Workplace Investigations


Workplace investigations are growing in number, size and complexity. Employers are under greater scrutiny as the importance of ESG rises. Regulated industries such as finance, healthcare and legal face additional hurdles, but public scrutiny of businesses and how they treat their people across the board has never been higher. Conducting a fair and thorough workplace investigation is therefore critical to the optimal operation, governance and legal exposure of every business.

IEL’s Guide to Workplace Investigations examines key issues that organisations need to consider as they initiate, conduct and conclude investigations in 29 major jurisdictions around the world.  


07. What data protection or other regulations apply when gathering physical evidence?


Australia

  • at People + Culture Strategies

As part of an investigation, the investigator may want to collect evidence such as camera footage from CCTV, swipe card records, computer records, telephone records or recordings and GPS tracking. There are state-based workplace surveillance laws that operate in each jurisdiction in Australia. The laws recognise that employers are justified in monitoring workplaces for proper purposes, but this is balanced against employees’ reasonable expectations of privacy.

The Privacy Act 1988 (Cth) (Privacy Act) also regulates how certain organisations handle personal information, sensitive personal information and employee records. The Privacy Act contains 13 privacy principles that regulate the collection and management of information. Employers should familiarise themselves with the privacy principles before conducting any investigation to ensure they are not in breach when gathering evidence.

Last updated on 15/09/2022


Austria

  • at GERLACH
  • at GERLACH Rechtsanwälte

All data processing must comply with the principles of article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity). Personal data may only be collected and processed for specific, lawful purposes.

The admissibility of data processing depends on whether the suspicion relates to a criminal offence or another violation of the law. If the data processing is relevant to criminal law, article 10 GDPR or section 4(3) of the Austrian Data Protection Act (DSG) applies. If the investigations are exclusively to clarify violations under civil or labour law, such as an assertion of claims for damages or if they are general investigations to establish a criminal offence, the permissibility of data processing is based on article 6 or, for data covered by article 9 GDPR, on this provision.

Last updated on 29/09/2023


Belgium

  • at Van Olmen & Wynant

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Due to this obligation, it is arguable that the GDPR policy already provides the necessary information for the employees not to jeopardise the investigation. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the reporter should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a double-phase procedure that needs to be followed if private data is involved. In addition, the employer should also take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

  • whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
  • the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
  • whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
  • whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

Last updated on 15/09/2022


Brazil

  • at CGM

The Brazilian General Data Protection Law (LGPD) does not have specific rules or principles that apply to internal investigations conducted within private organisations. Despite that, the general principles and obligations set forth by the LGPD apply to any processing of personal data carried out within the context of such investigations. As a result, the company must ensure the transparency of such processing activities through a privacy notice addressed to the data subjects; only process the personal data that is necessary for the investigation; define the lawful basis that applies to such processing activities (especially for sensitive data); and apply any other obligations established by the LGPD.

Last updated on 14/09/2023


China

  • at Jingtian & Gongcheng

The Civil Code of the PRC, the Personal Information Protection Law of the PRC and other laws provide for the protection of employees' personal information and privacy. In internal investigations, employers often check the information and materials stored in the computers, hard disks and other electronic office equipment provided to employees, and are likely to access the employees' personal information, including private personal information such as communication records stored in WeChat, QQ or other instant communication software, or emails to and from private email boxes. According to the Personal Information Protection Law of the PRC, employers are required to inform individuals and obtain their consent prior to the processing of personal information, i.e. the principle of informing + consent. Moreover, the Civil Code of the PRC stipulates that no organization or individual may process any person's private information, except as otherwise provided by law or with the explicit consent of the right holder.

Therefore, the legitimacy of obtaining data evidence can be enhanced and guaranteed only if it is explicitly stated in the relevant rules and regulations that the employer shall have the right to the work equipment provided to the employees or obtains the employees' personal consent.

Last updated on 29/11/2023

Finland

  • at Roschier

Generally, the basic principles set out by the GDPR and the Finnish Data Protection Act apply to data processing in connection with investigations, including evidence gathering: there must be a legal basis for processing, personal data may only be processed and stored when and for as long as necessary considering the purposes of processing, etc.

Additionally, if physical evidence concerns the electronic communications (such as emails and online chats) of an employee, gathering evidence is subject to certain restrictions based on Finnish ePrivacy and employee privacy laws. As a general rule, an employee’s electronic communications accounts, including those provided by the employer for work purposes, may not be accessed and electronic communications may not be searched or reviewed by the employer. In practice, the employer may access such electronic correspondence only in limited situations stipulated in the Act on Protection of Privacy in Working Life (759/2004), or by obtaining case-specific consent from the employee, which is typically not possible in internal investigations, particularly concerning the employee suspected of wrongdoing.

However, monitoring data flow strictly between the employee and the employer's information systems (eg, the employee saving data to USB sticks, using printers) is allowed under Finnish legislation, provided that employee emails, chats, etc, are not accessed and monitored. If documentation is unrelated to electronic communications, it also may be reviewed by the employer. Laptops, paper archives and other similar company documentation considered "physical evidence" may be investigated while gathering evidence on the condition that any private documentation, communications, pictures or other content of an employee are not accessed.

Last updated on 15/09/2022


France

  • at Bredin Prat

GDPR principles fully apply to data gathering, as does case law protecting the right to respect for one’s private life and the secrecy of correspondence.

Last updated on 15/09/2022


Germany

  • at Hengeler Mueller

When collecting data (in physical or digital form), the employer must ensure compliance with the data protection principles according to the General Data Protection Regulation (DSGVO) and the German Data Protection Act (BDSG). These principles include, among other things, that data collection must be carried out lawfully (principle of legality) and transparently (transparency principle) and must be comprehensively documented – specifically concerning the purpose of the workplace investigation – to be able to prove compliance with data protection.

The principle of legality states that data may only be collected on a legal basis (ie, there must either be a law authorising this or the employee must have consented to the collection of his data).

The transparency principle may constitute a special challenge during workplace investigations. Under the transparency principle, the employee must be generally informed about the collection of his data. This includes information on who processes the data, the purposes for which it is processed and whether the data is made available to third parties. However, there may be a risk of collusion, particularly when electronic data has to be reviewed, and thus the success of the investigation may be jeopardised if the relevant employee is comprehensively informed in advance. Accordingly, the employer should check, with the assistance of the data protection officer, whether the obligation to provide information may be dispensed with. This may be the case if providing the information would impair the assertion, exercise or defence of legal claims and the interests of the employer in not providing the information outweigh the interests of the employee. The respective circumstances and employer's considerations should be well documented in each case.

Regardless of whether the employee is informed about the investigation, to prevent data loss, the employee should be sent a so-called hold notice (ie, a prohibition to delete data). Additionally, to prevent automatic deletion, blocking mechanisms should also be implemented.

When gathering evidence by searching the employee's possessions or files, the employee's privacy rights also need to be observed (see question 8).

