Corporate investigations can help businesses to respond appropriately to whistleblowers’ claims and to identify and address potential misconduct promptly. In the Belgian chapter of "Corporate Investigations 2017” (International Comparative Legal Guide) Hans Van Bavel and Frank Staelens (Moore Stephens Belgium) set out their insight on the latest practices, developments and trends in this particular field.

Below, Hans and Frank summarize the five most important questions a company needs to have taken into consideration before conducting a corporate investigation in Belgium.

1. What legal obligations should a company consider when deciding whether to conduct a corporate investigation?

There is no specific legal framework for internal corporate investigations. However, any internal investigation must comply with the rules on privacy and employee protection, which are set out in or derived from Belgian privacy law, telecommunication law, and employment law. As one must observe the right to privacy, personal integrity and individual freedom, an entity may not use force in any way for the purpose of finding evidence. Only law enforcement agencies are allowed to use force on or compel individuals for the purpose of finding evidence to the extent permitted by law, and only in a proportional manner to achieve a legitimate aim.

Internal investigations that are conducted with the consent of the employees are possible. The entity may interrogate its employees on condition that no force or acts of intimidation are used. Moreover, different collective bargaining agreements (“CBA”) allow for the possibilities to take certain investigative measures when deemed necessary.

2. Should a company liaise with the authorities before, during or after a corporate investigation?

The entity is not required to liaise with local authorities before starting an internal investigation. Whether or not it should liaise with local authorities depends on the specific case and circumstances. There is also no involvement of law enforcement entities during internal investigations. As a general rule, the internal and external investigations are all conducted separately.

Liaising with local authorities can be considered as an element of good faith on the entity’s part, or at least as a mitigating circumstance should the entity be sanctioned. Voluntary disclosure of the results of a properly conducted internal investigation for instance can be taken into account by law enforcement authorities when they decide whether to prosecute the corporate entity itself rather than the individual(s) involved. This is because a legal entity can only be punished under criminal law if it has acted with the required mens rea or guilty mind. Voluntary disclosure of the results of an internal investigation could be an element – albeit post factum – in showing that the entity seeks to distance itself from the event in question.

3. Before initiating the investigation, companies should set up an investigation plan to guarantee the most reliable and conclusive outcome. Which steps should be included in this investigation plan?

  • Step 1: secure the data that are subjected to the internal investigation
  • Step 2: assess whether the use of outside forensic auditors is important to ensure the credibility/independence of the investigation report;
  • Step 3: if evidence is found during the investigation, secure the access to the company’s buildings, intranet, and bank accounts
  • Step 4: if the investigation concerns an employee, assess whether the investigation findings are sufficient to dismiss him or her for cause
  • Step 5: assess whether it is useful to file a criminal complaint.

4. Which data collection and data privacy regulations should a company consider when conducting a corporate investigation?

Internal investigations often imply the processing of personal data or electronic communications. Data protection laws should therefore be considered, especially the rules on the transfer of personal data (within and outside the EU).

In Belgium the following laws or regulations apply, where applicable:

  • The Data Protection Act of 8 December 1992 (“BDPA”). Personal data may only be processed proportionately and transparently and for well-defined purposes. To the extent that there is a clear, legitimate basis for the processing, different bases are exhaustively listed in Article 5, BDPA. As data processing should always be proportionate to the envisaged purposes, it is important to strictly target the data and documents to those that are strictly necessary for the investigation.
  • The Act of 13 June 2005 on Electronic Communications (because internal investigations will often include electronic communications). These articles prohibit the following actions if they are done without the consent of all directly or indirectly involved persons, with fines of up to EUR 400,000: “(1°) intentionally obtain information about the existence of any information that has been sent by electronic means and that is not personally addressed to him, (2°) intentionally identify persons involved in the transmission of the information and the contents thereof, (3°) notwithstanding articles 122 and 123, intentionally obtain information concerning electronic communication and concerning another person, (4°) modify, delete, disclose, conserve, or use otherwise the information, identification, or data that have been obtained, intentionally or not.”
  • Article 314bis of the Criminal Code, which prohibits anyone from knowingly and willingly monitoring, gaining knowledge of, or registering the contents of (tele)communications that are not available to the public, unless all participants to the communication have given their permission to it.
  • Collective Bargaining Agreement no. 81 of 26 April 2002 on the protection of the private life of employees with regard to the monitoring of electronic online communication data (“CBA no. 81”).

5. Is it common practice for a company to prepare a written investigation report at the end of internal investigation?

It is indeed recommended to prepare a written declaration and have it signed by the interviewee. An investigation report should include a full description of the data and analysis techniques used, the declarations made by the interviewees/whistleblowers, and an overview of the findings. Moreover, it is useful to include an executive summary. An investigation report should not contain conclusions or any other personal opinions of the investigator.

A written report entails the risk that any written acknowledgment of the flaws in the entity’s monitoring or verification procedure can and will be used as evidence against the entity. However, if an outside counsel supervises the internal investigation and acts as an intermediary, all correspondence he or she makes is protected by professional secrecy. Legal privilege can therefore counter this risk to a certain extent.