Companies must observe strict data protection law requirements when conducting an internal investigation. The European General Data Protection Regulation (EU) 2016/679 ("GDPR") provides a uniform set of rules for data processing throughout the European Union, which replaced the existing patchwork of national laws governing how personal data is handled. The GDPR imposes strict and detailed obligations for companies processing personal data, including extensive accountability obligations. Failure to demonstrate compliance with these rules could lead to claims for damages as well as administrative sanctions and high fines from the competent data protection authorities. In addition, despite harmonisation on the European level, national differences must be taken into account, such as specific national law provisions in the area of processing of employee data that can have a substantial impact on how internal investigations can effectively be conducted.
The following sections provide a general overview of the requirements and conditions for internal investigations under the GDPR. The text also highlights relevant case law and the potential consequences of unlawful processing.
What is the legal basis for performing internal investigations under the GDPR?
Companies may only perform internal investigations if they can rely on a valid legal basis for the intended data processing operations. The appropriate legal basis depends on the purpose of the investigation, the categories of data subjects affected, and the nature of the data concerned.
- Legal obligation to perform investigation: Under certain conditions, companies may be legally obliged to perform an internal investigation. In this case, the company may legitimise the data processing based on Article 6(1) lit. c GDPR. However, such cases will likely remain an exception in practice.
- Data processing due to legitimate interests: Companies may further justify the data processing to the extent the processing is necessary for legitimate interests pursued by the company or a third party (Article 6(1) lit. f GDPR), provided that the legitimate interests of the affected data subjects do not supersede. This legal basis (which in practice will often form the only available legal ground) requires a thorough balancing of interests, taking into account all circumstances of the individual case, including the extent of the investigation, the nature of the data processed, the reasonable expectations of the data subjects and the potential consequences for their rights and freedoms. The envisaged processing activities are not admissible if there are less intrusive measures to achieve the purposes of the investigation. A key aspect of the balancing of interests will be the implementation of safeguards to reduce the impact on the data subject and to ensure a proportionate approach in compliance with the data protection principles (see below). The legitimate interest assessment ("LIA") should be thoroughly documented.
- Consent of data subject: The GDPR stipulates strict requirements for obtaining valid consent, including, in particular, that consent must be freely given. This means that data subjects must have a real choice to agree to the related processing of their personal data or not, and also to withdraw any consent given at any time. Therefore, consent is not advisable as a general legal basis for permitting an internal investigation. Particularly within an employment context, due to the imbalance between the employee and the employer, consent will likely not be considered voluntary. This may potentially be different where the processing implies any legal or economic advantage for the employee or the employer and employee pursue similar interests, such as in limited scenarios for certain types of custodians or whistleblowers who are free to provide their consent or not.
- Collective agreements: Collective agreements (in particular works council agreements) may – to some extent – also form a legal basis (or at least an additional safeguard) for internal investigations. However, collective agreements intended to legitimise data processing must comply with the specific requirements of Article 88 GDPR and any national implementation laws (see below).
If the internal investigation also involves special categories of personal data within the meaning of Article 9(1) GDPR (e.g. race, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, health data) additional restrictions apply. Companies may only process sensitive data if they can rely on one of the exemptions stated in Article 9(2) GDPR, in addition to a legal basis under Article 6(1) GDPR as set out above. In particular, companies may process sensitive data to the extent necessary for the establishment, exercise or defence of legal claims (Article 9(2) lit. g GDPR). On the other hand, companies cannot legitimise the processing of sensitive data merely on the basis of their legitimate interests.
What other requirements do companies have to consider?
The GDPR and national implementation laws, where applicable, provide for additional requirements and conditions for internal investigations.
- Compliance with data protection principles: When performing internal investigations, companies have to comply with the general principles of data processing set out in Article 5 GDPR (i.e. lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality). In particular, companies should carefully assess whether the intended processing of personal data is limited to what is necessary and whether all data is in fact adequate and relevant for the investigation. Where possible, companies should only process anonymised or pseudonymised data. Proportionality is a key aspect and may require, among other things, a careful definition of search terms, a limitation of the group of data subjects concerned, the use of automated filtering, the implementation of pseudonymisation, and other safeguards.
