Workplace Investigations

The starting position is that there is no general right for an employer to search an employee’s possessions. However, an employer may be able to undertake a search in circumstances where:

• the employee consents to the search;
• there is a “right to search” contained in a contract, policy, procedure or industrial instrument; or
• the request to search constitutes a lawful and reasonable direction.

If an employee agrees to a search of their possessions, this consent should be confirmed in writing. If the employee does not consent then the employer can issue a direction to the employee. If the direction is lawful and reasonable, and the employee does not comply, then disciplinary action may be considered.

In general, it is advisable to back up data, documents, emails and other records promptly to prevent their deletion. Admissibility depends on whether the data originates from personal or professional records and whether they are legally relevant. If internal investigations are carried out based on a specific suspicion of a criminal offence, it is the processing of legally relevant data. In general, the processing of professional emails or documents is permissible. If there is no professional connection, access to private files and documents is only permitted in exceptional cases.

If, for example, using a business email account for private purposes is not allowed, the employer can usually assume that the data processed is only "general" data within the meaning of article 6 GDPR and that such data processing is justified by a balancing of interests. However, if private use is allowed, the data may still be part of a special category within the meaning of article 9 GDPR. In such cases, the justification for its use must be based on one of the grounds explicitly mentioned in article 9(2) GDPR.

The employer must protect the employee's rights under section 16 of the ABGB and must consider the proportionality of the interference. Only the least restrictive means – the method that least interferes with the employee's rights – may be used to obtain the necessary information. The employer's interest in obtaining the information must outweigh the employee's interest in protecting his or her rights. The implementation or initiation of controls by the employer does not automatically constitute an interference with personal rights, as being subject to the employer's rights of control is part of the position as an employee.

The employer is, in principle, not entitled to search the employee’s private possessions, except with the explicit consent of the employee. Digital files on the computer or laptop of an employee can be searched under the rules of CBA No. 81 (see question 7) and other privacy rules.  

No; employers are only generally allowed to search the work tools they provide to employees, such as company mobile phones, electronic files, and company email and other electronic communications. However, they may also request that employees turn over any company documents in their possession.

Searches of employees’ private possessions or files during an investigation can only occur with the verifiable consent of the employee.   

Article 13 of the Constitution of the PRC provides that the lawful private property of the citizens shall not be violated. Therefore, during the process of investigation, without the employees' consent, the employer has no right to search the employees' personal possessions or files. If it is necessary to search the employees' personal possessions or files, the employer may require the employees to sign a Letter of Informed Consent before searching; or the employer may call the police and the search will be conducted under the escort of the public security authorities or directly by the public security authorities.

Only the police can search employees' possessions (assuming that the prerequisites outlined in the legislation are met).

In internal investigations, the fundamental rights and freedoms of employees are at stake,  including the right to privacy, respect for the privacy of home life and correspondence, freedom of expression, and the obligation of loyalty in searching for evidence.

In principle, work emails and files can be reviewed, even without the employee's consent, prior knowledge or warning. This includes: work email accounts; files stored on a work computer or a USB key connected to a work computer; and SMS messages and files stored on a work mobile phone and documents stored in the workplace unless they are labelled as “personal”. On the other hand, it is not permissible for an employer (or an investigator) to review “personal” emails and files, such as documents or emails identified as “personal” by the employee, or personal email accounts (Gmail, Yahoo, etc), even if accessed from a work computer.

There are certain exceptions to the above principle. An employer is allowed to check “personal” emails or data in any of the following cases:

• if the employee is present during the review;
• if the employee is absent, but was duly notified and invited to be present;
• if there is a particularly serious “specific risk or event”;
• if the review is authorised by a judge (this means having to prove a legitimate reason justifying not informing the employee).

When documents or emails are not marked as “personal” but contain information of a personal nature, the employer may open and review the data but may not use such documents or emails to justify applying disciplinary measures to the employee or use such documents or emails as evidence in court if they indeed relate to the employee’s private life.

Special attention must be given to employee representatives who must be entirely free to carry out their duties.

Files and documents that are purely business-related – whether in physical or digital form – may, in principle, be inspected by the employer without restriction. The employee has no right to refuse inspection.

When searching business laptops, computers, phones and e-mail accounts, a distinction must be made as to whether private use is permitted (or at least tolerated) or not: if the employee is allowed to use the items exclusively for business purposes, the employer may monitor and control them. If private use is permitted, the employee's right to privacy must be observed for private files, as must the protection of the secrecy of correspondence. Accordingly, the employer must avoid accessing private documents, files and e-mails. However, a review of private documents, files and e-mails may be permissible in the event of particularly serious violations if the employer's interest in the review outweighs the employee's interest in safeguarding his right to privacy. Generally, employers should allow private use of electronic devices only if employees have previously consented to the terms of use (including searches in certain cases).

A search of the employee's workplace by the employer is, in principle, permissible. However, a search of personal items (eg, bags, clothes, personal mobile phone) is generally only permissible with the employee's consent. Similarly to the review of digital personal data, a search of personal items may be permitted, however, in the event of particularly serious violations if the employer's interest in the search outweighs the employee's right to privacy.

As a first step, the employer should ask for the employee’s permission to access their possessions and files. Employment contracts and internal labour regulations may include provisions regarding an employer’s access to employees’ documents created and kept for business purposes or related to business activity.

As part of an investigation, an employer may search objects or files that are the company’s property (eg, electronic devices given by the employer for business purposes and emails or messages stored on the company’s server) without prior notice and the employee’s consent is not needed. The employer, however, has no right to search an employee’s possessions (eg, a private smartphone) without the employee’s consent.

