linked to interests of a personal nature of the reporting individuals (pertaining to their individual employment contracts or to relations with their superiors)[5];
  • whistleblowers’ reporting may take place through:
    • the company’s internal reporting channels and internal reporting procedures (with the possibility – for entities employing up to 249 employees, even if not part of the same group – to share whistleblowing reporting channels); or
    • external reporting channels and external reporting procedures established by the member states’ competent authorities (in Italy, ANAC, i.e. the National Anticorruption Authority); or
    • in certain circumstances, public disclosure;
  • whistleblowing systems must provide:
    • a duty of confidentiality regarding the whistleblowers’ identity (which generally may not be disclosed to persons other than those competent to receive or investigate the reports, except in specific cases and with the whistleblower’s consent; see also answer to question 12 below); and
    • ways of protecting collected data according to the GDPR, as well as tight deadlines for communication with whistleblowers[6]; and
    • an integrated system of protection of whistleblowers against any retaliatory action directly or indirectly linked to their reports or declarations, with a reversal of the burden of proof (meaning the employer must give proof of the non-retaliatory nature of measures adopted vis-à-vis whistleblowers); and
    • the procedures to be followed in the case of an anonymous whistleblowing report.

[1] The provisions of the Decree have been binding since July 15, 2023, for larger companies, and as of Dec. 17, 2023, for entities employing an average of 50 to 249 employees.

[2] This is only a brief and non-exhaustive summary of some of the main provisions under the WB Decree.

[3] In particular, companies that fall within the scope of application of EU acts listed in Annex (part I.B and II) of the WB Decree (for instance, financial services, products and markets; money laundering/terrorism prevention; transportation security; etc.).

[4] Listed in art. 2 and in Annex 1 of the WB Decree (for instance, regarding financial services, products and markets sector) or protecting the EU financial interests or internal market.

[5] Listed in art. 2 and in Annex 1 of the WB Decree (for instance, regarding financial services, products and markets sector) or protecting the EU financial interests or internal market.

[6] In greater detail: (i) a notice acknowledging the receipt of the WB report must be released within seven days; (ii) contacts must be kept with the whistleblower for any additions needed (if the identity is known); and (iii) within three months of the notice of receipt of the report, a follow-up notice must be given to the whistleblower (which may also be non-definitive, with a status update on activities in progress).

Last updated on 10/01/2024

Japan

  • at Mori Hamada & Matsumoto

See question 4 regarding amendments to the Whistleblower Protection Act.

The person designated as a whistleblower response service employee must not divulge the name, employee ID number, or other information that would allow a whistleblower to be identified without a justifiable reason, and there is a criminal penalty of up to 300,000 yen for violating this duty of confidentiality.

Last updated on 15/09/2022

Netherlands

  • at De Brauw Blackstone Westbroek

The former Act on the House for Whistleblowers already provided for several preconditions that a whistleblowing procedure must meet. For example, internal reporting lines must be laid down, as well as how the internal report is handled, and an obligation of confidentiality and the opportunity to consult an advisor in confidence must be applied. Employers are obliged to share the whistleblowing policy with employees, including information about the employee's legal protection. The employee who reports a suspicion of wrongdoing in good faith may not be disadvantaged in their legal position because of the report (section 17e/ea Act House of Whistleblowers).

The starting point is that an employee must first report internally, unless this cannot reasonably be expected. If the employee does not report internally first, the House for Whistleblowers does not initiate an investigation. The House for Whistleblowers was established on 1 July 2016 and has two main tasks: advising employees on the steps to take and conducting an investigation in response to a report.

