Workplace Investigations

As part of an investigation, the investigator may want to collect evidence such as camera footage from CCTV, swipe card records, computer records, telephone records or recordings and GPS tracking. There are state-based workplace surveillance laws that operate in each jurisdiction in Australia. The laws recognise that employers are justified in monitoring workplaces for proper purposes, but this is balanced against employees’ reasonable expectations of privacy.

The Privacy Act 1988 (Cth) (Privacy Act) also regulates how certain organisations handle personal information, sensitive personal information and employee records. The Privacy Act contains 13 privacy principles that regulate the collection and management of information. Employers should familiarise themselves with the privacy principles before conducting any investigation to ensure they are not in breach when gathering evidence.

All data processing must comply with the principles of article 5 GDPR (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation and integrity). Personal data may only be collected and processed for specific, lawful purposes.

The admissibility of data processing depends on whether the suspicion relates to a criminal offence or another violation of the law. If the data processing is relevant to criminal law, article 10 GDPR or section 4(3) of the Austrian Data Protection Act (DSG) applies. If the investigations are exclusively to clarify violations under civil or labour law, such as an assertion of claims for damages or if they are general investigations to establish a criminal offence, the permissibility of data processing is based on article 6 or, for data covered by article 9 GDPR, on this provision.

Here, the investigation “collides” with the right to privacy of the persons involved.

First, the rules and principles of the GDPR will apply if personal data is involved. Therefore, the employer will have to find a data-processing ground, which could be his or her legitimate interest or the fact that the investigation could lead to legal proceedings, etc. The data processing should also be limited to what is proportionate and the data subjects should be informed. Due to this obligation, it is arguable that the GDPR policy already provides the necessary information for the employees not to jeopardise the investigation. In any case, data subjects should not be able to use their right to access data to ascertain the preliminary findings of the investigation (which are confidential) or any confidential identities involved (eg, in the whistleblower procedure, the identity of the report should be protected at all times).

Also, the employer should follow the procedure of Collective Bargaining Agreement No. 81 on searching the e-mails or computer files and internet searches of employees. This CBA limits the purposes for searches and lays down a double-phase procedure that needs to be followed if private data is involved. Next to this, the employer should also take into account the case law of the European Court of Human Rights, which only allows e-mail and computer searches based on the following:

• whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence and the implementation of such measures;
• the extent of the monitoring and the degree of intrusion into the employee’s privacy (including a distinction between the monitoring of the flow or the content of the communications);
• whether the employer has provided legitimate reasons to justify monitoring of the communications and accessing of their actual content; and
• whether it would have been possible to establish a monitoring system based on less intrusive measures, the consequences of the monitoring for the employee who is subject to it, and whether the employee had been provided with adequate safeguards.

Next, if the employer wants to use camera images, the rules of Collective Bargaining Agreement No. 68 should have been followed when installing cameras. If not, the images might have been collected illegally.

The Brazilian General Data Protection Law (LGPD) does not have specific rules or principles that apply to internal investigations conducted within private organisations. Despite that, the general principles and obligations set forth by the LGPD apply to any processing of personal data carried out within the context of such investigations. As a result, the company must ensure the transparency of such processing activities through a privacy notice addressed to the data subjects; only process the personal data that is necessary for the investigation; define the lawful basis that applies to such processing activities (especially for sensitive data); and apply any other obligations established by the LGPD.

The Civil Code of the PRC, the Personal Information Protection Law of the PRC and other laws provide for the protection of employees' personal information and privacy. Employers are often involved in checking the information and materials stored in the computers, hard disks and other electronic office equipment provided to employees in internal investigation and are likely to access the employees' personal information including personal privacy information, such as the communication records stored in instant communication software such as WeChat, QQ or other instant communication software or to and from private email boxes. According to the Personal Information Protection Law of the PRC, employers are required to perform the obligation of informing and obtain the individuals' consent prior to the processing of personal information, i.e. the principle of informing + consent. Moreover, the Civil Code of the PRC stipulates that no organization or individual may process any person's private information, except as otherwise provided by law or with the explicit consent of the right holder.

Therefore, the legitimacy of obtaining data evidence can be enhanced and guaranteed only if it is explicitly stated in the relevant rules and regulations that the employer shall have the right to the work equipment provided to the employees or obtains the employees' personal consent.

Generally, the basic principles set out by the GDPR and the Finnish Data Protection Act apply to data processing in connection with investigations, including evidence gathering: there must be a legal basis for processing, personal data may only be processed and stored when and for as long as necessary considering the purposes of processing, etc.