To avoid arguments as to who a particular object belongs to, employers may specify in internal policies what is to be regarded as a corporate asset and could be subject to a search in a workplace investigation.

Concerning an employee’s possessions, even if he or she consents to a search, it is good practice for the employer to conduct the search in the presence of the employee or an independent third party who can act as a witness to the search. If the employer suspects that a criminal offence has been committed and that a search of the employee’s possessions would reveal evidence, the employer should consider reporting its suspicion to the police, as they have wider legal powers to search.[1]

Yes, an employer can search its employees’ official possessions and files as part of an investigation. It may be difficult, however, to seize personal assets or possessions of an employee (such as the individual’s mobile phone or personal laptop).

Employers should expressly create policies that address key issues associated with employee surveillance, forensic searches and investigations, such as:

• whether or not the official assets and infrastructure of the company can be used for personal purposes by employees;
• the organisation's right to monitor, surveil or search any authorised or unauthorised use of its corporate assets; and
• that the employee should not have any expectation of privacy when using the companies’ resources, etc.

Any forensic review of digital data must be carried out with due regard to Indian rules of evidence to avoid situations where such evidence becomes unreliable in a future legal claim or dispute.

The first consideration here is what constitutes "employees' possessions". More often than not, employees will be using employer property and there should be clear policies in place that specify company property.

The difficulty arises if an employee is using personal equipment such as a mobile phone for work purposes. While there may be specific applications dealing with work-related matters that are accessible by the employer remotely, some applications may be device-specific and that is where issues may arise. In such instances, it is not unreasonable to ask the employee to provide such information or consent to a search of their personal property. However, this is the exception rather than the rule and all other legitimate avenues of obtaining such information should be explored first. Further, such requests for information should not be a fishing expedition as an employee has a reasonable expectation of privacy at work, which must be balanced against the rights of the employer to run their business and protect the interests of their organisation.

A search of physical items such as a desk or drawers should only be conducted in exceptional circumstances, even where there is a clear, legitimate justification to search and the employee should be present at the search.

In light of the legal and case-law principles as outlined above:

• see question 7 regarding employee “physical inspections and inspections on the employee’s belongings”;
• regarding “audiovisual equipment and other instruments from which the possibility of remote control of employees’ activities also arises”, article 4 of the Workers’ Statute provides for:
  • the prohibition of the use of audiovisual equipment and instruments of “direct” remote control (ie, whose sole purpose is to verify the manner, quality and quantity of working performance (eg, a camera installed in an office to film employees’ working activities, without any other purpose));
  • the possibility of carrying out controls through audiovisual equipment and “indirect” remote instruments (ie, instruments that serve different needs (organisational, production, work safety or company assets’ protection), but which indirectly monitor working activities (eg, a camera installed in a warehouse to prevent theft, but which indirectly monitors the activity of warehouse workers), which may only be installed with a trade union agreement (or National Labour Inspectorate authorisation);
  • the possibility of carrying out checks using working tools in the employee’s possession (e.g., PCs, tablets, mobile phones, e-mail), which may be carried out even in the absence of any trade union agreement, provided that the employee is given adequate information on how to use the tools and how checks may be carried out on their use (according to privacy law strictly related to the employment relationship).

Furthermore, based on case law, the employer can carry out so-called defensive controls (ie, actions carried out in the absence of the guarantees provided for in article 4, to protect the company and its assets from any unlawful conduct by employees). These “defensive controls” can be carried out if:

• they are intended to determine unlawful behaviour by the employee (ie, not simply to verify his or her working performance);
• there is a “well-founded suspicion” that an offence has been committed;
• they take place after the conduct complained of has been committed; and
• adequate precautions are nevertheless put in place to guarantee a proper balancing between the need to protect company assets and safeguarding the dignity and privacy of the employee.

Since inspections of personal belongings may potentially undermine employees' fundamental human rights, they would not become lawful simply because they are conducted under employment regulations.

Inspections of personal belongings must be conducted uniformly among employees in the workplace based on reasonable grounds, in a generally reasonable manner and to a generally reasonable degree, and based on the work rules, etc.

When inspections of personal belongings are conducted under employment regulations, etc, employees must agree to the inspection except in special circumstances, such as the method or degree of the inspection being unreasonable.

On the other hand, an investigation of information stored on a company network system may constitute an infringement of the right to privacy. If there is a provision in the employment regulations regarding the use of the internet and monitoring, it is possible to investigate under such a provision. A Japanese court case on the illegality of reading e-mails in the absence of a monitoring provision stated that private use of e-mails also carries a certain right to privacy, but also stated that "considering the fact that the system is maintained and managed by the company, the protection of the employee's privacy can only be expected within a reasonable range according to the specific circumstances of the system," and that the act of reading e-mails was not illegal because the extent of private use of e-mails was beyond the limit, which was outside the reasonable range of socially accepted ideas. The court also ruled that the monitoring of the employee's abusive private use of e-mail, which was discovered in the course of an investigation of slanderous e-mails within the company, was not illegal because even if the monitoring was conducted without notice, there was suspicion of a violation of the duty of devotion to duty and corporate order. The court also stated that the investigation was necessary and that the scope of the investigation did not exceed its limit.

When conducting an internal investigation (which must have a legitimate purpose), the employer must act in accordance with the principles of proportionality and subsidiarity. In line with these principles, the means of collecting and processing personal data during an internal investigation as well as the data that is searched, collected or processed, should be adequate, relevant and not excessive given the purposes for which the data is being collected or subsequently processed. These principles can be complied with by, for example, using specific search terms when searching electronic data, limiting the investigation’s scope (subject matter, period, geographic locations) and, in principle, excluding an employee's private data.

