Companies must observe strict data protection law requirements when conducting an internal investigation. The European General Data Protection Regulation (EU) 2016/679 ("GDPR"), which became effective on 25 May 2018, provides a uniform set of rules for data processing throughout the European Union, replacing the existing patchwork of national laws governing how personal data is handled. Under the GDPR, new rules impose stricter and more detailed obligations for companies processing personal data, including extensive accountability obligations. Failure to demonstrate compliance with these rules could lead to claims for damages as well as administrative sanction and high fines from the competent data protection authorities. In addition, despite harmonization on the European level, national differences must be taken into account, such as specific national law provisions in the area of processing of employee data, that can have a substantial impact on how internal investigations can effectively be conducted.
The following sections shall provide a general overview on the requirements and conditions for internal investigations under the GDPR. The text also highlights the relevant case-law and the potential consequences of unlawful processing.
What is the legal basis for performing internal investigations under the GDPR?
Companies may only perform internal investigations if they can base the respective data processing operations on a valid legal basis. The appropriate legal basis depends on the purpose of the investigation, the categories of data subjects affected, and the nature of the data concerned.
- Legal obligation to perform investigation: Under certain conditions, companies may be legally obliged to perform an internal investigation. In this case, the company may base the data processing on Article 6(1) lit. c GDPR. However, such cases will likely remain an exception in practice.
- Data processing due to legitimate interests: Companies may justify the data processing to the extent the processing is necessary for legitimate interests pursued by the company or a third party (Article 6(1) lit. f GDPR), provided that those interests are not overridden by the interests or fundamental rights and freedoms of the affected data subjects. This requires a thorough balancing of interests, taking into account all circumstances of the individual case, including the extent of the investigation, the nature of the data processed, the reasonable expectations of the data subjects and the potential consequences for their rights and freedoms. The envisaged processing activities are not admissible if there are less intrusive measures to achieve the purposes of the investigation. A key aspect of the balancing of interests will be the safeguards implemented to reduce the impact on the data subject and to ensure a proportionate approach in compliance with the data protection principles (see below). The balancing of interests should be thoroughly documented.
- Consent of data subject: The GDPR stipulates strict requirements for obtaining valid consent, including, in particular, that consent must be freely given. This means that data subjects must have a real choice to agree to the related processing of their personal data or not, and also to withdraw any consent given at any time. Therefore, consent is not advisable as a general legal basis for permitting an internal investigation. In particular within an employment context, due to the imbalance between the employee and the employer, consent will likely not be considered voluntary. This may potentially be different where the processing implies any legal or economic advantage for the employee or the employer and employee pursue similar interests, such as in limited scenarios for certain types of custodians or whistleblowers who are free to provide their consent or not.
- Collective agreements: Collective agreements (in particular works council agreements) may also form a legal basis for internal investigations. However, collective agreements which are intended to legitimize data processing must comply with the specific requirements of Article 88 GDPR and potential national implementations laws (see below).
If the internal investigation also involves special categories of personal data within the meaning of Article 9(1) GDPR (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sex life or sexual orientation), additional restrictions apply. Companies may only process such sensitive data if they can rely, in addition to a legal basis under Article 6(1) GDPR as set out above, on one of the exemptions stated in Article 9(2) GDPR. In particular, companies may process sensitive data to the extent necessary for the establishment, exercise or defense of legal claims (Article 9(2) lit. f GDPR). On the other hand, companies cannot legitimize the processing of sensitive data merely on the basis of their legitimate interests.
What other requirements do companies have to consider?
Apart from the aforementioned restrictions, the GDPR (and national implementation laws, where applicable) provides for additional requirements and conditions for internal investigations.
- Compliance with data protection principles: When performing internal investigations, companies have to comply with the general principles of data processing set out in Article 5 GDPR (i.e., lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality). In particular, companies should carefully assess whether the intended processing of personal data is limited to what is necessary and whether all data is in fact adequate and relevant for the investigation. Where possible, companies should only process data which have been anonymized or pseudonymized. Proportionality is a key aspect and may require, among other things, a thorough definition of search terms, a limitation of the group of data subjects concerned, the use of automated filtering, the implementation of pseudonymization, and other safeguards.
- Considering national implementation laws: National implementation laws to the GDPR and other legal national particularities may provide for additional requirements for internal investigations. As an example, the German Federal Data Protection Act ("BDSG") imposes strict requirements on companies willing to perform internal investigations in the employment context. In addition, German law is interpreted to impose strict limits on the possibilities of an employer to access and review electronic communications of its employees, such as emails, where private use of the employer's IT and communication systems is permitted.
- Accountability obligations: The GDPR imposes strict accountability and documentation obligations on companies (Article 5(2), Article 24(1) GDPR). In particular, companies must not only take all measures to ensure compliance with data protection laws but also be able to prove, such as in the case of enquiries from the data protection authorities, that they have performed the internal investigation in accordance with the GDPR. To comply with these obligations, companies should establish a documented data protection concept and investigation plan setting out the legal considerations and all technical and organizational safeguards implemented for conducting the internal investigation and should comprehensively document every step taken.