Last updated on 15/09/2022


Greece

  • at Karatzas & Partners

GDPR and the provisions of L. 4624/2019 regulate the gathering of physical evidence from a data protection perspective, providing, among other things, that personal data should be processed with transparency and to the extent necessary for the investigation.

L.4990/2022 on the protection of persons who report breaches of Union law regulates data protection issues in the context of whistleblowing investigations, mainly to safeguard confidentiality throughout the investigations.  

Last updated on 03/04/2023


Hong Kong

  • at Slaughter and May

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

  • personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
  • personal data must be accurate and not kept longer than is necessary;
  • personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
  • personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
  • the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

 

[1] PDPO section 2.

[2] PDPO Schedule 1.

[3] PCPD, “Privacy Guidelines: Monitoring and Personal Data Privacy at Work” (April 2016) <https://www.pcpd.org.hk/english/data_privacy_law/code_of_practices/files/Monitoring_and_Personal_Data_Privacy_At_Work_revis_Eng.pdf>.

[4] Ibid at paragraph 2.3.3.

Last updated on 15/09/2022


India

  • at Trilegal

In India, the collection, disclosure, transfer and storage of personal data is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPD Rules). Accordingly, if during an investigation any sensitive personal information (such as information relating to passwords; financial information such as a bank account, credit or debit card or other payment instrument details; a physical, physiological or mental health condition; sexual orientation; medical history; and biometric information) is collected, then the requirements under the SPD Rules will need to be complied with. This would include obtaining an individual’s “informed consent” before collecting any sensitive personal data if such information is intended to be collected or stored in an electronic format.

Last updated on 15/09/2022

Ireland

  • at Ogier

Under the GDPR (General Data Protection Regulation), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023, which is a useful guide.

Employers should exercise caution when gathering physical evidence that may involve the use of CCTV or other surveillance practices. The Irish Court of Appeal in the case of Doolin v DPC examined the use by an employer of CCTV footage for disciplinary purposes and found such use constituted unlawful further processing. The original reason for processing the CCTV footage was to establish who was responsible for terrorist-related graffiti that was carved into a table in the staff tearoom. It subsequently transpired Mr Doolin, who was in no way connected to the graffiti incident, had accessed the tearoom for unauthorised breaks and a workplace investigation followed. The original reason for viewing the CCTV related to security, but further use of the CCTV footage in the disciplinary investigation was not related to the original reason. This case confirms that employers must have clear policies in place in compliance with both GDPR and the Data Protection Act 2018 specifying the purpose for which CCTV or any other monitoring system is being used. Not only that, but these policies must be communicated to employees specifying the use of such practices.

Fair processing applies not only to data about the investigation but also to any retention of that data, which can only be further processed with good reason. It is a legitimate business reason to retain data to deal with any subsequent requests or appeals under various internal or statutory processes, provided employees have been advised of the relevant retention period.

Last updated on 11/10/2023


Italy

  • at BonelliErede

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

  • gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
  • gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
  • gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

Last updated on 15/09/2022


Japan

  • at Mori Hamada & Matsumoto

When collecting physical evidence that contains personal information, the Personal Information Protection Law and its related guidelines apply. In addition, when collecting physical evidence that contains privacy information or an employee's photograph, care must be taken to ensure that the right to privacy and the image rights are not violated.

Last updated on 15/09/2022


Netherlands

  • at De Brauw Blackstone Westbroek

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed). These exceptions to the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

Last updated on 27/11/2023

Nigeria

  • at Bloomfield LP

When gathering evidence, the person being investigated is protected by the Constitution, the Freedom of Information Act and the Nigerian Data Protection Regulation (NDPR), among others.

The Constitution, particularly section 37, guarantees the right of a person to privacy.

The NDPR is the main data protection regulation in Nigeria. It regulates the processing and transfer of personal data.

Further, the Freedom of Information Act, 2011 prohibits the disclosure of information gathered during an investigation to the public.

Last updated on 15/09/2022


Philippines

  • at Villaraza & Angangco

The procedure for gathering physical evidence is governed primarily by company policy. Nevertheless, the Data Privacy Act of the Philippines protects all data subjects from unlawful processing of their personal information without consent.

Last updated on 26/01/2023


Poland

  • at WKB Lawyers

If personal data is involved – the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

Last updated on 20/04/2023


Portugal

  • at Uría Menéndez - Proença de Carvalho

Whenever employers process personal data in the course of an investigation, they need to comply with Regulation (EU) 2016/679 (the GDPR) and Law 58/2019, which implements the GDPR in Portugal (jointly the Data Protection Regulations). If the gathering of physical evidence includes the collection and processing of sensitive data (eg, related to the employee’s health or any other category outlined in article 9 of the GDPR), additional safety measures should be in place to safeguard the adequate and confidential nature of such information.

Last updated on 15/09/2022

Singapore

  • at Rajah & Tann Singapore
  • at Rajah & Tann

The employer may collect the personal data of an individual without the individual’s consent or from a source other than the individual, where it is necessary for any investigation according to section 17(1) read with paragraph 4 of Part 3 of the Third Schedule of the Personal Data Protection Act 2012 (PDPA). Under section 2(1) of the PDPA, “investigation” means an investigation relating to:

  • a breach of an agreement;
  • a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in the exercise of its powers under any written law; or
  • a circumstance or conduct that may result in a remedy or relief being available under any law.

Under the Banking Act 1970, a bank and its officers cannot disclose customer information to third parties, subject to certain exceptions. An employer carrying out a workplace investigation does not fall within any of the exceptions.

Last updated on 15/09/2022


South Korea

  • at Kim & Chang

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

Last updated on 15/09/2022


Spain

  • at Uría Menéndez

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be searched when it is necessary to protect the companies’ property (or the property of other co-workers). This search must:

  • be conducted in the workplace and during working hours;
  • respect the employee’s privacy and dignity; and
  • be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

Last updated on 15/09/2022


Sweden

  • at Mannheimer Swartling

To the extent the gathering of physical evidence includes the processing of personal data, please see question 1.

Last updated on 15/09/2022


Switzerland

  • at Bär & Karrer

The Swiss Federal Act on Data Protection applies to the gathering of evidence; in particular, such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completed by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

 

[1] Simona Wantz/Sara Licci, Arbeitsvertragliche Rechte und Pflichten bei internen Untersuchungen, in: Jusletter 18 February 2019, N 52.

[2] Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 148.

Last updated on 15/09/2022


Thailand

  • at Chandler MHM

The basic premise is that all evidence is admissible unless it violates the law of admissibility and production of evidence, which may vary depending on the jurisdiction. In a criminal court, for example, evidence gathered in violation of the fruit of the poisonous tree doctrine would be typically inadmissible, yet in a civil court, this doctrine would not be an exclusionary rule.

The Personal Data Protection Act, BE 2562 (2019) (PDPA), which is the main data protection law in Thailand, applies when collecting, using, and disclosing pieces of evidence containing the personal data of employees. If the investigation requires sensitive information of the employee under investigation, for example, race, ethnic origin, political opinion, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data and biometric data, consent from the employee should be obtained.