The employer is, in principle, allowed to access documents, emails and internet connection history saved on computers that were provided to the employees to perform their duties, provided the requirements of proportionality and subsidiarity are taken into account. In other words, reading the employee's emails or searching electronic devices provided by the employer must serve a legitimate purpose (e.g. tracing suspected irregularities or abuse) and the manner of review or collecting and processing the data contained in such emails should be in accordance with the principles of proportionality and subsidiarity.

The employer can ask the employee to hand over an employee's USB stick for an investigation. Depending on company policies and (individual or collective) employment agreements, an employee is, in principle, not obliged to comply with such a request. A refusal from an employee, when there is a strong indication that this USB stick contains information that is relevant to an investigation into possible irregularities, may be to the disadvantage of an employee, for example in a dismissal case.

The following factors, which derive from the Bărbulescu judgment of the European Court of Human Rights, are relevant to the question of whether an employee's e-mail or internet use can be monitored:

• whether the employee has been informed in advance of (the nature of) the possible monitoring of correspondence and other communications by the employer;
• the extent of the monitoring and the seriousness of the intrusion into the employee's privacy;
• whether the employer has put forward legitimate grounds for justifying the monitoring;
• whether a monitoring system using less intrusive methods and measures would have been possible;
• the consequences of the monitoring for the employee; and
• whether the employee has been afforded adequate safeguards, in particular in the case of intrusive forms of monitoring.

These requirements can sometimes create a barrier for employers, as seen in a ruling by the District Court Midden-Nederland (16 December 2021, ECLI:NL:RBMNE:2021:6071) in which the employer had used information obtained from the employee's e-mail as the basis for a request for termination of the employment contract. In the proceedings, the employee argued that his employer did not have the authority to search his e-mail.

According to the District Court, it was unclear whether the employer had complied with the requirements of Bărbulescu regarding searching the employee's e-mail. The regulations submitted by the employer only described the processing of data flows within the organisation in general. Therefore, the District Court found that the employer did not have a (sufficient) e-mail and internet protocol and the employee was not properly informed that his employer could monitor him. In addition, according to the District Court, it was unclear what exactly prompted the employer to search the employee's e-mail, as the employer did not provide any insight into the nature and content of the investigation. As a result, the District Court was unable to determine whether the employer had legitimate grounds to search the employee's e-mail. On this basis, the District Court disregarded the (possibly) illegally obtained evidence and ruled against the employer's termination request.

Yes, an employer can search the possessions or files of an employee as part of an investigation where the employee’s contract or handbook authorises such a search and there is a reasonable suspicion of wrongdoing.

Subject to the employees’ reasonable expectation of privacy, gathering physical evidence within the premises of the workplace and through company-issued property has been upheld to be legally permissible in pursuit of the employer’s right to conduct work-related investigations. The search, however, should be limited to the alleged acts complained of and must not be used as a fishing expedition to find incriminating information about the erring employee.

It depends on whether the employer implemented rules of personal control at the workplace. If yes, such rules are applicable. If not, in our opinion if there is suspicion of a serious violation, it is possible to carry out an ad hoc inspection but its scope should be limited only to necessary activities and should not concern an employee’s private files or correspondence, so as not to infringe on personal rights. If there is an ad hoc inspection, an employee should be informed in advance, and it should take place in the presence of the employee or employee’s representative, observing the rules of fairness and equity.

The employer is allowed to search an employee’s possessions or files, provided that they are work instruments or of a professional nature.

When performing these searches, employers should consider the specific provisions of the Data Protection Regulations as well as Resolution No. 1638/2013 of the Portuguese Data Protection Authority (CNPD), which contains rules on monitoring phone calls, e-mail and internet usage by employees. The CNPD understands that for the employer to access the employees’ professional data (e-mails, documents and other information stored on electronic devices), the latter should be present during the monitoring, to identify any information of a personal nature that should not be accessed by the employer (the employer must comply with these directions and should not access that email). In addition, review of the data should respect specific protocols to avoid potential access to personal data (eg, review of subject, recipients, data flow and type of files attached).

Body searches or the seizure of personal belongings or documents belonging to the employee are not permitted within the scope of a disciplinary procedure.

The employer is not allowed to search employees’ personal possessions or files as part of an investigation without the employee’s consent. However, such consent may be explicitly provided for in the terms of employment (as may be contained in the employment contract, employee handbook or the employer’s internal policies and procedures in dealing with the investigations, etc). The employer may, however, search the employees’ company email accounts and files if these are stored on the company’s internal systems or devices.

As discussed in question 7, it may be difficult for a company to search an employee’s personal possessions. The company may search and gather electronic data stored in work laptops or company servers, subject to legal requirements and restrictions (eg, obtaining consent). 

The PIPA provides specific guidance on the requirements for obtaining consent. Under the PIPA, to collect or use an individual’s personal information, the information holder must be informed of and consent to:

• the purpose of the collection or use;
• the personal information that will be collected;
• the period of retention and use; and
• his or her right to refuse to provide consent and any disadvantages that may result from such refusal.

There are separate requirements for obtaining consent to provide an individual’s personal information to a third party. Also, consent must be obtained separately for the collection, use or provision of sensitive or unique identification information.