- Information of data subjects: In general, companies must inform affected data subjects about the processing of their personal data in advance (Articles 12 et seq. GDPR). This applies, in principle, also in case of internal investigations. However, the success of the investigation might be at risk if the suspect is informed about the envisaged data processing in advance. The GDPR does not provide for explicit exceptions to the notification requirements for such cases. The national implementation laws, however, may include respective provisions. For instance, under German law, companies do not have to inform data subjects in certain scenarios where the information would impair the establishment, exercise or defense of legal claims. However, there is no uniform implementation on national level across Europe. Therefore, companies should carefully assess in each case to what extent national exceptions can be relied upon. Whenever possible, companies should inform affected data subjects prior to the investigation.
- Data transfer to third parties: It might be necessary for companies to transfer personal data to third parties outside the company, either to analyze the information with the help of external advisors or to share the results of an investigation with third parties, such as in case of disclosures to courts or law enforcement authorities. Such data transfers, however, must also comply with the requirements of the GDPR. Where external service providers are involved, acting only as processors on behalf of and in accordance with the instructions of the company conducting the investigation, the data can likely be shared provided an appropriate data processing agreement is entered into which reflects the requirements under Article 28 GDPR. In other data transfer scenarios, i.e. disclosures to other controllers, companies will have to thoroughly assess whether and on which legal basis the data can be shared and what safeguards need to be implemented to protect the personal data. To reduce the impact on the rights and freedoms of data subjects, the authorities expect companies to take a layered approach, in particular in case of cross-border disclosures: in a first step, only anonymized or pseudonymized data is transferred, and identifiable data is disclosed only where this proves necessary. In addition, the transfer of personal data to recipients in third countries outside the European Economic Area is only permitted where the strict requirements for international data transfers according to Articles 44 et seq. GDPR are met. Safeguards may need to be implemented to ensure an adequate protection of personal data, such as entering into additional agreements with the recipients outside the European Economic Area.
- Data protection impact assessment ("DPIA"): Generally, data controllers must perform a DPIA if the envisaged data processing is likely to result in a high risk to the rights and freedoms of data subjects (Article 35 GDPR). In many cases, in particular cases involving the automated processing of large data sets, internal investigations can have such a potential impact on the rights and freedoms of the affected data subjects. To avoid legal risks, companies should assess the need for a DPIA and, where the threshold is met, perform it prior to the investigation.
- General data protection law requirements: As for any other processing of personal data, the general requirements under the GDPR must be complied with, such as establishing appropriate records of processing activities (Article 30 GDPR), ensuring compliance with the principles of data protection by design and by default (Article 25 GDPR), and implementing technical and organizational security measures appropriate to the risks for the protection of personal data (Article 32 GDPR).
- Co-determination rights of works councils: In some countries it may be necessary to involve the local works council in advance. Investigation measures to which the works council did not consent might be invalid. In addition, the works council might seek a preliminary injunction to prevent the employer from performing the investigation.
What may be the consequences of unlawful processing?
Companies which do not consider the aforementioned requirements and conditions may face high legal risks when processing personal data in the course of internal investigations.
- Administrative fines/criminal liability: Companies which do not comply with the strict requirements of the GDPR may face administrative fines up to €20 million or four percent of their total global turnover for the previous year, whichever is higher. In case of company groups, there is the risk that data protection authorities will calculate fines on the basis of the consolidated revenue of the group. Additionally, national implementation laws as well as national criminal codes may provide for criminal liability in case of unlawful processing.
- Exclusion of evidence: In case of unlawful processing, the company may not be able to use the findings of the internal investigation in court. This aspect is particularly important if the company has imposed sanctions (e.g. a dismissal) against an employee due to the findings of the internal investigation. If the employee challenges the lawfulness of the dismissal in court, the company has to show that it has performed the respective data processing in accordance with the applicable data protection laws. If the court deems the data processing as unlawful, the findings may be excluded as evidence and the dismissal might be invalidated.
- Claim for damages by affected data subjects: Data subjects whose personal data have not been processed in accordance with the GDPR may claim damages from the company. Those claims may refer to material and non-material losses due to the infringement.
Which current case law is relevant for internal investigations?
In September 2017, the Grand Chamber of the European Court of Human Rights ("ECHR") rendered an important decision regarding the secret monitoring of employee communication (application No. 61496/08), reversing a Chamber judgment of January 2016 that had found no violation. In the so-called "Bărbulescu" case, the ECHR ruled that employers violate the employees' fundamental right to respect for private life and correspondence (Article 8 European Convention on Human Rights) if they secretly monitor their employees' messenger communication without implementing appropriate safeguards to preserve the employees' legitimate interests.