Additionally, if physical evidence concerns the electronic communications (such as emails and online chats) of an employee, gathering evidence is subject to certain restrictions based on Finnish ePrivacy and employee privacy laws. As a general rule, an employee’s electronic communications accounts, including those provided by the employer for work purposes, may not be accessed and electronic communications may not be searched or reviewed by the employer. In practice, the employer may access such electronic correspondence only in limited situations stipulated in the Act on Protection of Privacy in Working Life (759/2004), or by obtaining case-specific consent from the employee, which is typically not possible in internal investigations, particularly concerning the employee suspected of wrongdoing.

However, monitoring data flow strictly between the employee and the employer's information systems (eg, the employee saving data to USB sticks, using printers) is allowed under Finnish legislation, provided that employee emails, chats, etc, are not accessed and monitored. If documentation is unrelated to electronic communications, it also may be reviewed by the employer. Laptops, paper archives and other similar company documentation considered "physical evidence" may be investigated while gathering evidence on the condition that any private documentation, communications, pictures or other content of an employee are not accessed.

GDPR principles fully apply to data gathering, as well as case law protecting the right to respect one’s private life and the secret of correspondence.

When collecting data (in physical or digital form), the employer must ensure compliance with the data protection principles according to the General Data Protection Regulation (DSGVO) and the German Data Protection Act (BDSG). These principles include, among other things, that data collection must be carried out lawfully (principle of legality) and transparently (transparency principle) and must be comprehensively documented – specifically concerning the purpose of the workplace investigation – to be able to prove compliance with data protection.

The principle of legality states that data may only be collected on a legal basis (ie, there must either be a law authorising this or the employee must have consented to the collection of his data).

The transparency principle may constitute a special challenge during workplace investigations. Under the transparency principle, the employee must be generally informed about the collection of his data. This includes information on who processes the data, the purposes for which it is processed and whether the data is made available to third parties. However, there may be a risk of collusion, particularly when electronic data has to be reviewed, and thus the success of the investigation may be jeopardised if the relevant employee is comprehensively informed in advance. Accordingly, the employer should check, with the assistance of the data protection officer, whether the obligation to provide information may be dispensed with. This may be the case if providing the information would impair the assertion, exercise or defence of legal claims and the interests of the employer in not providing the information outweigh the interests of the employee. The respective circumstances and employer's considerations should be well documented in each case.

Regardless of whether the employee is informed about the investigation, to prevent data loss, the employee should be sent a so-called hold notice (ie, a prohibition to delete data). Additionally, to prevent automatic deletion, blocking mechanisms should also be implemented.

When gathering evidence by searching the employee's possessions or files, the employee's privacy rights also need to be observed (see question 8).

GDPR and the provisions of L. 4624/2019 regulate the gathering of physical evidence from a data protection perspective, providing, among other things, that personal data should be processed with transparency and to the extent necessary for the investigation.

L.4990/2022 on the protection of persons who report breaches of Union law regulates data protection issues in the context of whistleblowing investigations, mainly to safeguard confidentiality throughout the investigations.  

If physical evidence contains data relating to an individual, from which the identity of the individual can be ascertained,[1] the data would constitute personal data under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO). The PDPO sets out several data protection principles that the employer must comply with while processing personal data, including:[2]

• personal data must be collected for a lawful purpose related to a function or activity of the employer and should not be excessive for this purpose. An internal investigation would be regarded as a lawful purpose;
• personal data must be accurate and not kept longer than is necessary;
• personal data must not be used for a purpose other than the internal investigation (or other purposes for which the data was collected) unless the employee consents to a new use or the new use falls within one of the exceptions provided in the PDPO;
• personal data must be safeguarded against unauthorised or accidental access, processing or loss; and
• the employee whose personal data has been collected has the right to request access to and correction of his or her personal data retained by the employer.

If an employer wants to gather evidence through employee monitoring, it should ensure that the act of monitoring complies with the data protection principles of the PDPO if the monitoring activity would amount to the collection of personal data. The Privacy Commissioner for Personal Data has issued guidelines to employers on the steps they can take in assessing whether employee monitoring is appropriate for their businesses.[3] As a general rule, employee monitoring should be conducted overtly. Further, those who may be affected should be notified in advance of the purposes the monitoring is intended to serve, the circumstances in which the system will be activated, what personal data (if any) will be collected and how the personal data will be used.

Covert surveillance of employees should not be adopted unless it is justified by relevant special circumstances. Employers should consider whether there is reason to believe that there is an unlawful activity taking place and the use of overt monitoring would likely prejudice the detection or collection of evidence.[4] Even if covert monitoring is justified, it should target only those areas in which an unlawful activity is likely to take place and be implemented for a limited duration of time.