Under limited circumstances, personal information may be collected, used, or provided to third parties without obtaining the consent of the information holder. For instance, a company may collect and use personal information without obtaining consent where obtaining the information is necessary to achieve the company’s “legitimate interests”, which clearly exceed the information holder’s right to his or her personal information, and the collection and use are carried out within reasonable bounds. The term “legitimate interests” in this context is generally understood as a concept similar to “justifiable act” under the Criminal Code. The Korean Supreme Court has held that under exceptional circumstances such as the following, the company’s collection and review of employee data may constitute a “justifiable act” under the Criminal Code:

1. the company had specific and reasonable suspicion that the employee had committed a crime and the company had an urgent need to verify the facts;
2. the scope of the company’s review was limited to the suspected crime through the use of keywords, etc;
3. the employee had signed an agreement stating that he or she would not use work computers in an unauthorised manner and that all work products would belong to the company; and
4. the company’s review uncovered materials that could be used to verify whether the employee committed the alleged crime.

Please see question 7.

An employer can search an employee’s personal possessions (eg, handbag, pockets and locker) if the employer has a legitimate interest in a search. This could, for example, include a reasonable suspicion of theft of employer property. Furthermore, an employer may search, but not continually monitor, an employee’s computer and email provided that it is in accordance with GDPR requirements. For the processing to be lawful under the GDPR, the employer has to establish a purpose and a legal basis for the processing of personal data. Furthermore, data subjects must have received information on the legal basis for and purpose of the processing of personal data beforehand. If the data subjects have not received such information, the employer’s right to process their data is limited. However, if the employer has reasonable grounds to believe that trade secrets or similar has been copied and stolen, no such requirements would typically apply.

Investigations into an employee's possessions may, under certain circumstances, also be carried out by the Swedish authorities.

The basic rule is that the employer may not search private data during internal investigations.

If there is a strong suspicion of criminal conduct on the part of the employee and a sufficiently strong justification exists, a search of private data may be justified.[1] The factual connection with the employment relationship is given, for example, in the case of a criminal act committed during working hours or using workplace infrastructure.[2]

Electronic information created during employment would generally be owned by the employer and would be the employer’s assets. If an employee is given a computer or laptop to use for work, the employer has the right to log into that device and take any data that is stored therein, provided that the data does not contain sensitive information of that employee and PDPA requirements are met.

To avoid any potential issues regarding physical data such as documents on the employee’s desk, it is advisable to search those areas with the subject employee to show good faith. In practice, the employee normally agrees to search those areas with the employer, or allows the employer to search alone.

There is no explicit answer to this question. However, it is important to make a distinction between employees’ possessions and files that are strictly personal and employees’ possessions and files that are found on devices or files provided for company use. For the first category, the employer does not have the right to search employees’ possessions and files. For the latter category though, justifications need to be established, by observing the requirements explained in question 7. Furthermore, the employers must also ensure that employees are fully and explicitly informed in advance of the monitoring operations, either through a provision included in the employment agreement, or in a separate notice or employee policy, the receipt of which should be duly acknowledged by the employee.

It may sometimes be difficult to draw a clear distinction between the property of the employer and employees’ personal property, both physical and electronic, particularly where employees are increasingly working from home. Employers should ideally have a clear policy to delineate what is the employer’s property.

Employees typically have a reasonable expectation of privacy at work, although how far this extends will depend on the circumstances of each case and the employer’s policies.

When it comes to employees’ personal possessions, a search should only be conducted in exceptional circumstances where there is a clear, legitimate justification. The employer should always consider whether it is possible to establish the relevant facts through the collection of other evidence. Even if the employee’s contract specifies that it is permitted, employers would usually require explicit employee consent for the search to be lawful. The employee should be invited to be present during the search; if this is not feasible, another independent third party (such as a manager) should be present.  

If the employee refuses to consent to a search of their personal possessions, their refusal should not be used to assume guilt; the investigator should explore why the employee has refused and seek to resolve their concerns if possible.

If the employer believes that a criminal offence has been committed it should consider involving the police, since they have wider powers to search individuals and their possessions. 

As there is no unified data protection regime, privacy protections stem from a patchwork of federal and state privacy laws which impose limits on the extent to which an employer can collect information from its employees in connection with an internal investigation. Whether specific conduct violates an employee’s rights is a very fact-specific inquiry requiring the application of relevant state laws and a regulatory regime. 

In most circumstances, an employer is free to conduct searches of its workplace and computer systems in the course of investigating potential wrongdoing. Such searches are generally not protected by personal privacy laws because workspaces, computer systems and company-issued electronic devices are often considered company property. Many companies explicitly address this in written corporate policies and employment agreements. Employees who use their own electronic devices for work should be aware that work-related data stored on those devices is generally considered to belong to the employer (as a matter of best practice, employers should generally prohibit or at least advise employees against using personal devices for work and to maintain separate work devices, where possible).

These broad investigatory powers notwithstanding, the ability of an employer to conduct searches in furtherance of an internal investigation is not unlimited. For example, if an employer seeks to obtain or review work-related data from an employee’s personal device, the employer must be careful to exclude any personal data. Certain states also prohibit an employer from requiring an employee to disclose passwords or other credentials to his or her personal email and social networking accounts, but permit an employer to require employees to share the content of personal online accounts as necessary during an interview while investigating employee misconduct.

As part of an investigation, an employer may search the objects or files that are part of the company’s property (eg, company or employers’ laptops or phones for business purposes and emails or messages stored on the company’s servers) without prior notice and without the need of the consent of the employee. However, the employer has no right to search an employee’s personal possessions without consent.

To further avoid arguments or conflicts as to the right of ownership of a particular object or property, employers may specify in their internal policies, labour contracts, and handover documents what is to be regarded as the company’s assets and subject to a search in a workplace investigation.