Last updated on 15/09/2022

Turkey

  • at Paksoy

The conditions applicable to gathering physical evidence mainly stem from the precedents of the Turkish Constitutional Court about employment disputes and the rules set forth under Turkish Law No. 6698 on the Protection of Personal Data (DPL). It is generally accepted that employers can gather physical evidence for certain legitimate purposes, such as disciplinary investigations, the prevention of bribery and corruption, fraud or theft, money laundering, and employee performance monitoring and compliance. In doing so, employers must, however, comply with the fundamental principles of the Turkish Constitutional Court as briefly described below:

  • The grounds for the gathering of evidence must be legitimate. The definition of the legitimate interests of the employer may change depending on the characteristics of the business, workplace and employee job description, as well as the specific circumstances of the case. Therefore, it is advisable to carry out a balancing test between the legitimate interest the employer is seeking to protect and the employee’s interest in the protection of their privacy.
  • The collection activities must be proportionate, in the sense that the measure implemented by the employer must be appropriate and reasonably necessary to achieve the legitimate purpose, without infringing upon the fundamental rights and freedoms of the employees. For instance, e-mail monitoring to collect evidence may not be proportionate if it is determined that e-mails that are not related to the incident subject to investigation are also accessed. To achieve this, certain keywords or algorithms can be used while monitoring e-mails during a disciplinary investigation.
  • The collection process must be necessary to achieve the purpose. In other words, the collection of physical evidence must only be carried out to the extent there are no other measures allowing the employer to achieve its purpose, such as witness testimony, workplace records, or examining the results of projects. If the purpose can be achieved through less invasive means, the collection of physical evidence may not comply with the principles established by the decisions of the Constitutional Court.

Separately, depending on the type of physical evidence collected, the collection process may lead to the processing of the concerned employees’ personal data. Under the DPL, personal data collected in Turkey can only be processed if the explicit consent of the data subject is obtained, or the data is processed based on one of the exceptions to consent provided by the law. To the extent the data processing can be deemed to be based on the pursuit of a legitimate interest of the employer, it should also meet the following conditions:

  • it should be the most convenient and efficient method to identify any employee wrongdoing to protect the legitimate interests of the company; and
  • the data processing should not harm the fundamental rights and freedoms of the employees.

The employer should in any case comply with the obligation to inform employees before the processing of their data, through a privacy notice containing mandatory information required by the DPL.

In addition, as a general principle, the evidence-gathering process should always be conducted based on the assumption that the internal investigation can lead to litigation. Any evidence that will be used in litigation needs to have been gathered in compliance with the law. In both criminal and civil litigation, the courts will review each piece of evidence to confirm whether it was gathered through lawful methods and disregard any evidence that fails to comply with due process.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Last updated on 27/11/2023

United States

  • at Cravath, Swaine & Moore

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections for employees against an unwarranted or unreasonable invasion of privacy during an internal investigation.

Last updated on 15/09/2022

Vietnam

  • at Le & Tran Law Corporation

Decree No. 13/2023/ND-CP on personal data protection is the main data protection regulation in Vietnam. It regulates the processing of personal data, including the collection or gathering of data. If the physical evidence contains personal data of an individual, the gathering of physical evidence must comply with this decree.

Last updated on 25/09/2023

10. What confidentiality obligations apply during an investigation?

Australia

  • at People + Culture Strategies

Confidentiality protects the interests of the persons involved in the investigation as well as the integrity of the investigation. Before providing information as part of the investigation, employers should direct the complainant, respondent or witnesses to sign confidentiality agreements. This agreement should direct the person to refrain from discussing the investigation or matters that are the subject of the investigation with any person other than the investigator.

It is also best practice for participants in the investigation to be directed not to victimise (threaten or subject to any detriment) any persons who are witnesses to or are otherwise involved in the investigation.

After an investigation, employers should write to the complainant, respondent and any witnesses reminding them of their ongoing confidentiality obligations.

Last updated on 15/09/2022

Austria

  • at GERLACH Rechtsanwälte

If the report and the whistleblower fall within the scope of the Whistleblowing Directive, his or her identity must be protected. From a data protection perspective, the principles of the DSG must be observed to protect the legitimate confidentiality of the individuals concerned.

Furthermore, the employer should ensure that information is only disclosed to trustworthy persons to avoid pre-judgements.

Last updated on 29/09/2023

Belgium

  • at Van Olmen & Wynant

A workplace investigation is often a sensitive matter that requires necessary confidentiality to find out the truth discreetly and objectively. Nevertheless, there is often pressure from employees, trade unions or even the media and general public to be transparent and communicate about the case. From a legal perspective, it is not recommended to communicate openly about an ongoing investigation, as this can jeopardise the investigation or the possibility of taking disciplinary measures.

Whistleblower investigations will be bound by a strict duty of confidentiality regarding anything that could reveal the identity of the reporter.

In complaints due to sexual harassment, violence or bullying at work, the prevention adviser is bound by professional secrecy. Consequently, he or she may not disclose to third parties any information about individuals that have come to his or her knowledge in the performance of his or her duties. However, he or she still has the freedom to inform the people concerned to carry out his or her tasks in the procedure.

Last updated on 15/09/2022

Brazil

  • at CGM

Law 14.457/2022 states that companies must guarantee the anonymity of accusers. As a result, it is best practice that companies allow for anonymous submissions, or allow accusers to voluntarily disclose their identity while acknowledging that they agree that it will be kept confidential to the extent required by the investigation.

Also, companies should have internal rules stating that all parties involved in an investigation (accusing party, accused party, witnesses, investigators, and any other person that has any contact with the investigation) must keep the existence of the investigation and of the events related to the investigation confidential to the extent required by the investigation, and discipline any individuals that violate this.

Last updated on 14/09/2023

China

  • at Jingtian & Gongcheng

Although there are no specific laws or regulations governing the extent of the confidentiality obligations with which employers or investigators must comply, in practice, the confidentiality obligation of both parties usually originates from the confidentiality agreement between the employee and the employer, as well as general provisions on the protection of personal information and the right of privacy.

In this regard, it is advisable to require the relevant personnel responsible for handling the suspension for investigation to sign a confidentiality agreement or a letter of commitment, and require them to pay attention to the protection of the personal information and privacy of the complainant and other relevant personnel, for the purpose of avoiding extra losses caused by the occurrence of disputes relating to right of reputation, right of privacy and personal information leakage during the investigation.

Last updated on 29/11/2023

Finland

  • at Roschier

Concerning a workplace investigation, there is no specific legislation in force at the moment regarding confidentiality obligations. All normal legal confidentiality obligations (eg, obligations outlined in the Trade Secrets Act (595/2018)), and if using an external investigator, the confidentiality obligations outlined in the agreement between the employer and the external investigator, apply. Attorneys-at-law always have strict confidentiality obligations as per the Advocates Act (496/1958).