In India, the collection, disclosure, transfer and storage of personal data is regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPD Rules). Accordingly, if during an investigation any sensitive personal information (such as information relating to passwords; financial information such as a bank account, credit or debit card or other payment instrument details; a physical, physiological or mental health condition; sexual orientation; medical history; and biometric information) is collected, then the requirements under the SPD Rules will need to be complied with. This would include obtaining an individual’s “informed consent” before collecting any sensitive personal data if such information is intended to be collected or stored in an electronic format.

Under the GDPR (General Data Protection Regulation), personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Data Protection Commission published Data Protection in the Workplace: Employer Guidance in April 2023, which is a useful guide.

Employers should exercise caution when gathering physical evidence that may involve the use of CCTV or other surveillance practices. The Irish Court of Appeal in the case of Doolin v DPC examined the use by an employer of CCTV footage for disciplinary purposes and found such use constituted unlawful further processing. The original reason for processing the CCTV footage was to establish who was responsible for terrorist-related graffiti that was carved into a table in the staff tearoom. It subsequently transpired Mr Doolin, who was in no way connected to the graffiti incident, had accessed the tearoom for unauthorised breaks and a workplace investigation followed. The original reason for viewing the CCTV related to security, but further use of the CCTV footage in the disciplinary investigation was not related to the original reason. This case confirms that employers must have clear policies in place in compliance with both GDPR and the Data Protection Act 2018 specifying the purpose for which CCTV or any other monitoring system is being used. Not only that, but these policies must be communicated to employees specifying the use of such practices.

It is not only data about the investigation that must be processed fairly, but any retention of the data, which can only be further processed with good reason. It is a legitimate business reason to retain data to deal with any subsequent requests or appeals under various internal or statutory processes, provided employees have been advised of the relevant retention period.

Several legal and case-law principles may be relevant depending on the kind of investigation, including the following:

• gathering evidence through employee “physical inspections and inspections on the employee’s belongings”: according to article 6 of the Workers’ Statute, these inspections are generally prohibited. They are permitted only where necessary to protect company assets (in such cases, corporal inspections may be carried out, subject to trade union agreement or National Labour Inspectorate authorisation, provided that, for example, they are carried out outside the workplace, that employees are selected with an automatic selection tool, and that the dignity and confidentiality of employees are protected);
• gathering evidence through “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities arises”: according to article 4 of the Workers’ Statute, remote systems cannot be directly aimed at controlling employees’ activity, but can only be put in place for organisational, production, work safety or asset-protection needs (which may result in an indirect control over employees’ activity), and may be installed before a trade union agreement or with previous authorisation from the National Labour Inspectorate; however, these rules do not apply to working tools in an employee’s possession (see question 8) and, in any case, employees must be informed of the possibility of remote control;
• gathering physical evidence through so-called defensive controls: according to the most recent case law, “defensive controls” can be defined as investigations carried out by the company where it has a suspicion of unlawful conduct by its employees. These controls can be carried out within certain limits and restrictions provided by case law – even in the absence of the guarantees provided for in article 4 of the Workers’ Statute.

In addition, when gathering physical evidence, there may be other provisions of law not strictly related to employment law that must be followed, for example, regarding privacy regulations (eg, minimisation of the use of personal data, collection of data only for specific purposes, and adoption of safety measures).

When collecting physical evidence that contains personal information, the Personal Information Protection Law and its related guidelines apply. In addition, when collecting physical evidence that contains privacy information or an employee's photograph, care must be taken to ensure that the right to privacy and the image rights are not violated.

Dutch data protection rules are based on the EU Data Protection Directive. The employer has to notify the Dutch Data Protection Authority when processing personal data as part of an internal investigation. Given that the notification can be accessed publicly, it is recommended that the employer give a sufficiently high-level description of the case. In addition, the description should be sufficiently broad to include the entire investigation, and any future expansions of the scope of the investigation. Often companies make filings for all future internal investigations, without referring to specific matters.

The employer has to notify employees whose personal data is being processed about – among other things – the purposes of the investigation and any other relevant information. According to the Dutch Data Protection Act, this information obligation may only be suspended on restricted grounds, i.e. if the purpose of the investigation is the prevention, detection and prosecution of crimes and postponement is necessary for the interests of the investigation (e.g., because there is a risk of losing evidence, or collusion by individuals coordinating responses before being interviewed)). These exceptions on the duty to inform involved persons must be interpreted very restrictively. As soon as the reason for postponement is no longer applicable (e.g., because the evidence has been secured), the individuals need to be informed.

Dutch data protection law does not require the consent of employees. Consent given by employees, however, also cannot compensate for a lack of legitimate purpose or unnecessary or disproportionate data processing, as the consent given by an employee to its employer is not considered to be voluntary given the inequality of power between them.

Furthermore, internal company policies may contain specific data protection rules.