A complaint will be a whistleblowing complaint where a complainant has reasonable grounds to suspect that the information they are disclosing about the organisation concerns misconduct or an improper state of affairs or circumstances. The information can be about the organisation or an officer or employee of the organisation engaging in conduct that:

• breaches the Corporations Act 2001 (Cth);
• breaches other financial sector laws;
• breaches any other law punishable by 12 months’ imprisonment; or
• represents a danger to the public or the financial system.

Since 2020, all public companies, large proprietary companies and trustees of registrable superannuation entities in Australia are required to have a whistleblower policy. Employers conducting an investigation will need to follow the processes outlined in their policy.

One of the key differences when conducting an investigation that involves whistleblowing is identity protection and the ability of the whistleblower to disclose anonymously and remain anonymous.

The provisions of the Whistleblowing Directive must be respected. In Austria, these have been implemented through the Whistleblower Protection Act (HSchG). If the whistleblower or the persons concerned fall within the scope of the Directive, their identity must be protected. Only authorised persons may access the report. Retaliatory measures are invalid or must be reversed. Within a maximum of seven days, the whistleblower must receive a confirmation of his or her complaint. Feedback to the whistleblower must then be provided within a maximum of three months.

If the investigation is based on a whistleblower report that falls under the scope of the upcoming rules, the investigators are bound by a strict duty of confidentiality, especially regarding the identity of the report. The rules also provide some procedural deadlines for feeding back to the reporter. Within seven days of receiving the report through an internal reporting channel, the reporting manager needs to send a receipt to the whistleblower. From that moment, the reporting manager has three months to investigate the report and give feedback and an adequate follow-up to the report. Next, the rules offer strong protection against any retaliatory measures the reporter may experience. Regardless, these rules are mostly intended to offer the necessary protection for whistleblowers and to ensure that companies take necessary investigative steps following a report, but they do not include much information about the actual procedure of the investigation besides certain deadlines, nor do they deal with other employees involved (or under investigation).

If the investigation involves matters within the scope of a specific whistleblowing policy, the policy rules should prevail against the general investigation rules if there is a conflict.

In practice, the following factors to be considered will be: (1) verification of the informant's identity; (2) whether the informant has any conflict of interest with the reported employee or whether it will affect the objectivity of their reporting; (3) how to persuade the informant to provide more information or evidence, or to cooperate in court as a witness; (4) how to increase the admissibility of evidence when the informant refuses to cooperate in court as a witness or fails to provide original evidence; (5) how to improve the evidence chain and protect the informant from being attacked or retaliated by the informant, etc.

In respect of data protection, the processing of personal data in whistleblowing systems is considered by the Finnish Data Protection Ombudsman (DPO) as requiring a data protection impact assessment (DPIA).

Evidence obtained in the context of an investigation must specify who provided it and the date it was provided. No retaliatory measures may be taken against the whistleblower for the act of whistleblowing.

In certain cases, the whistleblower report must be forwarded to the judicial authorities (eg, when there is an obligation to assist persons in imminent danger, for serious offences or a disclosure that a vulnerable person is in danger (ie, minors under 15 or a person who is unable to protect themselves)).

In 2023, Germany has implemented the EU Whistleblowing Directive into national law with the German Whistleblower Protection Act (HinSchG).

The German Whistleblower Protection Act provides that companies with at least 50 employees must establish internal reporting channels as further set out in the law. Among other things, the confidentiality of the whistleblower as well as of the individuals affected by the report must be protected.

Further, whistleblowers must be protected from negative consequences that may arise from their reports. If the employment of a whistleblower were terminated or if the whistleblower were to be denied promotion after reporting a violation, the employer would have to prove that this was not related to the whistleblowing but was based on justified reasons.

Employers should  familiarise themselves with the provisions of the new law.

L. 4990/2022 includes specific requirements regarding, among other things, the procedure of receiving and investigating respective reports, confidentiality issues (especially regarding the identity of the whistleblower), data protection issues (including restrictions to the right of access) and the employer’s right to keep a record of the relevant complaint and investigation. Such provisions are expected to be further detailed by Ministerial Decisions in future.

Hong Kong does not have a comprehensive legislative framework relating to whistleblowing. Therefore, in general, employers are free to establish whistleblowing policies and procedures and confer such protections on whistleblowers as they see fit. That said, companies listed on the Main Board of the SEHK are expected to establish a whistleblowing policy and system for employees to voice concerns anonymously about possible improprieties in the companies’ affairs. If a listed issuer deviates from this practice, it must explain the deviation.[1]

When an investigation involves whistleblowing, the employer needs to comply with the relevant policy and system and provide the whistleblower with such protections as stated in the policy. The employer should not ignore a complaint simply because it was made anonymously, and should ascertain the substance of the complaint to decide whether a full-blown investigation is warranted.

In addition, the employer should seek to establish a secure communication channel with the whistleblower to gather more information about the complaint or misconduct while maintaining the confidentiality of his or her identity. If the complaint is serious, the employer may consider referring the complaint to a law enforcement agency or regulator as they would be better placed in protecting the anonymity of the whistleblower while proceeding with the investigation. That said, employers generally have no obligation to report internal wrongdoing to any external body (please see question 25 for exceptions). The employer may assess whether it is appropriate to do so on a case-by-case basis.

Indian labour legislation does not stipulate any additional considerations or requirements concerning whistleblower complaints in private organisations and these are only available if there are complaints against public servants. Further, under the Companies Act, 2013, certain companies are required to establish a “vigil mechanism” for directors and employees to report genuine concerns regarding the affairs of the company. The vigil mechanism should provide adequate safeguards against the victimisation of persons using it.