Last updated on 15/09/2022

France

  • at Bredin Prat

Interviewers, investigators, interviewees or any others involved in the investigation are often bound by a reinforced confidentiality obligation, particularly when the internal investigation is triggered by a whistleblower alert. In addition, every person that comes to know of the investigation, facts or people involved is bound by an obligation of discretion. Furthermore, investigators should specifically be trained for interviews and be reminded of their obligations relating to the investigation.

The investigators will need to determine the order of the tasks to be carried out in the investigation, as this will have a significant impact on confidentiality management. Should they start with the hearings or a review of documents? The answer may depend on the subject matter of the investigation. It is advisable to first review the documentation before organising interviews, particularly to avoid the destruction of certain documents by employees acting in bad faith or by those wishing to erase the traces of alleged wrongdoing. Sometimes, however, it is possible to start with the interviews, especially in the case of harassment, as there may be no documents to review. If the decision is taken to conduct the documentation review after the interviews, it could be useful to ask the employees involved to sign a document stating that they must preserve and retain documents, meaning that if they delete or destroy documents, they would be acting against the company and in breach of the law.

Last updated on 15/09/2022

Germany

  • at Hengeler Mueller

Depending on the subject of the investigation and the severity and significance of the suspected violation, employees who are involved in the workplace investigation may already have to maintain confidentiality based on their contractual duties. The prerequisite for this is that the employer has a legitimate interest in maintaining confidentiality. Criminal acts are not subject to confidentiality, but there is also no general obligation for the employee to report or disclose a criminal act to the authorities or the public prosecutor. However, reporting to the competent authorities may be required in certain cases (see question 25).

Lawyers are bound by professional confidentiality and are generally not allowed to disclose any information they receive from their clients. An exception exists, for example, if the lawyer must provide information to defend himself in court proceedings. There is also no absolute protection against the seizure of documents at an attorney’s office (see question 14).

Last updated on 15/09/2022

Greece

  • at Karatzas & Partners

Confidentiality applies as a general principle in disciplinary investigations.

Moreover, L. 4990/2022, which transposed EU Directive 2019/1937 into Greek Law, regulates the issue of confidentiality during investigations that start based on an internal report. The managers conducting the investigation must respect and abide by the rules of confidentiality regarding the information they have become aware of when exercising their duties[1]. They must also protect the complainant’s and any third party’s (referred to in the report) confidentiality by preventing unauthorised persons from accessing the report[2].

Finally, L. 4808/2021 provides that employers must create a procedure that should be communicated to employees regarding all the necessary steps of an investigation following a complaint. Throughout the whole process, the employer, managers and the employer’s representatives responsible for the investigation must respect and abide by the rules of confidentiality in a manner that safeguards the dignity and personal data of the complainant and the person under investigation[3].

 

[1] Law 4990/2022, art. 9 par. 8(b)

[2] Law 4990/2022, art. 10 par. 2(e)

[3] Law 4808/2021, art. 5 par. 1(a) and 10 par. 2(b)

Last updated on 03/04/2023

Hong Kong

  • at Slaughter and May

Workplace investigations should usually be conducted on a confidential basis to preserve the integrity of the investigation, avoid cross-contamination of evidence and maintain the confidentiality of the employee under investigation. This means that those involved in the investigation (ie, the subject employee and any material witnesses) should be made aware of the fact and substance of the investigation on a need-to-know basis.

While the extent of the confidentiality obligations is usually governed by the employer’s internal policies and the employment contract, there are circumstances where the employer has a statutory duty to keep information unearthed in the investigation confidential. For instance, if it is found that certain property represents proceeds of an indictable offence[1] or drug trafficking[2], or is terrorist property[3], the employer should report its knowledge or suspicion to the Joint Financial Intelligence Unit (JFIU) as soon as is reasonably practicable and avoid disclosure to any other person as such disclosure may constitute “tipping off”. Another example is if a workplace investigation is commenced in response to a regulatory enquiry, the employer may be bound by a statutory secrecy obligation and may not be at liberty to disclose anything about the regulatory enquiry to anyone including those who are subject to the workplace investigation. For example, section 378 of the Securities and Futures Ordinance (SFO) imposes such a secrecy obligation on anyone who is under investigation or assists the Securities and Futures Commission (SFC) in an investigation.[4]

 

[1] OSCO section 25A(5). A person who contravenes the section is liable on conviction on indictment to a fine of $500,000 and to imprisonment for 3 years, or upon summary conviction to a fine of $100,000 and to imprisonment for 1 year.

[2] DTROPO section 25A(1). A person who contravenes the section is liable on conviction on indictment to a fine of $500,000 and to imprisonment for 3 years, or upon summary conviction to a fine of $100,000 and to imprisonment for 1 year.

[3] UNATMO section 12(1). A person who contravenes the section is liable on conviction to a fine and to imprisonment for 3 years, or upon summary conviction to a fine of $100,000 and to imprisonment for 1 year.

[4] A person who fails to maintain secrecy is liable upon conviction on indictment to a maximum fine of $1 million and imprisonment for up to two years (or upon summary conviction, to a maximum fine of $100,000 and imprisonment for up to six months).

Last updated on 15/09/2022

India

  • at Trilegal

Indian labour statutes do not contain any specific confidentiality obligations concerning investigations. However, in practice, the records of investigative or disciplinary proceedings should be kept confidential and shared only on a need-to-know basis to ensure that the parties do not suffer prejudice. The internal policies should also include provisions on confidentiality.

The SH Act, however, provides that certain information must not be published or made known to the public, press and media such as:

  • the contents of the SH complaint;
  • the identity and addresses of the complainant, accused and witnesses;
  • any information on the conciliation and inquiry process;
  • the recommendations of the IC; and
  • action to be taken by the employer.

The SH Act permits the dissemination of information regarding remedies extended to any victim without disclosing the name, address or identity of the victim or witnesses. The SH Act also outlines punishments for violating confidentiality obligations.

Last updated on 15/09/2022

Ireland

  • at Ogier

This will depend on the nature of the investigation but, generally, investigations should be conducted on a confidential basis. All who participate in the investigation should be informed and reminded that confidentiality is a paramount consideration taken very seriously. However, it should be borne in mind that confidentiality cannot be guaranteed by an employer as the respondent in an investigation is entitled to know who has made complaints against them. Furthermore, the respondent is entitled to cross-examine the complainant and any witnesses, although in practice this right is rarely invoked strictly and is facilitated by the investigator, with questions from the respondent being put to the complainant and other witnesses.

On occasion, a breach of confidentiality may warrant disciplinary action, but this will depend on the circumstances. Exceptions to the requirement to keep matters confidential will of course apply where employees seek support and advice from others such as companions, trade union representatives or legal advisors. It may also not be possible to maintain confidentiality where regulators or the authorities are informed of the investigation.

Also, confidentiality may not be maintained if it is in the interests of the employer to communicate the complaint and any subsequent investigation, for example on a health and safety basis.