When gathering evidence, the person being investigated is protected by the Constitution, the Freedom of Information Act and the Nigerian Data Protection Regulation (NDPR), among others.

The Constitution, particularly section 37, guarantees the right of a person to privacy.

The NDPR is the main data protection regulation in Nigeria. It regulates the processing and transfer of personal data.

Further, the Freedom of Information Act, 2011 prohibits the disclosure of information gathered during an investigation to the public.

The procedure for gathering physical evidence is governed primarily by company policy. Nevertheless, the Data Privacy Act of the Philippines protects all data subjects from unlawful processing of their personal information without consent.

If personal data is involved – the rules and principles of the GDPR will apply. If the physical evidence includes e-mail correspondence, files, or an employee’s equipment and possessions, the Labour Code will apply (ie, as a general rule, to monitor it, a monitoring policy must be implemented at that working establishment). Such a policy must strictly determine the aim of the surveillance and an employer must only apply surveillance in situations that reflect this aim. Also, when it comes to monitoring correspondence, it must not infringe on the secrecy of the correspondence, which in practice means that the employer should not check employees’ private correspondence when checking their business mailboxes.

Whenever employers process personal data in the course of an investigation, they need to comply with Regulation (EU) 2016/679 (the GDPR) and Law 58/2019, which implements the GDPR in Portugal (jointly the Data Protection Regulations). If the gathering of physical evidence includes the collection and processing of sensitive data (eg, related to the employee’s health or any other category outlined in article 9 of the GDPR), additional safety measures should be in place to safeguard the adequate and confidential nature of such information.

The employer may collect the personal data of an individual without the individual’s consent or from a source other than the individual, where it is necessary for any investigation according to section 17(1) read with paragraph 4 of Part 3 of the Third Schedule of the Personal Data Protection Act 2012 (PDPA). Under section 2(1) of the PDPA, “investigation” means an investigation relating to:

• a breach of an agreement;
• a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in the exercise of its powers under any written law; or
• a circumstance or conduct that may result in a remedy or relief being available under any law.

Under the Banking Act 1970, a bank and its officers cannot disclose customer information to third parties, subject to certain exceptions. An employer carrying out a workplace investigation does not fall within any of the exceptions.

It may be difficult for a company to search and collect physical items that personally belong to the employee.

While the company may search and gather electronic data, such as emails or files stored in work laptops or company servers, there are requirements and restrictions under the Criminal Code, the Personal Information Protection Act (PIPA), and the Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (Network Act), among other laws. 

Article 316(2) of the Criminal Code states that accessing the contents of another person’s documents, pictures, special media records, etc, that are sealed or designated as secret using technical means may constitute the crime of accessing electronic records.

Under the PIPA, consent must be obtained from the information owner to collect or use personal information, or to provide such information to a third party. Consent must be separately obtained for sensitive information or unique identification information. There are strict requirements as to the format and contents of the consent forms under the PIPA.

The Network Act prohibits accessing an information and communications network without rightful authority or any intrusion that goes beyond the permitted authority for access. Although this may not be an issue if a company directly manages the email accounts at issue, if an employee’s email account is protected by a password or through other means, accessing emails from that account without obtaining the employee’s consent could constitute unlawful intrusion under the Network Act as well as under the Criminal Code as discussed above.

The General Data Protection Regulation and the Spanish Data Protection Law apply when gathering any type of evidence, including physical evidence. This means that companies may only process personal data when they have lawful grounds to do so and within the limits set forth for special categories of personal data (health, union affiliation, criminal records, etc.).

The Spanish Statute of Workers specifically states that employees and their possessions may be registered when it is necessary to protect the companies’ property (or the property of other co-workers). This registration must:

• be conducted in the workplace and during working hours;
• respect the employee’s privacy and dignity; and
• be performed in front of an employee representative or, if not possible, in the presence of another employee of the company.

To the extent the gathering of physical evidence includes the processing of personal data, please see question 1.

The Swiss Federal Act on Data Protection applies to the gathering of evidence, in particular such collection must be lawful, transparent, reasonable and in good faith, and data security must be preserved.[1]

It can be derived from the duty to disclose and hand over benefits received and work produced (article 321b, Swiss Code of Obligations) as they belong to the employer.[2] The employer is, therefore, generally entitled to collect and process data connected with the end product of any work completely by an employee and associated with their business. However, it is prohibited by the Swiss Criminal Code to open a sealed document or consignment to gain knowledge of its contents without being authorised to do so (article 179 et seq, Swiss Criminal Code). Anyone who disseminates or makes use of information of which he or she has obtained knowledge by opening a sealed document or mailing not intended for him or her may become criminally liable (article 179 paragraph 1, Swiss Criminal Code).