The Act on the Protection of Whistleblowers, which entered into force in 2023, introduced several changes, of which the most relevant are:

  • Abolition of mandatory internal reporting: the obligation to report internally first is abolished. Direct external reporting is allowed, such as to the House for Whistleblowers or another competent authority. When reporting externally, the reporter retains his protection. However, reporting internally first remains preferable and will be encouraged by the employer as much as possible.
  • Expansion of prohibition on detriment: the prohibition on detriment already included prejudicing the legal position of the reporter, such as suspension, dismissal, demotion, withholding of promotion, reduction of salary or change of work location. It now also includes all forms of disadvantage, such as being blacklisted, refusing to give a reference, bullying, intimidation and exclusion. 
  • Stricter time limit requirements for internal reporting: the reporter must receive an acknowledgement of receipt of the report within seven days and the reporter must receive information from the employer on the assessment of their report within a reasonable period, not exceeding three months.
  • Extension of the circle of protected persons: not just employees, but third parties who are in a working relationship with the employer are now also protected, such as freelancers, interns, volunteers, suppliers, shareholders, job applicants and involved family members and colleagues.

Last updated on 27/11/2023

Nigeria

  • at Bloomfield LP

Consideration must be given to the confidentiality or anonymity of the whistleblower when an investigation involves whistleblowing.

Last updated on 15/09/2022

Philippines

  • at Villaraza & Angangco

Since there is no specific law that governs whistleblowing, matters that involve whistleblowing will be governed by company policy.

Last updated on 26/01/2023

Poland

  • at WKB Lawyers

In principle, an internal investigation should be conducted in the same way, regardless of whether it is initiated following a whistleblowing report, an audit, or a monitoring result. This includes anything related to confidentiality, fairness, data privacy protection, etc.

If an internal investigation is initiated following a whistleblower report, the main characteristic that is imposed by the EU Directive on the protection of persons who report breaches of EU Law (Whistleblowers Directive) and that will also be available under the Draft Law is for the organisation (employer) to communicate (if practicable) the report to the whistleblower. Furthermore, the whistleblower should receive feedback as to whether follow-up actions were undertaken following the report and, if so, what actions were taken or, if not, why the follow-up actions were not taken.

Last updated on 20/04/2023

Portugal

  • at Uría Menéndez - Proença de Carvalho

The treatment of whistleblowers and their reports is laid down in various specific laws in Portugal.

Law 93/2021

Under Law 93/2021, a whistleblower of work-related offences must not be retaliated against. Furthermore, imposing disciplinary penalties on the whistleblower within two years after their disclosure is presumed to be abusive. The whistleblower is entitled to judicial protection and may benefit from the witness protection programme within criminal proceedings. Additionally, reports will be recorded for five years and, where applicable, personal data that is not relevant for the handling of a specific report will not be collected or, if accidentally collected, will be deleted immediately.

Corruption and Financial Crime Law (Law 19/2008)

Under Law 19/2008, a whistleblower must not be hampered. Furthermore, the imposition of disciplinary penalties on a whistleblower within one year following the communication of the infraction is presumed to be unfair.

Additionally, whistleblowers are entitled to:

  • anonymity until the pressing of charges;
  • be transferred following the pressing of charges; and
  • benefit from the witness protection programme within criminal proceedings (remaining anonymous upon the verification of specific circumstances).

Money Laundering and Terrorism Financing Law (Law 83/2017)

Law 83/2017, which sets forth the legal framework to prevent, detect and effectively combat money laundering and terrorism financing, applies to financial entities and legal or natural persons acting in the exercise of their professional activities (eg, auditors and lawyers) (collectively, obliged entities).

According to article 20 of Law 83/2017, individuals who learn of any breach through their professional duties must report those breaches to the company's supervisory or management bodies. As a result, the obliged entities must refrain from threatening or taking hostile action against the whistleblower and, in particular, unfair treatment within the workplace. Specifically, the report cannot be used as grounds for disciplinary, civil or criminal action against the whistleblower (unless the communication is deliberately and clearly unjustified).

Legal Framework of Credit Institutions and Financial Companies (RGICSF)

Credit institutions must implement internal-reporting mechanisms that must guarantee the confidentiality of the information received and the protection of the personal data of the persons reporting the breaches and the persons charged. Under article 116-AA of RGICSF, persons who, while working in a credit institution, become aware of:

  • any serious irregularities in the management, accounting procedures or internal control of the credit institution; or
  • evidence of a breach of the duties set out in the RGICSF that may cause any financial imbalance,

must communicate those circumstances to the company's supervisory body.

These communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower.

Moreover, article 116-AB of the RGICSF establishes that any person aware of compelling evidence of a breach of statutory duties may report it to the Bank of Portugal. Such communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower, unless the report is clearly unfounded.

The Bank of Portugal must ensure adequate protection of the person who has reported the breach and the person accused of breaching the applicable duties. It must also guarantee the confidentiality of the persons who have reported breaches at any given time.

Portuguese Securities Code (CVM)

Article 382 of the CVM states that financial intermediaries subject to the supervision of the Portuguese Securities Market Commission (CMVM), judicial authorities, police authorities, or their respective employees must immediately inform the CMVM if, due to their performance, activity, or position, they become aware of facts that qualify as crimes against the securities market or the market of other financial instruments.

Additionally, according to article 368-A of the CVM, any person aware of facts, evidence, or information regarding administrative offences under the CVM or its supplementary regulations may report them to the CMVM either anonymously or with the whistleblower's identity. The disclosure of the whistleblower's identity, as well as that of their employer, is optional. If the report identifies the whistleblower, their identity cannot be disclosed unless specifically authorised by the whistleblower, by an express provision of law or by the determination of a court.

Such communications may not be used as grounds for disciplinary, criminal, or civil liability action brought against the whistleblower, and they may not be used to demote the employee.

According to article 368-E of the CVM, the CMVM must cooperate with other authorities within the scope of administrative or judicial proceedings to protect employees against employer discrimination, retaliation or any other form of unfair treatment by the employer that may be linked to the communication to the CMVM. The whistleblower may be entitled to benefit from the witness-protection programme if an individual is charged in criminal or administrative proceedings because of their communication to the CMVM.

Last updated on 15/09/2022

Singapore

  • at Rajah & Tann Singapore
  • at Rajah & Tann

Under the Prevention of Corruption Act 1960 and the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSCA), in any civil or criminal proceeding, no witness is obliged to disclose the name or address of any informer, or disclose any information that might lead to his or her discovery concerning offences such as corruption, drug trafficking, and money laundering, save where:

  • in any proceeding for the offence, the Court, after a full inquiry into the case, is of the opinion that the informer wilfully made, in his complaint, a material statement that he knew or believed to be false or did not believe to be true; or
  • in any other proceeding, the court is of the opinion that justice cannot be fully done between the parties without the discovery of the informer.

In line with the above, employers should therefore keep the informer’s identity confidential upon receiving a complaint relating to corruption, drug trafficking, money laundering, and other serious offences prescribed in the second schedule of the CDSCA.

Last updated on 15/09/2022

South Korea

  • at Kim & Chang

Aside from the legal obligations imposed on the company when dealing with a whistleblower who is subject to the WPA as discussed in question 1, there are also practical considerations the company should keep in mind when dealing with a whistleblower, regardless of whether the whistleblower falls under the WPA.

For example, there have been instances where an employee who raised allegations filed a complaint with Korean authorities (such as the Anti-Corruption and Civil Rights Commission (ACRC) or the Labour Office) that the company took retaliatory action against the whistleblower. The company should carefully review the legal risks before taking action, such as personnel action or civil or criminal action, against an employee who raises allegations if that employee was also involved in the wrongdoing.

Last updated on 15/09/2022

Spain

  • at Uría Menéndez

Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law, has been implemented in Spain through Law 2/2023 (Ley 2/2023, de 20 de febrero, reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción). This law limits the capacity of companies to retaliate or to take any action against employees who report workplace violations or breaches of the law. Any action taken against an employee in such a position would be considered null and void if challenged in court.

Spanish law allows anonymous reports to protect whistleblowers from retaliation.

Last updated on 06/11/2023

Sweden

  • at Mannheimer Swartling

If the Swedish Whistleblowing Act governs the investigation, additional considerations apply relating to who may investigate a reported irregularity (see question 4) and the duty of confidentiality and restrictions on access to and disclosure of personal data in investigations (see questions 6, 10 and 11), as well as the rights and protections of whistleblowers.