- Considering national implementation laws: National laws implemented under the GDPR and other national legal particularities may provide for additional requirements for internal investigations. As an example, the German Federal Data Protection Act ("BDSG") and principles established by national case law impose strict requirements on companies intending to perform internal investigations in the employment context. In addition, the German law provisions implementing the European e-privacy rules are interpreted to impose strict limitations on the ability of an employer to access and review electronic communications of its employees, such as emails, where private use of the employer's IT and communication systems is permitted (with potential liability under criminal law). Also, the specific (and differing) national laws transposing the EU Whistleblower Directive can affect data protection law aspects in the context of internal investigations triggered by whistleblowers. For example, the German Whistleblower Protection Act ("HinSchG") provides for a separate legal basis for the processing of personal data in the context of the operation of a whistleblower system, and leads to certain modifications of the principles established under the GDPR (such as by stipulating specific confidentiality restrictions in respect of information and access rights).
- Accountability obligations: The GDPR imposes strict accountability and documentation obligations (Article 5(2), Article 24(1) GDPR). In particular, companies must not only take all necessary measures to ensure compliance with data protection laws but also be able to prove, such as in the case of enquiries from the data protection authorities, that they have performed the internal investigation in accordance with the GDPR. To comply with these obligations, companies should establish a documented data protection concept and investigation plan setting out the legal considerations and all technical and organisational safeguards implemented for conducting the internal investigation and should comprehensively document every step taken.
- Information of data subjects: In general, companies must inform affected data subjects about the processing of their personal data in advance (Articles 12 et seq. GDPR). This applies, in principle, also in the case of internal investigations. However, the success of the investigation might be at risk if the suspect is informed about the envisaged data processing in advance. The GDPR does not provide for explicit exceptions to the notification requirements for such cases. The national implementation laws, however, may include respective provisions. For instance, under German law, companies do not have to inform data subjects in certain scenarios where the information would impair the establishment, exercise or defence of legal claims. However, there is no uniform implementation at the national level across Europe. Therefore, companies should carefully assess in each case to what extent national exceptions can be relied upon. Whenever possible, companies should inform affected data subjects prior to the investigation.
- Data transfer to third parties: It might be necessary for companies to transfer personal data to third parties outside the company, either to analyse the information with the help of external advisors or to share the results of an investigation with third parties, such as in the case of disclosures to courts or law enforcement authorities. Such data transfers must also comply with the requirements of the GDPR. Where external service providers are involved, acting only as processors on behalf of and in accordance with the instructions of the company conducting the investigation, the data can likely be shared if an appropriate data processing agreement is entered into which reflects the requirements under Article 28 GDPR. In other data transfer scenarios involving controllers, companies will have to thoroughly assess whether and on which legal basis the data can be shared and what safeguards need to be implemented to protect the personal data. Where cross-border transfers are made, the authorities require companies to take a layered approach to reduce the impact on the rights and freedoms of data subjects, which in some cases requires limiting the transfer, at least initially, to anonymised or pseudonymised data only. In addition, the transfer of personal data to recipients in third countries outside the European Economic Area is only permitted where the strict requirements for international data transfers according to Articles 44 et seq. GDPR are met. In its 2021 decision (Schrems II), the Court of Justice of the European Union (CJEU) stipulated strict requirements for the assessment to be carried out by data exporters transferring personal data to recipients in third countries not benefitting from an adequacy decision.
In many cases, specific safeguards need to be implemented to ensure an adequate protection of personal data, such as by entering into additional agreements with the recipients outside the European Economic Area and by implementing additional supplementary technical and organisational safeguards to ensure that the legal regime in the third country does not impinge upon the effectiveness of the selected transfer mechanism. Appropriate documentation needs to be in place to demonstrate compliance with these requirements. In 2023, the European Commission recognised an adequate level of data protection for transfers to U.S. recipients participating in the EU–U.S. Data Privacy Framework which substantially reduces (but does not fully exclude) obligations for companies exporting data to the U.S.