It is advisable to state in internal regulations that the workplace might be searched as part of an internal investigation and in compliance with all applicable data protection rules if this is necessary as part of the investigation.

The basic premise is that all evidence is admissible unless it violates the law of admissibility and production of evidence, which may vary depending on the jurisdiction. In a criminal court, for example, evidence gathered in violation of the fruit of the poisonous tree doctrine would be typically inadmissible, yet in a civil court, this doctrine would not be an exclusionary rule.

The Personal Data Protection Act, BE 2562 (2019) (PDPA), which is the main data protection law in Thailand, applies when collecting, using, and disclosing pieces of evidence containing the personal data of employees. If the investigation requires sensitive information of the employee under investigation, for example, race, ethnic origin, political opinion, religious or philosophical beliefs, sexual behavior, criminal records, health data, disability, genetic data and biometric data, consent from the employee should be obtained.

The conditions applicable to gathering physical evidence mainly stem from the precedents of the Turkish Constitutional Court about employment disputes and the rules set forth under Turkish Law No. 6698 on the Protection of Personal Data (DPL). It is generally accepted that employers can gather physical evidence for certain legitimate purposes, such as disciplinary investigations, the prevention of bribery and corruption, fraud or theft, money laundering, and employee performance monitoring and compliance. In doing so, employers must, however, comply with the fundamental principles of the Turkish Constitutional Court as briefly described below:

• The grounds for the gathering of evidence must be legitimate. The definition of the legitimate interests of the employer may change depending on the characteristics of the business, workplace and employee job description, as well as the specific circumstances of the case. Therefore, it is advisable to carry out a balancing test between the legitimate interest the employer is seeking to protect and the employee’s interest in the protection of their privacy.
• The collection activities must be proportionate, in the sense that the measure implemented by the employer must be appropriate and reasonably necessary to achieve the legitimate purpose, without infringing upon the fundamental rights and freedoms of the employees. For instance, e-mail monitoring to collect evidence may not be proportionate if it is determined that e-mails that are not related to the incident subject to investigation are also accessed. To achieve this, certain keywords or algorithms can be used while monitoring e-mails during a disciplinary investigation.
• The collection process must be necessary to achieve the purpose. In other words, the collection of physical evidence must only be carried out to the extent there are no other measures allowing the employer to achieve its purpose, such as witness testimony, workplace records, or examining the results of projects. If the purpose can be achieved through less invasive means, the collection of physical evidence may not comply with the principles established by the decisions of the Constitutional Court.

Separately, depending on the type of physical evidence collected, the collection process may lead to the processing of the concerned employees’ personal data. Under the DPL, personal data collected in Turkey can only be processed if the explicit consent of the data subject is obtained; or the data is processed based on one of the exceptions to consent provided by the law. To the extent the data processing can be deemed to be based on the pursuit of a legitimate interest of the employer, it should also meet the following conditions:

• it should be the most convenient and efficient method to identify any employee wrongdoing to protect the legitimate interests of the company; and
• the data processing should not harm the fundamental rights and freedoms of the employees.

The employer should in any case comply with the obligation to inform employees before the processing of their data, through a privacy notice containing mandatory information required by the DPL.

In addition, as a general principle, the evidence-gathering process should always be conducted based on the assumption that the internal investigation can lead to litigation. Any evidence that will be used in litigation needs to have been gathered in compliance with the law. In both criminal and civil litigation, the courts will review each piece of evidence to confirm whether it was gathered through lawful methods and disregard any evidence that fails to comply with due process.

Most forms of workplace surveillance involve the processing of personal data that is regulated by the UK GDPR and DPA 2018. The UK GDPR requires that personal data must be processed lawfully, fairly and in a transparent manner; it also must be adequate, relevant and limited to what is necessary concerning the purposes for which it is processed.

Employers should ensure that they have undertaken a data protection impact assessment (DPIA) to document the lawful basis for processing data, and informed employees that their files may be searched before proceeding. They should also ideally have a clear policy on the use of electronic communications systems, detailing when, how and for what purpose they may be monitored by the employer. In Q3 2023 the ICO produced new guidance on monitoring workers (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/) and on email and security (https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/) which employers should bear in mind during investigations. Employers should also be prepared to make the data collected through employee monitoring available to employees, should the employee submit a data subject access request under the DPA 2018.

The IPA 2016 makes it unlawful in certain circumstances to intercept a communication (such as one on an employer’s telephone or computer network) in the course of its transmission in the UK. The IPA Regs 2018 set out the circumstances where, in a business context, such interception will be lawful. These include monitoring or recording communications without consent to: establish the existence of facts; ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business; ascertain or demonstrate standards which are or ought to be achieved by persons using the system; and prevent or detect crime.