As regards the rights and protections of whistleblowers, the following can be noted. A person reporting in a reporting channel governed by the Swedish Whistleblowing Act is protected against retaliation and restrictive measures. Thus, companies are prohibited from preventing or trying to prevent a person from reporting, and from retaliating against a person who reports. Furthermore, a reporting person will not be held liable for breach of confidentiality for collecting the reported information if the person had reasonable grounds to believe that it was necessary to submit the report to expose irregularities. Under the Swedish Whistleblowing Act, any person reporting irregularities in a reporting channel established under the Swedish Whistleblowing Act may also report irregularities to designated Swedish authorities.

Last updated on 15/09/2022

Switzerland

  • at Bär & Karrer

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.

Last updated on 15/09/2022

Thailand

  • at Chandler MHM

Whether to commence an investigation following a complaint from a whistleblower is at the employer’s discretion, subject to the whistleblowing policy (if any). Whistleblowers and those who cooperate with an investigation should be protected. Normally the employer would not try to identify the whistleblowers. Also, it is best not to reveal the identity of the witness or the source of information; otherwise, they may feel uncomfortable giving information or raising their concerns next time. Any allegations of retaliation that surface during the investigation should be treated as a new report of possible misconduct that could be subject to additional investigation.

Last updated on 15/09/2022

Turkey

  • at Paksoy

Although there is no specific legislation in Turkish law on whistleblowing, necessary mechanisms need to be implemented to ensure that whistleblowers and the whistleblowing process are kept confidential. In addition, whistleblowers must be encouraged and supported to be open about raising their concerns in good faith. Whistleblowers who raise a concern in good faith must not be mistreated by the employer. Employers should also put in place protection mechanisms against the mistreatment of whistleblowers or retaliation towards them by other employees.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

The employer should first identify which individuals may have protection as whistleblowers. This could be a current or former employee who raises the initial complaint, a co-worker who gives evidence as part of the investigation, or the accused employee.

In each case, consider whether a “protected disclosure” has been made (under Part IVA ERA 1996). This requires analysis of the subject matter of the disclosure, how it is made, and a reasonable belief that it is made in the public interest.

Employers must then ensure there is no detrimental treatment or dismissal of any worker on the grounds of their protected disclosure. Although the causation test for these purposes is not straightforward, as a general rule if the protected disclosure has a “material influence” on the decision to discipline or dismiss, there may be liability. Individual managers may be personally liable alongside the employer. Compensation for whistleblowing cases is uncapped, meaning businesses and individuals can face significant financial and reputational exposure.

What this means in practical terms is that the employer should promote a “speak-up” culture and, where protected disclosures are made, ensure they are handled by a team who are properly trained in how to do so.

Last updated on 15/09/2022

United States

  • at Cravath, Swaine & Moore

Several federal, state, and local employment laws prohibit retaliation against employees who come forward with complaints or participate in corporate investigations. Employees who possess information regarding corporate misconduct may also be considered whistleblowers protected from retaliation under federal and state whistleblower laws, including but not limited to the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act, and the Consumer Financial Protection Act of 2010.

An employee generally does not need to show that he or she was terminated or demoted to bring a retaliation claim; other actions on the part of the employer may qualify if they could be seen to discourage employees from raising complaints. To protect against a potential retaliation claim, employers should make clear at the outset of an investigation that retaliation will not be tolerated and require the complaining employee (and potentially his or her manager) to bring any instances of retaliation to the investigator’s attention immediately.

Last updated on 15/09/2022

Vietnam

  • at Le & Tran Law Corporation

It is up to the employer to determine whether or not to open an investigation after a complaint from a whistleblower. It is very important that the identity of the whistleblower is protected. The employer also should not reveal the identity of the witness or the source of information, as the sources and witnesses may fear retaliation and feel uncomfortable or hesitant in giving information or raising concerns again.

Last updated on 25/09/2023