Last updated on 11/10/2023

Italy

  • at BonelliErede

From an employment law perspective, confidentiality obligations may be seen from two different points of view:

  • as a general duty of the employee related to the employment relationship, according to article 2105 of the Italian Civil Code, a “loyalty obligation”, which includes confidentiality obligations. On top of these, there are usually further confidentiality clauses in individual employment contracts; and
  • as a general duty (linked to the outcome of the investigation) of the employer to keep confidential the identity of the employee who cooperates during the investigation (as whistleblower or a witness) to protect him or her.

In defensive criminal law investigations, the witness can’t reveal questions or answers given in his or her interview to a third party.

With regards to the confidentiality applicable to the whistleblower, see above under question 9 and below under question 12.

Last updated on 10/01/2024

Japan

  • at Mori Hamada & Matsumoto

See question 9 for the confidentiality obligations of a whistleblower response service employee.

Other than the above, there is no specific legal obligation to maintain confidentiality for persons in charge of investigations, etc. However, if the information falls under the category of confidential information obtained by employees in the course of their work, compliance is required as an obligation attached to a labour contract, and many employment regulations stipulate a duty to keep information obtained in the course of work confidential.

Last updated on 15/09/2022

Netherlands

  • at De Brauw Blackstone Westbroek

The principle of due care requires employers to act prudently when it comes to sharing the identity of persons involved, such as complainants and implicated persons, and investigative findings, notably when certain employees may be implicated. As a result, such information is usually shared within an employer to designated departments on a need-to-know basis only. Additional safeguards as to the protection of whistleblowers' identities apply since the Whistleblower Directive (see question 9) was implemented in Dutch law. Also, see question 13 for the confidentiality obligations of employees vis-à-vis their employer.

Last updated on 27/11/2023

Nigeria

  • at Bloomfield LP

Workplace investigations should be kept strictly confidential to protect the parties involved in the investigation from victimisation. The confidentiality obligations that apply during investigations cover, among other things, the identities of the parties involved in the process (whether as a complainant, respondent or witnesses), the confidentiality of reports, recordings and other documents generated or discovered during the investigation, as well as attorney-client privilege between the employee and his or her attorney, provided that such privilege is within the bounds of the law.

Last updated on 15/09/2022

Philippines

  • at Villaraza & Angangco

Since the right to investigate ultimately belongs to the employer, it may impose strict confidentiality obligations upon the individuals involved, not only to ensure unhampered investigation proceedings but also and more importantly for the protection of the company and employees involved.

Last updated on 26/01/2023

Poland

  • at WKB Lawyers

The law does not cover this issue, apart from whistleblower regulations, as it should be regulated by the employer in their internal rules. The employer should ensure all participants of the investigation keep information related to it secret, as long as is necessary for the investigation (or even longer, if required by law concerning personal data or other specially protected information). The reputation, personal data and personal rights of other people must not be infringed during the proceedings and should be protected.

Moreover, according to the Draft Law, a whistleblower’s personal data should be kept confidential. It can only be disclosed if law enforcement authorities require it. Also, confidentiality should be guaranteed for the subject and other interested persons.

Last updated on 20/04/2023

Portugal

  • at Uría Menéndez - Proença de Carvalho

The Portuguese Labour Code does not specifically provide for any confidentiality obligations concerning disciplinary procedures. On the contrary, it states that the employee should have access to any information included in the disciplinary procedure. Otherwise, the employee’s defence rights could be jeopardised, which would make the disciplinary procedure (and possible disciplinary sanctions) null and void.

As for the witnesses, even though there is no specific provision on confidentiality, employees are generally bound by a duty of loyalty vis-a-vis the employer, which includes not disclosing information that should be kept reserved.

However, in the cases of whistleblowing, it is mandatory to ensure the confidentiality of the complainant, as per question 9.

Last updated on 15/09/2022

Singapore

  • at Rajah & Tann Singapore

The existence and scope of any confidentiality obligations would generally depend on the specific terms of the employment contract, employee handbook or the employer’s internal policies and procedures in dealing with the investigations.

In the context of investigations into workplace harassment issues, the Tripartite Advisory on Managing Workplace Harassment issued by the MOM provides that the identities of the alleged harasser, affected persons and the informant should be protected unless the employer assesses that disclosure is necessary for safety reasons.

This may change with the enactment of the Workplace Fairness Legislation referred to in question 1. The Tripartite Committee on Workplace Fairness recommended, among other things, that employers should protect the confidentiality of the identity of persons who report workplace discrimination and harassment, where possible. As such, it is expected that the upcoming Workplace Fairness Legislation may impose certain confidentiality obligations on an employer during an investigation.

Last updated on 15/09/2022

South Korea

  • at Kim & Chang

It is general practice in Korea for a company to require interviewees to maintain confidentiality concerning a workplace investigation and instruct them that they are not permitted to discuss the matter under investigation with other employees, etc. If an employee violates this instruction, it may be possible for the company to take disciplinary action against them under the company’s rules.

Further, the company or its employees who have engaged in an investigation for sexual harassment or workplace harassment in the workplace are obliged to maintain the confidentiality of the investigation. Failure to comply with such requirements may lead to an administrative fine from the Ministry of Employment and Labour for the company or its registered representative.

There may be some exceptions to the confidentiality obligation, such as when an employee is required by government authorities to provide relevant information in a parallel investigation.

Last updated on 15/09/2022

Spain

  • at Uría Menéndez

Companies and employees are not bound by any statutory confidentiality obligation in the context of workplace investigations. However, if a company’s enquiry has the potential to examine employees’ private affairs, then the company must ensure the confidentiality of the investigation.

This confidentiality obligation would not arise from the investigation itself, but from the company’s obligation to safeguard its employees’ rights.

Last updated on 15/09/2022

Sweden

  • at Mannheimer Swartling

If the Swedish Whistleblowing Act applies, the persons or entities handling the investigation have a duty of confidentiality and may not, without permission, disclose any information that could reveal the identity of the reporting person, any person subject to the report or any other person mentioned in the report or during the investigation of the report. Access to personal data is limited to designated competent entities or persons. Investigative material including personal data may not be shared with other persons or entities during the investigation. Once the investigation has reached actionable conclusions, investigative material may be shared with other persons or entities, such as HR or the police, provided that such sharing is necessary to take action on the outcome of the investigation. Investigative material may also be shared if it is necessary for the use of reports as evidence in legal proceedings or under the law or other regulations.

If the Swedish Whistleblowing Act does not apply, there are no particular confidentiality obligations for employers. Yet, an employer needs to consider what information is suitable to share during an investigation, how this is done and to whom it is shared. An employer must also respect employees’ privacy in line with what is generally considered good practice in the labour market. This means that an employer should be careful as to what sensitive and personal information is shared during an investigation. Furthermore, the spreading of damaging information (even if true) about an employee to a wider group may be a criminal offence under the Swedish Criminal Code.