Covert surveillance can lead to a breach of an employee's right to privacy under the HRA 1998. The employer will need to consider if covert surveillance is proportionate, which will depend on the facts of each case. Employers should be careful not to use the investigation as an excuse to undertake a "fishing expedition", and should avoid gathering material that is obviously personal, such as private messages and diary entries (see question 8).

Documents and instruments that set out a company’s policies (eg, employee handbooks, code of conduct or other written guidelines) often contain provisions regarding employee data and document collection, workplace searches, communication monitoring, privacy, and confidentiality. As discussed below, state and federal constitutional, statutory and common law – and in some cases foreign data privacy regimes – may provide additional protections to protect employees from an unwarranted or unreasonable invasion of privacy during an internal investigation.

Decree No. 13/2023/ND-CP on personal data protection is the main data protection regulation in Vietnam. It regulates the processing of personal data, including the collection or gathering of data. If the physical evidence contains personal data of an individual, the gathering of physical evidence must comply with this decree.

There are legal requirements related to the time you must keep certain employee records in Australia, such as pay slips and time sheets. However, there are no laws concerning disciplinary records.

Employers can rely on previous misconduct to justify an employee’s termination of employment where it can be shown it is part of a course of conduct. Accordingly, if complaints have been substantiated, and disciplinary action has been taken, these records should be maintained. However, if a significant period has elapsed since the misconduct, an employer should carefully consider whether it is appropriate to rely on this past behaviour to justify future disciplinary action for similar conduct.

Data protection law requires that personal data should not be kept longer than necessary for the purpose it was collected. Once the purpose of the internal investigation is fulfilled and the data is no longer needed, it should be deleted or anonymised. Regulations regarding this matter may also be subject to WCAs or internal policies. In any case, it is advisable to keep the results for as long as they may be needed in possible subsequent administrative or judicial proceedings.

According to the GDPR, personal data should only be stored for a proportionate amount of time. Usually, this means that it can be stored as long as it is relevant for the employment contract, and even afterwards, if there is a risk of legal proceedings (ie, regarding the dismissal of the employee).

The existence of the investigation should be kept on file for at least five years from the date of its conclusion. All information related to the investigation should be kept on file for the same period, but not on the employee’s record, to avoid the risk of accidental access by unauthorised individuals.

The relevant laws and regulations in the PRC have not clarified the retention period of the investigation findings. According to Article 19 of the Personal Information Protection Law of the PRC, unless otherwise required by laws or administrative regulations, the retention period of personal information shall be the shortest period necessary to achieve the purpose of handling the information. Since the employee's personal information is very likely to be involved in the investigation findings, such report should be retained for the shortest period necessary to achieve the purpose of handling the information. In general, once the investigation is completed, the purpose of the internal investigation has been achieved or it is no longer necessary to achieve the purpose, and the employer may, in accordance with Article 22 of the Administrative Regulations of the PRC on Network Data Security (Draft for Comments), delete or anonymize the personal information within fifteen (15) working days. If it is technically difficult to delete the personal information, or it is difficult to do so within fifteen (15) working days due to business complexity or other reasons, the employer shall not conduct any processing other than storing the personal information and adopting necessary security measures, and shall give reasonable explanations to the employee.

Please see question 7. The outcome of the investigation involving personal data may be retained only for as long as is necessary considering the purposes of the processing. In general, the retention of investigation-related data may be necessary while the investigation is still ongoing and even then the requirements of data minimization and accuracy should be considered. The data concerning the outcome of an investigation should be registered to the employee's record merely to the extent necessary in light of the employment relationship or potential disciplinary measures. In this respect, the applicable retention time depends on labour law-related rights and limitations, considering eg, the applicable periods for filing a suit.

If the outcome of the internal investigation has led to the sanctioning of an employee, this sanction may no longer be invoked to support a new sanction after three years. Moreover, under the GDPR principles, the duration of retention must be proportional to the use of the data. Therefore, the data must be retained only for a period that is “strictly necessary and proportionate”. If the employer wants to keep information about the investigation in the longer term, it is possible to archive the employee’s record even though the employer will no longer be able to use it against the employee after three years.

If there is no special statutory storage period (which is the case for investigative reports and findings), personal data may only be stored for as long as is necessary for the purposes for which they are collected. As soon as the data is no longer required, it must be deleted. In connection with workplace investigations, the question arises as to how this obligation to delete personal data relates to the company's corporate interests. From the company's perspective, there may well be legitimate interests that speak in favour of retaining existing data for as long as possible. Under the data protection regulations of the DSGVO and the BDSG, data can be stored for as long as it is required for the assertion, exercise or defence of (civil) legal claims. This means that the data can, in any event, be saved at least as long as any measures related to the workplace investigation have not yet been completed and any legal disputes have not yet been concluded.