Most whistleblowing policies will include a section that provides for an initial assessment of the complaint as to whether it meets the definition of a protected disclosure. This assessment, which ought to be carried out by a designated person who has been appointed to deal with disclosures, is a useful tool as some matters which may be labelled as whistleblowing may fall under the grievance procedure.

Where there are grounds, an investigation will be commenced. Under the Protected Disclosures (Amendment) Act 2022, whistleblowers are protected from penalisation for having made a protected disclosure, under the Act.

Penalisation may include; suspension, lay-off or dismissal; demotion, loss of opportunity for promotion or withholding of promotion; transfer of duties, change of location or place of work; reduction in wages or change in working hours; the imposition or administering of any discipline, reprimand or other penalty (including a financial penalty); coercion, intimidation, harassment or ostracism; or discrimination, disadvantage or unfair treatment.

If an employee (which includes trainees, volunteers, and job applicants) alleges that they have suffered penalisation as a result of making a protected disclosure, they may apply to the Circuit Court for interim relief within 21 days of the date of the last act of penalisation by the employer.

A claim for penalisation may also be brought before the WRC within six months of the alleged act of penalisation. If an employee alleges that they were dismissed for having made a protected disclosure, the potential award that the WRC can make increases from the usual unfair dismissal cap of two years’ pay to up to five years’ gross pay, based on actual loss.

Where a complaint of whistleblowing is made, employers should ensure that they appoint investigators with the appropriate knowledge and expertise to deal with such a matter and comply with the time limits set by legislation.

The regulations on whistleblowing in the private sector were originally outlined in article 6 of Italian Legislative Decree No. 231 of 2001 (as amended by Law No. 179 of 2017), which state that the models of organisation must provide for one or more channels that allow persons in positions of representation, administration and management of the entity (and persons subject to their direction or supervision) to report unlawful conduct according to Italian Legislative Decree No. 231 of 2001 and violations of the entity’s organisational and management rules.

Currently, Italy has implemented Directive (EU) No. 1937 of 2019, which provides for the adoption of new standards of protection for whistleblowers, through the Italian Legislative Decree No. 24 of 2023 (WB Decree)[1].

In line with the Directive, the WB Decree states, inter alia, that[2]:

• an internal whistleblowing reporting channel must be put in place by all private legal entities (and legal entities in the public sector) that have employed, during the previous year, an average of 50 employees or, even below this threshold, operate in certain industries[3] or have adopted an organizational model in accordance with Legislative Decree no. 231 of 2001;
• the WB Decree prescriptions apply to reports concerning breaches of certain national/EU[4] legal provisions (varying depending on features such as the private or public nature of the employer and its dimensions), and not to claims or requests linked to interests of a personal nature of the reporting individuals (pertaining to their individual employment contracts or to relations with their superiors)[5];
• whistleblowers’ reporting may take place through:
  • the company’s internal reporting channels and internal reporting procedures (with the possibility – for entities employing up to 249 employees, even if not part of the same group – to share whistleblowing reporting channels); or
  • external reporting channels and external reporting procedures established by the member states’ competent authorities (in Italy, ANAC, i.e. the National Anticorruption Authority); or
  • in certain circumstances, public disclosure;
• whistleblowing systems must provide:
  • a duty of confidentiality regarding the whistleblowers’ identity (which generally may not be disclosed to persons other than those competent to receive or investigate on the reports, except in specific case and with the whistleblower’s consent; see also answer to question 12 below); and
  • ways of protecting collected data according to the GDPR, as well as tight deadlines for communication with whistleblowers[6]; and
  • an integrated system of protection of whistleblowers against any retaliatory action directly or indirectly linked to their reports or declarations, with a reversal of the burden of proof (meaning the employer must give proof of the non-retaliatory nature of measures adopted vis-à-vis whistleblowers); and
  • the procedures to be taken in case of anonymous whistleblowing report.

See question 4 regarding amendments to the Whistleblower Protection Act.

The person designated as a whistleblower response service employee must not divulge the name, employee ID number, or other information that would allow a whistleblower to be identified without a justifiable reason, and there is a criminal penalty of up to 300,000 yen for violating this duty of confidentiality.

The former Act on the House for Whistleblowers already provided for several preconditions that a whistleblowing procedure must meet. For example, internal reporting lines must be laid down, as well as how the internal report is handled, and an obligation of confidentiality and the opportunity to consult an advisor in confidence must be applied. Employers are obliged to share the whistleblowing policy with employees, including information about the employee's legal protection. The employee who reports a suspicion of wrongdoing in good faith may not be disadvantaged in their legal position because of the report (section17e/ea Act House of Whistleblowers).

The starting point is that an employee must first report internally, unless this cannot reasonably be expected. If the employee does not report internally first, the House for Whistleblowers does not initiate an investigation. The House for Whistleblowers was established on 1 July 2016 and has two main tasks: advising employees on the steps to take and conducting an investigation in response to a report.

The Act on the Protection of Whistleblowers, which entered into force in 2023, introduced several changes, of which the most relevant are:

• Abolition of mandatory internal reporting: the obligation to report internally first is abolished. Direct external reporting is allowed, such as to the House for Whistleblowers or another competent authority. When reporting externally, the reporter retains his protection. However, reporting internally first remains preferable and will be encouraged by the employer as much as possible.
• Expansion of prohibition on detriment: the prohibition on detriment already included prejudicing the legal position of the reporter, such as suspension, dismissal, demotion, withholding of promotion, reduction of salary or change of work location. It now also includes all forms of disadvantage, such as being blacklisted, refusing to give a reference, bullying, intimidation and exclusion. 
• Stricter time limit requirements for internal reporting: the reporter must receive an acknowledgement of receipt of the report within seven days and the reporter must receive information from the employer on the assessment of their report within a reasonable period, not exceeding three months.

