Employee data protection in internal investigations

Internal investigations are a key part of a modern compliance management system. This article will discuss where exactly the tension lies with regard to employee data protection in internal investigations and how this can be resolved. In addition, the question of the extent to which employees are entitled to information rights under the General Data Protection Regulation (GDPR) and the extent to which they can request information about their processed data will be addressed.

I. Introduction

Internal investigations are a key part of a modern compliance management system. If a company becomes aware of possible violations of the law, whether in terms of white-collar crime or personal misconduct on the part of individual employees, an internal investigation is required to clarify these allegations. This knowledge can be obtained in a variety of ways, for example through whistleblowers, anomalies during an internal audit or simply by chance. The most prominent example of an extensive internal investigation is the emissions scandal at VW, which began in 2015.

The process of an internal investigation can be roughly divided into four phases. In the first phase, the allegation is analyzed. An investigation plan is then drawn up in the second phase. The company sets up an investigation team to examine the allegations. This team can consist of the company's own employees and/or external consultants. The investigation plan includes the organization of the investigation in terms of time, content and personnel. This is followed by the third phase, the actual internal investigation with data collection and evaluation, e-discovery, interviews, etc. The fourth phase concludes with the evaluation of the results, typically presented in a final report.

During the third phase in particular, the requirements of data protection, especially employee data protection, must be considered. Violations of data protection regulations can lead to considerable sanctions. In addition to civil law claims by affected employees for injunctive relief and damages, there may be severe consequences in the area of criminal and administrative offense law. 

This article will discuss where exactly the tension lies regarding employee data protection in internal investigations and how this can be resolved. Before carrying out investigations, it should therefore always be checked whether the planned measures are permissible with regard to data protection. In addition, the question of the extent to which employees are entitled to information rights under the General Data Protection Regulation (GDPR/Datenschutzgrundverordnung – DSGVO) and the extent to which they can request information about their processed data will be addressed.

II. Determining the purpose of processing

The first important step in initiating internal investigations is to determine the purpose of the processing. According to Art. 5 para. 1 lit. b GDPR, this must already be determined before the investigation measures are initiated and must be described in such concrete terms that all parties involved can recognize which processing operations may and may not take place. Blanket statements of purpose such as "compliance measures" or "internal investigations" are not sufficient.

III. Authorization bases for data processing

Since any processing of personal data constitutes an interference with the general personal rights of the data subject, which are protected by fundamental rights, an authorization basis is required for it. The consent of the data subject and statutory authorization bases can be considered as such. Under certain circumstances, collective agreements, such as works agreements, can also serve as a basis for authorization under data protection law. However, the scope for design is limited here, as the level of protection under the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) may not be lowered by the collective agreement.

1. Consent

Whether consent is a suitable legal basis depends heavily on the individual case. Under certain circumstances, the request for consent can have an undesirable warning function that jeopardizes the success of the investigation. Due to the inherent imbalance between the parties in the employment relationship, there are also often doubts about the voluntary nature of consent. Care should therefore be taken to ensure that the employee concerned does not get the impression that he or she would have to expect (de facto) disadvantages in the event of refusal of consent. The fact that consent can be revoked at any time also tends to reduce its attractiveness as a basis for authorization under data protection law. 

2. Legal basis for authorization

Legal authorization bases for the processing of employee data – both for the investigation of criminal acts and breaches of duty under employment contracts – can be found in Sec. 26 para. 1 BDSG and in Art. 6 GDPR.  

Regardless of the legal basis on which the data processing rests, it must always be proportionate. An important criterion here is necessity: the purpose of the measure must not be reasonably achievable by other, milder means. This must be considered when selecting the investigative measure, and the least invasive measure capable of achieving the purpose of the investigation must be identified. Furthermore, the legitimate interests of the persons concerned must be weighed up. The employer's interest in clarification must be balanced against the interest of the employee concerned in the protection of their personal data, always on the basis of the circumstances of the specific individual case. On the employer's side, the allegation in question and the respective degree of suspicion are important criteria in this weighing in the context of internal investigations.

IV. Searching e-mail inboxes

In many cases, employees' email correspondence becomes the focus of internal investigations. In practice, impending compliance risks such as insider trading, embezzlement or illegal transactions are often uncovered by analyzing email traffic – either by simply reviewing the email inbox or e-discovery, e.g. searching for specific keywords.

As a rule, emails contain personal data, so the search of email inboxes requires a basis for authorization under data protection law (see above). If the employer permits or at least tolerates the private use of the business email inbox, it is disputed whether the employer is then to be regarded as a provider of telecommunications services and is therefore subject to telecommunications secrecy pursuant to Sec. 3 para. 1 of the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TTDSG). Telecommunications secrecy generally prohibits the employer from inspecting the email inbox. At most, a right of access would exist in exceptional cases, e.g. if there is a concrete suspicion of a criminal offense or if the investigation is intended to clarify significant or even existential grievances for the company.

Labor court rulings now predominantly deny the applicability of telecommunications secrecy to mixed-use email inboxes. Nevertheless, the fact that the email inbox is also used privately must be considered when weighing up interests, and in the absence of supreme court rulings, companies should exercise caution when examining mixed-use email inboxes. Unlawful interference with the secrecy of telecommunications is punishable under Sec. 206 of the German Criminal Code (Strafgesetzbuch – StGB) and carries a prison sentence of up to five years or a fine. Due to the risk of criminal liability, it is essential to obtain consent from the employees concerned. As a justification, consent excludes the unlawfulness and thus the criminal liability of the act, at least in the relationship between employer and employee.

V. Duty to provide information in the context of internal investigations

The GDPR also contains information obligations that companies must comply with in connection with internal investigations.

These are regulated in Art. 13 and 14 GDPR. Data subjects must be informed before or at the time the personal data is collected. If the data is obtained from third parties (e.g. other employees), the information must be provided within one month at the latest in accordance with Art. 14 para. 3 GDPR. In individual cases, there may be exceptions to the obligation to provide information, for instance if an investigative measure could otherwise no longer be carried out and the purpose of the investigation would be thwarted, or if there are special confidentiality obligations, e.g. under the Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG). Whether an exception applies depends on which interest prevails in the specific case.

VI. Right to information in the context of internal investigations

In addition, employees affected by investigative measures can assert claims for information in accordance with Art. 15 GDPR regarding the personal data processed about them. Such a request can mean a considerable amount of work and legal risk for companies. However, there are also exceptions to the obligation to provide information, for example where third-party interests, e.g. in the case of whistleblowing, prevent the disclosure of certain information, or where the request amounts to an abuse of rights. The hurdles for assuming an abuse of rights are, however, very high.

VII. Practical tips

Employers are well advised to seek expert advice as early as the planning phase of internal investigations in order to avoid data protection breaches and the resulting consequences as far as possible. 

Data protection notices for compliance measures or possible investigative measures can be provided to employees at the start of the employment relationship in the form of basic information. This means that the information obligations can already be fulfilled quite comprehensively and only need to be supplemented later with specific information for the individual case. Employees or third parties who carry out investigations should also receive specific instructions on data protection. 

Due to the controversial legal situation, employers should carefully consider whether to allow their employees to use their work email inbox privately. If such use is permitted, it should be comprehensively regulated and, among other things, preferably only permitted on the condition that the employee agrees to appropriate controls.

Published: June 2024