Last updated on 15/09/2022

Switzerland

  • at Bär & Karrer

Besides the employee's duty of performance (article 319, Swiss Code of Obligations), the employment relationship is defined by the employer's duty of care (article 328, Swiss Code of Obligations) and the employee's duty of loyalty (article 321a, Swiss Code of Obligations). Ancillary duties can be derived from the two duties, which are of importance for the confidentiality of an internal investigation.[1]

In principle, the employer must respect and protect the personality (including confidentiality and privacy) and integrity of the employee (article 328 paragraph 1, Swiss Code of Obligations) and take appropriate measures to protect the employee. Because of the danger of pre-judgment or damage to reputation as well as other adverse consequences, the employer must conduct an internal investigation discreetly and objectively. The limits of the duty of care are found in the legitimate self-interest of the employer.[2]

In return for the employer's duty of care, employees must comply with their duty of loyalty and safeguard the employer's legitimate interests. In connection with an internal investigation, employees must therefore keep the conduct of an investigation confidential. Additionally, employees must keep confidential and not disclose to any third party any facts that they have acquired in the course of the employment relationship, and which are neither obvious nor publicly accessible.[3]

 

[1] Wolfgang Portmann/Roger Rudolph, BSK OR, Art. 328 N 1 et seq.

[2] Claudia Fritsche, Interne Untersuchungen in der Schweiz, Ein Handbuch für Unternehmen mit besonderem Fokus auf Finanzinstitute, p. 202.

[3] David Rosenthal et al., Praxishandbuch für interne Untersuchungen und eDiscovery, Release 1.01, Zürich/Bern 2021, p. 133.

Last updated on 15/09/2022

Thailand

  • at Chandler MHM

Unless the investigation is handled by a qualified professional (eg, attorney or auditor) where certain privileges apply, confidentiality obligations are generally subject to the contractual arrangement between the parties involved in the investigation. Employers need to inform any persons, including the investigators, that they must respect confidentiality obligations, because a leak of the information gathered from the investigation could cause damage to the relevant parties.

Last updated on 15/09/2022

Turkey

  • at Paksoy

As a general practice, workplace investigations need to be kept confidential for the integrity of the process. In some cases, employees can specifically request their identity or involvement be kept confidential. In such cases, additional measures need to be taken to protect confidentiality. In any case, obligations and rights arising from the DPL and Labour Law must be respected and complied with by the employer and the investigation team.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

Workplace investigations should usually be conducted on a confidential basis, so that only those involved in the investigation are aware of its existence and subject matter. The need to maintain confidentiality about both the fact of the investigation, and any content discussed with an investigator, should be emphasised to all those involved. It may also be necessary to explain that a breach of confidentiality could be viewed as a disciplinary matter. Appropriate exceptions must, however, be made to allow employees to speak to any relevant employee or trade union representative, legal adviser and potentially the police or other regulators. Confidentiality provisions cannot override the rights of workers to make protected disclosures (see question 9).

In some situations, such as those involving a wide-ranging investigation into the organisation’s working practices and culture, it may be more appropriate to investigate on a more “open” basis, and inform employees and other stakeholders.

Last updated on 15/09/2022

United States

  • at Cravath, Swaine & Moore

Information arising from the initial complaint, interviews and records should be kept as confidential as practically possible while still permitting a thorough investigation. Although an employer must maintain confidentiality to the best of its ability, it is often not possible to keep confidential the identity of the complainant or all information gathered through the investigation process. An employer should therefore not promise absolute confidentiality to any party involved in an internal investigation, including the complainant. The investigator should instead explain at the outset to the complaining party and all individuals involved that information gathered will be maintained in confidence to the extent possible, but that some information may be revealed to the accused or potential witnesses on a need-to-know basis to conduct a thorough and effective investigation.

Last updated on 15/09/2022

Vietnam

  • at Le & Tran Law Corporation

Workplace investigations should be conducted in a strictly confidential manner to preserve the integrity and professionalism of the investigation and to protect the identity of the employee under investigation. This means that all information gathered, received, and shared during the investigation (ie, the subject employee and any material witnesses) should only be disclosed on a need-to-know basis.

Last updated on 25/09/2023

11. What information must the employee under investigation be given about the allegations against them?

Australia

  • at People + Culture Strategies

To ensure procedural fairness, the allegations must be put to the respondent in writing in advance of the investigation interview. The allegations must be specific, but the respondent does not need to be provided with a copy of the original complaint. The respondent should also be informed that if the allegations are substantiated they may result in disciplinary action up to and including the termination of the employee’s employment.

Last updated on 15/09/2022

Austria

  • at GERLACH
  • at GERLACH Rechtsanwälte

The purpose of internal investigations would be jeopardised by fully informing a suspected employee beforehand, as it would allow him or her to hide or destroy possible evidence, plan his or her testimony or coordinate with other employees.

There is no legal requirement to inform the employee of the allegations or suspicions.

Last updated on 29/09/2023

Belgium

  • at Van Olmen & Wynant

In general, the employee should be informed that there is an ongoing investigation (unless this could jeopardise the investigation, in which case disclosure could be postponed until this is no longer the situation). Next, before imposing measures or sanctions, the employee should be allowed to be heard or to give his or her version of the facts. Of course, the employee can only do this if he or she is aware of the facts being investigated. It is not necessary to give the employee a full insight into the investigation; the necessary facts that allow him or her to offer a defence are sufficient.

Last updated on 15/09/2022

Brazil

  • at CGM

There is no obligation to inform an employee under investigation that this is the case, and it should not happen automatically.

While some policies require that the investigated employee be informed about the allegations against them at the beginning of the investigation, from a local perspective it is recommended that the accused employee be notified about the existence of the allegations if, after a reasonable review, there are elements that suggest that the accusation may be material.

In this context, the employee should be informed about the accusation and be allowed to confirm, deny, provide further context or justify each reported or identified event; offer evidence; and indicate persons or sources of information that could corroborate his or her defence. Information about the accusation must be focused on facts rather than on how the company obtained the information.

If the accusation is found to be groundless after initial review, involving the accused employee at the beginning of the process may have triggered unjust and unnecessary stress and a disruption in the employment relationship that may not be satisfactorily repaired by a determination that the accusation was void. This may result in a legal liability for the company or HR issues that could otherwise have been avoided.

Last updated on 14/09/2023

China

  • at Jingtian & Gongcheng

Although there are no explicit provisions of law or policy requiring employers to provide specific information about the allegations to investigated employees, in practice the employer usually will not disclose the allegations to the investigated employee at the beginning of an investigation, to avoid alerting the employee and to reduce the possibility that he or she may destroy the relevant evidence. At the later stage of an investigation, when the employer has already obtained the main evidence, the employer will usually disclose to the investigated employee the allegations that are clearly known to the employer and supported by sufficient evidence, and listen to the employee's opinions or arguments, for the purpose of obtaining more information or getting the employee's confession.