- Data protection impact assessment ("DPIA"): A DPIA must be performed if the envisaged data processing is likely to result in a high risk to the rights and freedoms of data subjects (Article 35 GDPR). In certain cases, particularly those involving the automated processing of large data sets, including sensitive information, internal investigations can have such a potential impact on the rights and freedoms of the affected data subjects. To avoid legal risks, companies should generally perform and document a full DPIA, or at least a reasonably detailed privacy risk assessment, prior to any investigation.
- General data protection law requirements: As for any other processing of personal data, the general requirements under the GDPR must be complied with, such as establishing appropriate records of processing activities (Article 30 GDPR), ensuring compliance with the principles of data protection by design and by default (Article 25 GDPR), and implementing appropriate technical and organisational security measures appropriate to the risks for the protection of personal data (Article 32 GDPR).
- Co-determination rights of the works council: In some countries, it may be necessary to involve the local works council in advance. Investigation measures to which the works council did not consent might be invalid. In addition, the works council might seek a preliminary injunction to prevent the employer from performing the investigation.
What may be the consequences of unlawful processing?
Companies that do not consider the aforementioned requirements and conditions may face high legal risks when processing personal data in the course of internal investigations.
- Administrative fines/criminal liability: Companies that do not comply with the strict requirements of the GDPR may face administrative fines up to €20 million or four percent of their total global turnover for the previous year, whichever is higher. In the case of company groups, there is the risk that data protection authorities will calculate fines on the basis of the consolidated revenue of the group. Additionally, national implementation laws and national criminal codes may provide for criminal liability in case of unlawful processing.
- Exclusion of evidence: In case of unlawful processing, the company may not be able to use the findings of the internal investigation in court. This aspect is particularly important if the company has imposed sanctions (e.g. a dismissal) against an employee due to the findings of the internal investigation. If the employee challenges the lawfulness of the dismissal in court, the company has to show that it has performed the respective data processing in accordance with applicable data protection laws. If the court deems the data processing unlawful, the findings may be excluded as evidence and a dismissal might be invalidated.
- Claim for damages by affected data subjects: Data subjects whose personal data have not been processed in accordance with the GDPR may claim damages from the company. Those claims may refer to material and non-material losses due to the infringement.
Which case law is relevant for internal investigations?
In January 2016, the European Court of Human Rights ("ECHR") rendered an important decision regarding the secret monitoring of employee communication (application No. 61496/08). In the "Bărbulescu" case, the ECHR ruled that employers violate the employees' fundamental right to respect for private life and correspondence (Article 8 European Convention on Human Rights) if they secretly monitor their employees' messenger communication without implementing appropriate safeguards to preserve the employees' legitimate interests.
According to the ECHR, employers are generally allowed to monitor their employees' communication to a certain degree. Such monitoring measures, however, must be accompanied by adequate and sufficient safeguards to preserve the employees' right to privacy. In particular, employers must generally inform their employees about the envisaged monitoring in advance. This notification must include detailed information on the nature and extent of the monitoring and the degree of intrusion. In addition, employers need to provide legitimate reasons to justify the monitoring of employee communication. In this context, the ECHR particularly refers to the principle of data minimisation. Employers must prove that there is no less intrusive measure to reach the envisaged purposes.
The criteria established for the monitoring of employees were further refined in a decision of the ECHR in the Ribalda case (applications Nos. 1874/13 and 8567/13) in October 2019. The court ruled that the covert video surveillance of employees at issue in that case did not violate the employees' fundamental right to respect for private life and correspondence (Article 8 European Convention on Human Rights). Thus, the knowledge gained by the employer could be used as justification for the dismissal.
The case revolved around the fact that, in a Spanish supermarket, merchandise worth between €8,000 and €25,000 per month disappeared over a period of several months, with the losses increasing over time. The employer used covert video surveillance to identify the guilty parties (a group of cashiers and sales assistants), who were later dismissed. The Grand Chamber decided that – while covert video surveillance is not justified for every slightest suspicion of misappropriation or wrongdoing – the video surveillance in the specific case was lawful even though the employees had not been informed in advance about the monitoring by the employer. The case differs from the Bărbulescu case (where no prior information was given either) because the Bărbulescu case concerned the general monitoring of an employee's activities during working hours. In the Ribalda case, however, there was a concrete suspicion of a crime causing considerable damage.