Under the General Data Protection Regulation, employees’ personal details and information must be kept in the business records for as long as is necessary for the purposes of the employment relationship. Otherwise, stored data must be deleted. However, under L.4990/2022[14], reports remain in the relevant record for a reasonable and necessary time, and in any case until the completion of investigations or proceedings before the courts that have been initiated as a consequence of a complaint against the employee under investigation, the complainant or any third parties.

There is no legal requirement in Hong Kong on this. However, since the investigation records will likely contain personal data, employers should be mindful of the requirement under the PDPO that personal data should not be kept for longer than necessary.[1]

According to the Code of Practice on Human Resources Management published by the Privacy Commissioner for Personal Data, generally, employment data about an employee can be kept for the entire duration of his or her employment, plus a recommended period of no more than seven years after the employee leaves employment unless there is a subsisting reason that justifies a longer retention period. A longer retention period may be justified where there is ongoing litigation or a parallel investigation. Even where it is deemed necessary to retain the outcome of the investigation concerning a departed employee, the employer should ensure that other personal data on the employee’s record (that is unrelated to the purpose of retention) are erased after the expiry of the recommended retention period.

There is no statutory guidance on this. It is common for employers to retain details of disciplinary proceedings on an employee's record for the entire duration of their employment.

It is also advisable to retain the details of any investigations or disciplinary proceedings for at least three years after an individual has been dismissed on account of such proceedings, as this is the general limitation period for raising claims of unfair dismissal. In labour matters, courts in India often allow delays in filing suit after the limitation period, meaning organisations sometimes make a practical call to retain details of investigations and disciplinary proceedings for longer.

Irrespective of the outcome of the investigation, the fact that an employee was subject to an investigation is not the key issue. The key concern is whether any further action was taken as a result of the investigation. If a disciplinary process ensued, then it is the outcome of that disciplinary record and any subsequent appeal that would or would not be noted on an employee's record. If a disciplinary sanction were imposed then the length of time the sanction remains on the employee's record would depend on what is specified in the disciplinary policy.

The employer would normally keep the outcomes of the investigation for the entire duration of the employment relationship with the involved employee.

After the termination of the employment relationship, it appears reasonable to conclude that the employer would be entitled to retain this information for the time necessary to exercise its defence rights in litigation (taking into account that 10 years is the statute of limitations for contractual liability). Further requirements or restrictions under general privacy laws (and particularly the GDPR) should also be checked.

According to Art. 14 WB Decree, internal and external whistleblowing reports (including related documents) must be kept for as long as necessary for report processing, but no more than five years from the date of transmission of the procedure's final outcome.

Records related to responses to whistleblowing must be kept for an appropriate period, but there is no legal stipulation on the retention period. Each entity is required to set an appropriate period after considering the need for evaluation and inspection, and the handling of individual cases. There is no legally stipulated retention period for other investigation results.

The outcomes are usually kept in the records until termination of the employment agreement and only deleted when personal records are deleted.

The law does not provide for the time the outcome of the investigation may remain on the employee’s record. However, this will depend on the employer’s record-retention policies, which must comply with applicable data protection laws.

The outcome of the investigation should only remain on the employee’s record for as long as is necessary, but shall not be less than three years as this is the record-keeping requirement under the Philippine Labor Code. If circumstances deem that such a report ceases to have any purpose whatsoever, it should be struck out of the employee’s record.

Neither Polish law nor the Draft Law specifically provide for a mandatory period during which the outcome of the investigation should be kept on the employee’s record.

At the same time, the Draft Law indicates that the register of whistleblowing reports, which should also contain information about follow-up actions undertaken as a result of the report, should be kept for 15 months starting from the end of the calendar year in which the follow-up actions have been completed, or the proceedings initiated by those actions have been terminated.

Also, while determining how long the outcome of an internal investigation should be kept, additional legal considerations can be taken into account, especially data privacy.

The GDPR does not specify precise storage time for personal data. The employer must assess what will be an appropriate time for storage of the data, taking into consideration the necessity of keeping personal data concerning the purpose of the processing in question. Employees' personal data should be kept for the period necessary for the performance of the employment relationship and may be kept for a period appropriate for the statute of limitations for claims and criminal deeds. A longer retention period may result from applicable laws. Following the Regulation of the Minister of Family, Labour and Social Policy on employee documentation, the employer may keep a copy of the notice of punishment and other documents related to the employee’s incurring of disciplinary responsibility in the employee record.

