An internal investigation inevitably involves collecting data relating to employees. How can employers in Germany ensure they comply with their data protection obligations and conduct effective investigations?

Can an employer’s compliance with data protection regulations influence internal investigations within an organisation? The Volkswagen diesel emissions scandal or the harassment allegations against Julian Reichelt editor of the Bild newspaper show the importance of internal investigations. They are an important instrument for organisations to investigate suspected breaches of contractual obligations and to uncover wrongdoing. If clarification and investigation measures are to be effective and productive, there is habitually no way around a data-intensive approach, but data protection regulations in particular must be complied with.

As a rule, a results-oriented investigation goes hand in hand with monitoring or is accompanied by the tracking of work processes and employee behaviour. If, for example, email screening, forensic PC evaluations or other data analyses are carried out, personal data within the meaning of Article 4(1) of the GDPR is collected, recorded, processed and stored.

Does data protection limit internal investigations?

If, for example, storage periods and consent requirements for data relevant to investigations lead to internal investigations being made more difficult or even hindered, with the consequence that they protect the employee from consequences under employment law such as claims for damages or dismissal?

Despite an undeniable tension between effective internal investigations and data protection, case law since the entry into force of the GDPR and the German Federal Data Protection Act (BDSG) has clarified that compliance with data protection should not mean protection for offenders. Thus, an intentional offender whose act was uncovered by means of a lawful video recording pursuant is not worthy of protection.

As long as an offence is still legally actionable (in particular not time-barred), recordings may in principle be stored and viewed in the event of reasonable suspicion. Article 17 of the GDPR provides for the immediate deletion of personal data after the purpose of collection and use has been achieved, but also allows storage for the purpose of exercising legal claims; the courts will have to decide how it should apply on a case-by-case basis in the event of a dispute.

Employers’ rights in internal investigations

As a rule, it is in the employer’s interest to first question employees about existing suspicions. The employer’s right of direction means asking employees for an interview and questioning them is permissible in the context of their employment. However, if employee data is collected in the process, the employer should have the employee expressly consent to its collection. In contrast, mere consent to questioning will probably not be sufficient to constitute voluntary consent (Article 7(4) GDPR). As a rule, an employee may initially only cooperate because s/he fears that not participating in the survey would arouse suspicion. Without corresponding consent, however, the collection of data in an employee interview is only permissible under the conditions set out in s26 of the BDSG, which lists criminal offences or suspicion of criminal offences in paragraph 1 sentence 2. Previous case law agrees with the explanatory memorandum to the law: the provision is to be interpreted broadly and the collection of data only requires an initial suspicion. This must which, however, must go beyond vague indications or uncertain conjecture by third parties.

Undercover investigations

Investigations carried out secretly are often more effective. However, these conflict with the employee under investigation’s right to information under Article 15 of the GDPR. Case law weighs up the interests of secrecy on the one hand and the interests of gathering the information on the other. Undercover investigations are thus still possible in principle, but the employer must be able to demonstrate the need for secrecy. This may be possible if the legitimate interests of a third party, in particular an informant, are worth protecting (s 34(1) and s29 (1) (2) of the BDSG). If the need for compliance with information and disclosure claims systematically ruled out the implementation of clandestine measures, this would thwart the objective of internal investigations. On the other hand, it should be noted that the employee’s interests can also prevail, for example, if there is a risk that an informant has consciously made incorrect statements.

Practical advice

According to media reports, VW checked 1.6 million files and conducted 550 employee interviews and interrogations as part of the internal investigations to shed light on the diesel scandal. But good planning and documentation are not only imperative in investigations of these dimensions. Information gathered can only be used legally if the procedure is carried out in compliance with employment law and, above all, data protection law. It should also be noted that regardless of whether the employer outsources internal investigations to external bodies or carries them out itself, it remains responsible for compliance with the relevant GDPR obligations, and responsible for the investigations.

In collaboration with Jana Schön, Wiss. Mit. (trainee lawyer) in the Berlin office.