Last updated on 29/11/2023

Finland

  • at Roschier

The process must be transparent and impartial, and therefore all the information that may influence the conclusions made during the investigation should be shared with the employee.

Last updated on 15/09/2022

France

  • at Bredin Prat

According to the French data protection authority, the employee under investigation must be informed of the name of the person in charge of the investigation, the alleged facts that have led to the whistleblowing alert and their rights to access and rectify data collected about them. This information must be given as soon as the data collection starts, before the interviews, as per GDPR principles.

Last updated on 15/09/2022

Germany

  • at Hengeler Mueller

In principle, the employer does not have to inform the employees about the investigation. Furthermore, there is no obligation to inform the "suspect" about the specific content of the workplace investigation itself and the allegations against him.

However, if personal data relating to the employee is collected and reviewed, the employee must be informed under German data protection principles (see question 7).

If the employer considers issuing a notice of termination based on the suspicion of wrongdoing, the employee must be allowed to comment on the allegations against him before receiving the termination notice. This requires that the employee be properly informed about the allegations and evidence against him. However, until the time of such a hearing, which usually follows the workplace investigation, there is no obligation on the part of the employer to inform the employee concerned about ongoing investigations.

Last updated on 15/09/2022

Greece

  • at Karatzas & Partners

As a matter of general principle, employees under investigation must have access to the necessary information to be able to defend themselves, in the context of their fundamental right to a fair trial and hearing.

Moreover, from a data protection perspective, they may be entitled to access their personal data in the respective files.

The above rights must be balanced with confidentiality and the need to safeguard the completion of the investigation and to protect the complainant from retaliation.

According to L.4990/2022, all data and information as well as the identity of the complainant are confidential, and any disclosure is only permitted where required by the EU or national legislation or during court proceedings, and only if it is necessary for the protection of the defence rights of the employee under investigation. The section of L.4808/2021 for the elimination of workplace violence and harassment does not regulate this specifically but provides a general obligation for confidentiality.

Last updated on 03/04/2023

Hong Kong

  • at Slaughter and May

An employer’s internal policies or the employment contract may provide that an employee under investigation should be given certain information concerning the allegations raised against him or her. Such policies or terms should be followed and failure to do so may result in a claim for breach of contract or constructive dismissal by the employee. Even where there are no express provisions, the employer still owes an implied obligation of trust and confidence towards the employee at common law, which requires the employer not to, without reasonable and proper cause, conduct itself in a manner calculated and likely to destroy or seriously damage the relationship of confidence and trust between itself and the employee.[1] In the context of an internal investigation, the implied duty would require the employer to conduct the investigation and reach its findings reasonably and rationally following the evidence available and in good faith. This would normally require that sufficient information about the allegations made against the employee be provided to him or her such that he or she has the opportunity to properly respond to the allegations before any disciplinary action is taken or any decision about his or her employment is made.

 

[1] Malik v Bank of Credit and Commerce International SA (In Liquidation) [1998] AC 20.

Last updated on 15/09/2022

India

  • at Trilegal

As mentioned earlier, workplace investigations are normally a precursor to the actual disciplinary process against an employee. If the individual is being suspended during the investigation, the employer is only expected to inform the individual that they are being suspended on account of an ongoing investigation along with the broad nature of allegations or concerns, and does not need to disclose specific details about the allegations until the appropriate time. Further details may be provided at the investigation stage itself when the employee may be interviewed, or at the subsequent disciplinary inquiry.

Where a disciplinary process is necessary and initiated (after the investigation), the employee will have to be given a charge sheet or notice setting out the allegations against the individual in detail and be provided with an opportunity to submit an explanation. 

In sexual harassment investigations, the SH Act mandatorily requires the IC to submit a copy of the complaint to the accused. Further, the accused should be informed of the requirement to file his or her reply to the complaint along with a list of supporting documents, evidence, names and addresses of witnesses, etc, and the timelines for submitting his or her response in defence.

Last updated on 15/09/2022

Ireland

  • at Ogier

Under the fair procedures outlined above, details of the allegations or complaints against the employee should be put to them to enable them to fully respond to the allegations raised. The employee should also be provided with any relevant policies pertaining to the allegations against them, along with all documentary evidence of the allegations and the specific terms of reference that define the scope of the investigation. The employee should also be informed of their right to be represented (see question 15).

Last updated on 11/10/2023

Italy

  • at BonelliErede

From an employment law perspective, our legal system does not provide a specific duty for an employer to inform employees that a workplace investigation is in progress.

In addition, disclosing such information could put at risk the outcome of the workplace investigation (eg, destruction of evidence), and it would therefore be arguable that no information should be provided to employees.

On the other hand, if, upon completion of the investigation, the employer decides to bring disciplinary action against the employee, then the latter must be informed of the complaints with a letter stating the procedure (see questions 3 and 12).

Last updated on 15/09/2022

Japan

  • at Mori Hamada & Matsumoto

There are no specific legal stipulations or requirements regarding information, etc, that must be provided to employees who are the subject of an investigation.

Last updated on 15/09/2022

Netherlands

  • at De Brauw Blackstone Westbroek

An implicated person is typically provided with a summary description of the scope of the investigation and, hence, the allegations against such an employee (if any). This is usually done in the interview invite sent to the relevant interviewee, which also provides an opportunity to prepare for an interview and (if relevant) seek legal advice.

Last updated on 15/09/2022

Nigeria

  • at Bloomfield LP

An employee must be given the full details of the allegations against him or her to enable the employee to make adequate representations against the complaints made against him or her.

Last updated on 15/09/2022

Philippines

  • at Villaraza & Angangco

During the fact-finding stage of the investigation, the employees under investigation are not generally entitled to information concerning the conduct of the investigation. It is the prerogative of management to involve the employee under investigation during the fact-finding stage. When, however, the employer determines that an administrative disciplinary process must proceed, the employee’s right to due process attaches. As such, due process includes the right to be informed of the grounds relied upon by the employer and the opportunity to be heard. The first notice or notice to explain should specifically inform the employee of the charge against him or her.

Last updated on 26/01/2023

Poland

  • at WKB Lawyers

There is no specific mandatory information that should be given to an employee who is the subject of an internal investigation. However, it is common practice that he or she must know what the allegations against them are, on what grounds these allegations are formulated and be given a right to discuss these allegations and the evidence or grounds for these allegations.

Last updated on 20/04/2023

Portugal

  • at Uría Menéndez - Proença de Carvalho

If, before taking disciplinary action, the employer decides to open a preliminary investigation phase, the employee does not have to be informed.

Only when the preliminary investigation leads to a formal accusation will the employee be entitled to know that enquiries were carried out and the source of the facts (eg, witnesses, documents).

However, if an employer does not need to open a formal preliminary investigation phase, it only has to serve the accusation notice to the employee.

As a rule, employees will only know that they are being investigated if they are suspended or when they are notified of the accusation.