According to the ECHR, employers are generally allowed to monitor their employees' communication to a certain degree. Such monitoring measures, however, must be accompanied by adequate and sufficient safeguards to preserve the employees' right to privacy. In particular, employers must generally inform their employees about the envisaged monitoring in advance. This notification must include detailed information on the nature and extent of the monitoring and the degree of intrusion.
In addition, employers need to provide for legitimate reasons to justify the monitoring of employee communication. In this context, the ECHR particularly refers to the principle of data minimization. The employers must prove that there is no less intrusive measure to reach the envisaged purposes.
The criteria established for the monitoring of employees were further refined in a recent decision of the ECHR in the López Ribalda case (applications Nos. 1874/13 and 8567/13) in October 2019. The court ruled that the covert video surveillance of employees at issue did not violate the employees' fundamental right to respect for private life (Article 8 European Convention on Human Rights) and that the knowledge gained by the employer may be used as justification for the dismissal.
The case revolved around a Spanish supermarket in which, over a period of several months, merchandise worth between €8,000 and €25,000 per month disappeared, with losses rising over time. The employer used covert video surveillance to identify the responsible parties (a group of cashiers and sales assistants), who were then dismissed. The Grand Chamber decided that, while covert video surveillance is not justified for every slightest suspicion of misappropriation or wrongdoing, the video surveillance in the specific case was lawful despite the fact that employees had not been informed in advance about the monitoring by the employer. The case differs from the Bărbulescu case (where also no prior information was given) because the Bărbulescu case concerned the general monitoring of an employee's activities during working hours, while in the López Ribalda case there was a concrete suspicion of a crime causing considerable damage. The ECHR weighed the protection of the privacy of employees against the protection of the employer's property and business operations and considered the following factors: there was a legitimate aim because of a concrete and reasonable suspicion of serious misconduct causing substantial losses and endangering the smooth functioning of the company; the employees' expectation as to the protection of their private life was limited, because they were monitored not in very private areas (such as toilets, locker rooms or closed working areas) but in areas open to the public (such as checkout counters), where their privacy was in any event restricted by permanent contact with customers, and the activities filmed were not of an intimate or private nature; the duration had not exceeded what was necessary in order to confirm the suspicions of theft; and the measures were appropriate and proportionate, as there were no other less intrusive means to achieve the legitimate aim.
While the court stressed the importance of appropriate prior information, the lack of information in the specific case was considered just one of the criteria to be taken into account in order to assess the proportionality of the measures taken and other safeguards were sufficient to justify the overall balancing in favor of the employer.
Although the Bărbulescu and López Ribalda decisions did not directly refer to the GDPR, the decisions are generally understood to interpret the accepted principles under the European Convention which remain applicable under the GDPR. Therefore, companies are well advised to consider the criteria established by the ECHR when conducting internal investigations.
The GDPR and the national implementation laws, if applicable, set strict limits for conducting internal investigations. Companies have to deal with a variety of requirements and obligations. To ensure compliance with data protection laws, companies should carefully assess the individual circumstances and legal requirements for each investigation. Companies are well advised to establish a professional data protection concept and investigation plan, including appropriate internal procedures and technical and organizational safeguards, enabling the company to effectively manage the internal investigation in line with legal requirements. The steps taken should be documented in order to be able to demonstrate compliance with the GDPR. Otherwise, companies may face serious sanctions, data subject damage claims, reputational damage and exclusion of evidence due to unlawful processing.
Dr. Martin Pflueger
Hogan Lovells Munich
T +49 89 29012395
Since the early days of his career, Martin Pflueger has been focusing his practice on advice in the area of information technology, Internet, e-commerce and data protection law, with a focus on the technology, automotive and life sciences industry. Not least from his various secondments with clients in the technology and pharmaceutical sector, including as European privacy counsel for a worldwide leading cloud computing service provider, Martin brings extensive experience in drafting and negotiating IT agreements, evaluating new technologies and business models as well as advising clients on all aspects of European and German data protection law.
Martin is recognized for having a deep understanding of the expectations and legal challenges clients are facing in connection with complex technology or outsourcing projects, the implementation of business processes in the field of Internet and e-commerce matters, or the handling of personal data. He regularly advises clients on IT/IP related aspects in various commercial and corporate transactions. Martin's privacy practice covers all aspects of European and German data protection law, including the coordination of multi-jurisdictional projects on European and international level – whether you are looking at setting up your cross-border transfers of personal data (including implementing Binding Corporate Rules), managing your internal investigations or compliance systems, or at dealing with the particularities for the processing of employee or health data, whether you need assistance with the drafting of privacy policies or data transfer agreements, or whether you seek advice on topics such as Artificial Intelligence, Big Data, Connected Cars or the Internet of Things. He regularly assists companies in relation to GDPR compliance audits and implementation projects.