• Extension of the circle of protected persons: not just employees, but third parties who are in a working relationship with the employer are now also protected, such as freelancers, interns, volunteers, suppliers, shareholders, job applicants and involved family members and colleagues.

Consideration must be given to the confidentiality or anonymity of the whistleblower, when an investigation involves whistleblowing.

Since there is no specific law that governs whistleblowing, matters that involve whistleblowing will be governed by company policy.

In principle, an internal investigation should be conducted in the same way, regardless of whether it is initiated following a whistleblowing report, an audit, or a monitoring result. This includes anything related to confidentiality, fairness, data privacy protection, etc.

If an internal investigation is initiated following a whistleblower report, the main characteristic that is imposed by the EU Directive on the protection of persons who report breaches of EU Law (Whistleblowers Directive) and that will also be available under the Draft Law is for the organisation (employer) to communicate (if practicable) the report to the whistleblower. Furthermore, the whistleblower should receive feedback as to whether follow-up actions were undertaken following the report and, if yes – what actions were taken – and if not – why the follow-up actions were not taken.

The treatment of whistleblowers and their reports is laid down in various specific laws in Portugal.

Law 93/2021

Under Law 93/2021, a whistleblower of work-related offences must not be retaliated against. Furthermore, imposing disciplinary penalties on the whistleblower within two years after their disclosure is presumed to be abusive. The whistleblower is entitled to judicial protection and may benefit from the witness protection programme within criminal proceedings. Additionally, reports will be recorded for five years and, where applicable, personal data that is not relevant for the handling of a specific report will not be collected or, if accidentally collected, will be deleted immediately.

Corruption and Financial Crime Law (Law 19/2008)

Under Law 19/2008, a whistleblower must not be hampered. Furthermore, the imposition of disciplinary penalties on a whistleblower within one year following the communication of the infraction is presumed to be unfair.

Additionally, whistleblowers are entitled to:

• anonymity until the pressing of charges;
• be transferred following the pressing of charges; and
• benefit from the witness protection programme within criminal proceedings (remaining anonymous upon the verification of specific circumstances).

Money Laundering and Terrorism Financing Law (Law 83/2017)

Law 83/2017, which sets forth the legal framework to prevent, detect and effectively combat money laundering and terrorism financing, applies to financial entities and legal or natural persons acting in the exercise of their professional activities (eg, auditors and lawyers)(collectively, obliged entities).

According to article 20 of Law 83/2017, individuals who learn of any breach through their professional duties must report those breaches to the company's supervisory or management bodies. As a result, the obliged entities must refrain from threatening or taking hostile action against the whistleblower and, in particular, unfair treatment within the workplace. Specifically, the report cannot be used as grounds for disciplinary, civil or criminal action against the whistleblower (unless the communication is deliberately and clearly unjustified).

Legal Framework of Credit Institutions and Financial Companies (RGICSF)

Credit institutions must implement internal-reporting mechanisms that must guarantee the confidentiality of the information received and the protection of the personal data of the persons reporting the breaches and the persons charged. Under article 116-AA of RGICSF, persons who, while working in a credit institution, become aware of:

• any serious irregularities in the management, accounting procedures or internal control of the credit institution; or
• evidence of a breach of the duties set out in the RGICSF that may cause any financial imbalance, must communicate those circumstances to the company's supervisory body.

These communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower.

Moreover, article 116-AB of the RGICSF establishes that any person aware of compelling evidence of a breach of statutory duties may report it to the Bank of Portugal. Such communications cannot, per se, be used as grounds for disciplinary, criminal or civil liability actions brought by the credit institution against the whistleblower, unless the report is clearly unfounded.

The Bank of Portugal must ensure adequate protection of the person who has reported the breach and the person accused of breaching the applicable duties. It must also guarantee the confidentiality of the persons who have reported breaches at any given time.

Portuguese Securities Code (CVM)

Article 382 of the CVM states that financial intermediaries subject to the supervision of the Portuguese Securities Market Commission (CMVM), judicial authorities, police authorities, or respective employees must immediately inform the CMVM if they become aware of facts that qualify as crimes against the securities market or the market of other financial instruments, due to their performance, activity, or position.

Additionally, according to article 368-A of the CVM, any person aware of facts, evidence, or information regarding administrative offences under the CVM or its supplementary regulations may report them to the CMVM either anonymously or with the whistleblower's identity. The disclosure of the whistleblower's identity, as well as that of their employer, is optional. If the report identifies the whistleblower, their identity cannot be disclosed unless specifically authorised by the whistleblower, by an express provision of law or by the determination of a court.

Such communications may not be used as grounds for disciplinary, criminal, or civil liability action brought against the whistleblower, and they may not be used to demote the employee.

According to article 368-E of the CVM, the CMVM must cooperate with other authorities within the scope of administrative or judicial proceedings to protect employees against employer discrimination, retaliation or any other form of unfair treatment by the employer that may be linked to the communication to the CMVM. The whistleblower may be entitled to benefit from the witness-protection programme if an individual is charged in criminal or administrative proceedings because of their communication to the CMVM.