Last updated on 15/09/2022

Singapore

  • at Rajah & Tann Singapore
  • at Rajah & Tann

There is no specific list of information about the allegations against the employee under investigation that must be provided to the employee under investigation. However, the information provided to the employee must be sufficiently clear and specific so that the employee understands the case being made against him or her and can respond to it. The employee should also be made aware of the evidence against him or her and be given a reasonable opportunity to respond.

Last updated on 15/09/2022

South Korea

  • at Kim & Chang

There is no requirement to notify an employee under investigation concerning the allegations against him or her when requesting cooperation with a workplace investigation (eg, requesting the employee’s consent to review electronic data, or requesting an interview).

However, the company may strategically consider explaining the general purpose of the investigation before requesting consent to review electronic data or when requesting an interview. This may help increase the likelihood of cooperation and also reduce the risk of the employee raising objections to the company’s findings from the investigation by saying he or she was not properly informed of the purpose of the investigation, or that the investigation was conducted in a coercive manner.

Last updated on 15/09/2022

Spain

  • at Uría Menéndez

It is not necessary to inform an investigated employee about an enquiry or of the allegations made against him or her. The obligation to disclose would only arise when:

  • interviewing the employee would be the least intrusive means to investigate the facts; or
  • disciplinary measures are implemented as a result of the investigation. Since employees are entitled to challenge all disciplinary measures against them, they could request a court of law to disclose all the findings of the investigation, to assess if these findings could be useful to challenge the disciplinary measure.

Last updated on 15/09/2022

Sweden

  • at Mannheimer Swartling

According to article 14 of the GDPR, no information must be provided. The exemption in article 14.5(b) applies to the extent the obligation to provide such information is likely to render impossible or seriously impair the objectives of the processing of the personal data of the employee under investigation (ie, to diligently investigate the suspected irregularity).

If the Swedish Whistleblowing Act applies, information about where the personal data processed originates from may not be provided under article 14 of the GDPR, as the personal data must remain confidential subject to obligations under the Swedish Whistleblowing Act.

In addition to the above, an investigation should, to the extent possible and suitable, be characterised by the principles in ECHR (particularly articles 6 and 8). The employee under investigation should, among other things, be presented with sufficient information to safeguard his or her interests and be allowed to respond to the allegations. The investigation must also be compliant with the work environment responsibilities that the employer has concerning the involved parties (see questions 17 and 20).

Last updated on 15/09/2022

Switzerland

  • at Bär & Karrer

As a result of the employer's duty of care (article 328, Swiss Code of Obligations), employees under investigation have certain procedural rights. These include, in principle, the right of the accused to be heard. In this context, the accused has the right to be informed at the beginning of the questioning about the subject of the investigation and at least the main allegations and they must be allowed to share their view and provide exculpatory evidence.[1] The employer, on the other hand, is not obliged to provide the employee with existing evidence, documents, etc, before the start of the questioning.[2]

Covert investigations in which employees are involved in informal or even private conversations to induce them to provide statements are not compatible with the data-processing principles of good faith and the requirement of recognisability, according to article 4 of the Swiss Federal Act on Data Protection.[3]

Also, rights to information arise from the Swiss Federal Act on Data Protection. In principle, the right to information (article 8, Swiss Federal Act on Data Protection) is linked to a corresponding request for information by the concerned person and the existence of data collection within the meaning of article 3 (lit. g), Swiss Federal Act on Data Protection. Insofar as the documents from the internal investigation recognisably relate to a specific person, there is in principle a right to information concerning these documents. Subject to certain conditions, the right to information may be denied, restricted or postponed by law (article 9 paragraph 1, Swiss Federal Act on Data Protection). For example, such documents and reports may also affect the confidentiality and protection interests of third parties, such as other employees. Based on the employer's duty of care (article 328, Swiss Code of Obligations), the employer is required to protect them by taking appropriate measures (eg, by making appropriate redactions before handing out copies of the respective documents (article 9 paragraph 1 (lit. b), Swiss Federal Act on Data Protection)).[4] Furthermore, the employer may refuse, restrict or defer the provision of information where the company’s interests override the employee’s, and not disclose personal data to third parties (article 9 paragraph 4, Swiss Federal Act on Data Protection). The right to information is also not subject to the statute of limitations, and individuals may waive their right to information in advance (article 8 paragraph 6, Swiss Federal Act on Data Protection). If there are corresponding requests, the employer must generally grant access, or provide a substantiated decision on the restriction of the right of access, within 30 days (article 8 paragraph 5, Swiss Federal Act on Data Protection and article 1 paragraph 4, Ordinance to the Federal Act on Data Protection).

 

[1] Roger Rudolph, Interne Untersuchungen: Spannungsfelder aus arbeitsrechtlicher Sicht, SJZ 114/2018, p. 390.

[2] Roger Rudolph, Interne Untersuchungen: Spannungsfelder aus arbeitsrechtlicher Sicht, SJZ 114/2018, p. 390.

[3] Roger Rudolph, Interne Untersuchungen: Spannungsfelder aus arbeitsrechtlicher Sicht, SJZ 114/2018, p. 390.

[4] Claudia Götz Staehelin, Unternehmensinterne Untersuchungen, 2019, p. 37.

Last updated on 15/09/2022

Thailand

  • at Chandler MHM

The subject employee(s) should be informed of the details of the allegations, such as the details of wrongdoing or violations, made against them. This creates a fair opportunity for them to clarify themselves and defend against such allegations properly. Also, if there is any evidence that needs clarification from the employee, it should be shown to the employee.

Last updated on 15/09/2022

Turkey

  • at Paksoy

Informing the employee under investigation about the subject, purpose and possible consequences of the investigation needs to be evaluated by the investigation team before the interview. As a general principle, the interviewer is expected to share the information he or she obtained on the case with the employee, and ask for confirmation or clarification on these matters. The employee under investigation may be subject to an interview to gain information or as a confrontation if there is concrete evidence. If the evidence in hand is not based on concrete and material grounds, it would be more appropriate not to lead the interview to a confession, but to inform the employee of the possible allegations. However, if the available evidence is based on concrete and material grounds, the interviewer may confront the interviewee by sharing the information that was gathered during the investigation in an attempt to obtain a confession.

Last updated on 15/09/2022

United Kingdom

  • at Slaughter and May

The employee must be able to effectively challenge the allegations against them. They should be given the terms of reference for the investigation, and any relevant documentary evidence, including copies of witness statements.

Last updated on 15/09/2022

United States

  • at Cravath, Swaine & Moore

The investigator must disclose to the employee under investigation the purpose of the investigation and, where the investigator is in-house or outside counsel, he or she should disclose that the company is the client.

Last updated on 15/09/2022

Vietnam

  • at Le & Tran Law Corporation

There is no legal requirement as to what particular information should be stated in the allegations; however, such information must be provided to the employee under investigation. The information provided by the employer to the employee must be sufficiently clear and specific so that the latter understands the case or alleged issues against him or her and can respond to it.

Last updated on 25/09/2023