There are different retention periods for the data contained in employee files:

• 10 years if the employee was hired on or after 1 January 2019;
•  if the employment relationship began between 1 January 1999 and 1 January 2019, the retention period is 50 years, but may be reduced to 10 years if the employer provides the Polish Social Insurance Institution with certain mandatory information; and
•  for 50 years if the employee was hired before 1 January 1999. It does not matter whether the person is still working or not.

There are no specific rules in the Portuguese Labour Code on this matter.

However, article 332 of the PLC states that the employer should keep an updated record of disciplinary sanctions, so the competent authorities can easily verify compliance with applicable provisions. Accordingly, it is advisable to maintain a record of disciplinary sanctions during the entire employment relationship.

Also, please note that some collective bargaining agreements state that the disciplinary register must be deleted from the employee’s record periodically.

This depends on the company’s internal disciplinary policy and the severity of the offence. For instance, a written warning issued against an employee for minor misconduct is usually kept in the respondent employee’s file for one year and if the employee does not commit any further breaches during this time, the written warning will be expunged. However, if there is a finding of serious misconduct, particularly if such a determination results in the dismissal of the employee, these records are generally kept in the employee’s file for the duration of time such records are statutorily required to be maintained.  

There is no legal requirement on how long the records of the investigation (eg disciplinary action) should be maintained by the company. Many companies maintain a record of disciplinary action throughout the employment period.

The outcome of the investigation will contain personal data of the affected employee. For this reason, this information should only be kept for as long as a legal obligation or liability in connection with the information could arise for the company. Since the general statute of limitations for employment liability is one year, this is a good guideline.

In addition to the above, two specific rules apply:

• once the information becomes irrelevant for the purpose for which it was obtained and processed, the information should no longer be stored on the employee’s record or elsewhere; and
• the employees’ information (including those of the reporter and the affected employees) should only be stored in whistleblower systems during the time that is necessary to decide on whether the facts need to be investigated or not and, in any case, for a maximum period of three months.

Under the GDPR personal data may not, according to the general principle on storage limitation, be retained for longer than is necessary for the purposes for which the personal data are processed. The GDPR does not stipulate a generally applicable storage limitation period. Such a regulation is, on the other hand, included in the Swedish Whistleblowing Act. If the Swedish Whistleblowing Act applies, the outcome of the investigation and all personal data should be retained for as long as necessary, but not for longer than two years after the investigation has been closed.

From an employment law point of view, there is no statute of limitations on the employee's violations. Based on the specific circumstances (eg, damage incurred, type of violation, basis of trust or the position of the employee), a decision must be made as to the extent to which the outcome should remain on the record.

From a data protection point of view, only data that is in the interest of the employee (eg, to issue a reference letter) may be retained during the employment relationship. In principle, stored data must be deleted after the termination of the employment relationship. Longer retention may be justified if rights are still to be safeguarded or obligations are to be fulfilled in the future (eg, data needed regarding foreseeable legal proceedings, data required to issue a reference letter or data in relation to a non-competition clause).[1]

There is no period required by law for keeping the outcome of the investigation on the employee’s record. However, if termination of employment is the outcome of the investigation, an employer should keep details of the investigation for at least 10 years, in line with the prescribed period for an employee to file an unfair dismissal claim against an employer. An employer may use the details of an investigation to defend such a claim. For other disciplinary action, the retention of investigation details on the employee’s record is at the employer’s discretion.

There is no provision in the legislation setting forth a specific duration for keeping the outcome of the investigation findings in personnel files. However, based on general principles, the outcome of the investigation can remain on the employee’s personnel files as long as the employer has a lawful interest in such processing without unnecessarily harming the privacy rights of the employee.

The investigation outcome may not need to be noted on the accused employee’s record at all. Usually only the outcome of any subsequent disciplinary or grievance process would be noted, rather than the prior investigation.

The employer should keep the investigation report for as long as it remains relevant. This would usually be no longer than six years, unless regulatory obligations dictate otherwise. The report along with all documentation and witness statements gathered during the investigation should be retained securely and confidentially but for no longer than is absolutely necessary under the requirements of the DPA 2018 and the employer's data protection policies and procedures. There may be additional retention requirements in a regulated context; the position for each particular business and employee should be checked.

There is no requirement for the results of a workplace investigation to remain on an employee’s record for any specific period. It is often helpful, however, for information relating to the outcome of such an investigation (regardless of whether the allegations are substantiated) to be accessible to the human resources or legal functions such that during the initial complaint intake process described above, any prior complaints and investigations relating to the same individual or group of individuals can be taken into account to identify any recurring issues or systemic violations.

Vietnamese law does not provide for a period during which the outcome of the investigation should remain on the employee’s records and files. However, this will depend on the employer’s record-retention policies, which must comply with applicable data protection laws.