Under the Prevention of Corruption Act 1960 and the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 (CDSCA), in any civil or criminal proceeding, no witness is obliged to disclose the name or address of any informer, or disclose any information that might lead to his or her discovery concerning offences such as corruption, drug trafficking, and money laundering, save where:

• in any proceeding for the offence, the Court, after a full inquiry into the case, is of the opinion that the informer wilfully made, in his complaint, a material statement that he knew or believed to be false or did not believe to be true; or
• in any other proceeding, the court is of the opinion that justice cannot be fully done between the parties without the discovery of the informer.

In line with the above, employers should therefore keep the informer’s identity confidential upon receiving a complaint relating to corruption, drug trafficking, money laundering, and other serious offences prescribed in the second schedule of the CDSCA.

Aside from the legal obligations imposed on the company when dealing with a whistleblower who is subject to the WPA as discussed in question 1, there are also practical considerations the company should keep in mind when dealing with a whistleblower, regardless of whether the whistleblower falls under the WPA.

For example, there have been instances where an employee who raised allegations filed a complaint with Korean authorities (such as the Anti-Corruption and Civil Rights Commission (ACRC) or the Labour Office) that the company took retaliatory action against the whistleblower. The company should carefully review the legal risks before taking action, such as personnel action or civil or criminal action, against an employee who raises allegations if that employee was also involved in the wrongdoing.

Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons who report breaches of Union law, has been implemented in Spain through Law 2/2023 (Ley 2/2023, de 20 de febrero, reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción). This law limits the capacity of companies to retaliate or to take any action against employees who report workplace violations or breaches of the law. Any action taken against an employee in such a position would be considered null and void if challenged in court.

Spanish law allows anonymous reports to protect whistleblowers from retaliation.

If the Swedish Whistleblowing Act governs the investigation, additional considerations apply relating to who may investigate a reported irregularity (see question 4) and the duty of confidentiality and restrictions on access to and disclosure of personal data in investigations (see questions 6, 10 and 11), as well as the rights and protections of whistleblowers.

As regards the rights and protections of whistleblowers, the following can be noted. A person reporting in a reporting channel governed by the Swedish Whistleblowing Act is protected against retaliation and restrictive measures. Thus, companies are prohibited from preventing or trying to prevent a person from reporting, and retaliating against a person who reports. Furthermore, a reporting person will not be held liable for breach of confidentiality for collecting the reported information if the person had reasonable grounds to believe that it was necessary to submit the report to expose irregularities. Under the Swedish Whistleblowing Act, any person reporting irregularities in a reporting channel established under the Swedish Whistleblowing Act may also report irregularities to designated Swedish authorities.

If an employee complains to his or her superiors about grievances or misconduct in the workplace and is subsequently dismissed, this may constitute an unlawful termination (article 336, Swiss Code of Obligations). However, the prerequisite for this is that the employee behaves in good faith, which is not the case if he or she is (partly) responsible for the grievance.

It is down to the employer’s discretion and subject to the whistleblowing policy (if any) to commence the investigation resulting from a complaint from a whistleblower. Whistleblowers and those who cooperate with an investigation should be protected. Normally the employer would not try to identify the whistleblowers. Also, it is best not to reveal the identity of the witness or the source of information; otherwise, they may feel uncomfortable giving information or raising their concerns next time. Any allegations of retaliation that surface during the investigation should be treated as a new report of possible misconduct that could be subject to additional investigation.

Although there is no specific legislation in Turkish law on whistleblowing, necessary mechanisms need to be implemented to ensure that whistleblowers and the whistleblowing process are kept confidential. In addition, whistleblowers must be encouraged and supported to be open about raising their concerns in good faith. A whistleblowing activity, when it amounts to raising a concern in good faith, must not be mistreated by the employer. Employers should also put in place protection mechanisms against the mistreatment of whistleblowers or retaliation towards them by other employees.   

The employer should first identify which individuals may have protection as whistleblowers. This could be a current or former employee who raises the initial complaint, a co-worker who gives evidence as part of the investigation, or the accused employee.

In each case, consider whether a “protected disclosure” has been made (under Part IVA ERA 1996). This requires analysis of the subject matter of the disclosure, how it is made, and a reasonable belief that it is made in the public interest.

Employers must then ensure there is no detrimental treatment or dismissal of any worker on the grounds of their protected disclosure. Although the causation test for these purposes is not straightforward, as a general rule if the protected disclosure has a “material influence” on the decision to discipline or dismiss, there may be liability. Individual managers may be personally liable alongside the employer. Compensation for whistleblowing cases is uncapped, meaning businesses and individuals can face significant financial and reputational exposure.

What this means in practical terms is that the employer should promote a “speak-up” culture and, where protected disclosures are made, ensure they are handled by a team who are properly trained in how to do so.

Several federal, state, and local employment laws prohibit retaliation against employees who come forward with complaints or participate in corporate investigations. Employees who possess information regarding corporate misconduct may also be considered whistleblowers protected from retaliation under federal and state whistleblower laws, including but not limited to the Sarbanes-Oxley Act of 2002, the Dodd-Frank Wall Street Reform and Consumer Protection Act, and the Consumer Financial Protection Act of 2010.

An employee generally does not need to show that he or she was terminated or demoted to bring a retaliation claim; other actions on the part of the employer may qualify if they could be seen to discourage employees from raising complaints. To protect against a potential retaliation claim, employers should make clear at the outset of an investigation that retaliation will not be tolerated and require the complaining employee (and potentially his or her manager) to bring any instances of retaliation to the investigator’s attention immediately.

It is up to the employer to determine whether or not to open an investigation after a complaint from a whistleblower. It is very important that the identity of the whistleblower is protected and that the employer also should not reveal the identity of the witness or the source of information, as the sources and witnesses may fear retaliation and feel uncomfortable or hesitant in giving information or raising concerns again.