The ECHR weighed the protection of the privacy of employees against the protection of the employer's property and business operations. The court considered that there was a legitimate aim because of a concrete and reasonable suspicion of serious misconduct causing substantial losses and endangering the smooth functioning of the company. Also, the employees' expectation as to the protection of their private life was limited since the employees were not monitored in very private areas (e.g. toilets, locker rooms, or closed working areas) but in areas open to the public (such as checkout counters). In these public areas, the employees' privacy was restricted by the permanent contact with customers, and the activities filmed were not of an intimate or private nature. The court further considered that the duration had not exceeded what was necessary to confirm the suspicions of theft. The measures were thus appropriate and proportionate as there were no other less intrusive means to achieve the legitimate aim.
While the court stressed the importance of appropriate prior information, the lack of information in the specific case was considered just one of the criteria to be taken into account in order to assess the proportionality of the measures taken. Also, other safeguards were sufficient to justify the overall balancing in favour of the employer.
Although the Bărbulescu and Ribalda decisions did not directly refer to the GDPR, the decisions are generally understood to interpret the accepted principles under the European Convention that remain applicable under the GDPR. Therefore, companies are well advised to consider the criteria established by the ECHR when conducting internal investigations.
In addition, at the national level, there is a rising number of specific court cases (and decisions by the competent data protection authorities) relating to employee monitoring and investigations under the GDPR. These cases further refine the principles that need to be taken into account in order to ensure compliance with national law requirements.
Conclusion
The GDPR and national implementation laws, if applicable, set strict limits for conducting internal investigations. Companies have to deal with a variety of requirements and obligations. To ensure compliance with data protection laws, companies should carefully assess the individual circumstances and legal requirements for each investigation. Companies are well advised to establish a professional data protection concept and investigation plan, including appropriate internal procedures and technical and organisational safeguards, enabling the company to effectively manage the internal investigation in line with legal requirements. The steps taken should be documented in an appropriate privacy risk assessment in order to be able to demonstrate compliance with the GDPR. Otherwise, companies may face serious sanctions, data subject damage claims, reputational damage and exclusion of evidence due to unlawful processing.
Dr. Martin Pflueger
Partner, Hogan Lovells, Munich
T +49 89 29012 241
E martin.pflueger@hoganlovells.com
Since the early days of his career, Martin Pflüger has focused his practice on advice in the area of information technology, Internet, e-commerce and data protection law, with a focus on the technology, automotive and life sciences industries. Drawing on his various secondments with clients in the technology and pharmaceutical sector, including as European privacy counsel for a worldwide leading cloud computing service provider, Martin brings extensive experience in drafting and negotiating IT agreements, evaluating new technologies and business models, and advising clients on all aspects of European and German data protection law, including data security and cybersecurity. Martin is recognised for having a deep understanding of the expectations and legal challenges clients face in connection with complex technology or outsourcing projects, the implementation of business processes in the field of digital transformation, and the handling of personal and non-personal data. He regularly advises clients on IT/IP-related aspects of various commercial and corporate transactions. Martin's privacy practice covers all aspects of European and German data protection law, including the coordination of multi-jurisdictional projects at the European and international level – whether you are looking at setting up your cross-border transfers of personal data (including implementing Binding Corporate Rules), at managing your internal investigations or compliance systems, or at dealing with the particularities of the processing of employee or health data, whether you need assistance with the drafting of privacy policies or data transfer agreements, or whether you seek advice on topics such as artificial intelligence, data governance, big data, connected cars or the Internet of Things. He regularly assists companies in relation to GDPR compliance audits and implementation projects.
Martin further regularly represents companies in data protection law proceedings before the data protection authorities or German courts, including handling civil law proceedings relating to (mass) claims for damages.