Data protection compliance in internal investigations – forward-looking planning and organisation is essential
Published on 31st Oct 2024
Time and again, companies are confronted with situations in which they have to access the data of their employees or board members for the purpose of conducting an internal investigation, e.g. if there is a suspicion that criminal offences or other legal violations have been committed. Especially in the case of antitrust or competition law offences, companies are threatened with high fines, making a thorough internal investigation necessary.
In some cases, companies may even be legally obliged to carry out such an investigation, e.g. under company law, in particular on the basis of the management responsibility of the board of directors (or equivalent body) for the company, on the basis of Sec. 130 OWiG (German Act on Administrative Offences) and as a consequence of the obligation to set up a compliance system.
The question regularly arises as to whether and how such investigations can be carried out in accordance with data protection (or even criminal law) requirements. Consultancy practice shows that companies must lay the foundations for successful (and also legally compliant) compliance investigations at an early stage.
As has recently become known, high fines are not just a theoretical risk here: according to its activity report for 2023, the Lower Saxony data protection supervisory authority imposed a fine of EUR 4.3 million in one case because the affected employees were not sufficiently informed about the inclusion of their data in a compliance audit and because the disclosure of data to the auditor was excessive.
1. Timely establishment of a compliance organisation in the company, taking into account data protection requirements
In consulting practice, it is regularly found that companies lack the necessary structures to carry out such investigations in compliance with data protection regulations.
One practical example relates to the handling of emails. As part of internal investigations, emails from employees often have to be analysed – often with regard to an investigation period of several years. In this context, it may also be necessary to review chat histories or stored documents.
Initially, the necessary data separation (e.g. between business and private emails) or timely deletion is often missing. Companies therefore frequently have to take a series of ad hoc measures before the planned investigation can be carried out in compliance with data protection regulations.
It is therefore strongly advisable to take these measures in advance (not only once an investigation becomes necessary) and to establish a "compliance organisation" in the company in good time that also takes the data protection requirements into account (see in detail under sections 2 and 3).
Experience has shown that it takes some time to plan these measures, coordinate them with the departments and companies involved and then introduce them. And this time is usually not available if suspicions have already arisen on the basis of which an investigation is to be carried out – especially if there is a legal obligation to do so. There may also be "internal pressure" within the company, for example, because rumours are already spreading that affect business development or companies want to benefit from a "leniency programme", for which they usually have to be the first to report breaches of the law to the authorities. In addition, such investigations are often carried out covertly, especially at the beginning, e.g. to prevent evidence from being destroyed.
If the measures required from a data protection perspective are not taken in good time, in the worst case this can even lead to investigations not being allowed to be carried out or only being allowed to be carried out with the exclusion of certain data sets.
2. Data protection sticking points
The data protection challenges that need to be solved can be illustrated by a judgement of the Higher Regional Court of Thuringia (judgement of 14 September 2021 – 7 U 521/21).
In the case decided by the court, a company accessed the business emails of its (former) managing director on suspicion of significant breaches of duty. The managing director had been expressly authorised to use his business email account for private purposes and had not consented to the access. The Higher Regional Court of Thuringia deemed the access unauthorised, with the result that the email account could not be used for the investigation: a worst-case outcome that must be avoided.
Even if the court's reasoning is open to challenge, this clearly shows that companies must take measures at an early stage and with foresight or avoid certain errors if they wish to carry out internal investigations at a later date:
Applicability of telecommunications secrecy in the employer-employee relationship:
In the opinion of the court, the private emails in the (former) managing director's mailbox are subject to telecommunications secrecy.
In the specific case, the decisive factor was an (inaccurate) wording in the guideline on the use of Internet and email, in which the company stated that by offering private use of the Internet access and email connection, it became a provider of telecommunications services and therefore had to maintain telecommunications secrecy. The court interpreted this as a self-commitment.
Furthermore, in the opinion of the court, the secrecy of telecommunications would continue to exist for as long as the emails are stored on the provider's server (and not under the sole control of the user) – therefore, it does not end solely with the receipt of an email by the recipient.
Authorisation for private use as a company practice:
In the opinion of the court, the company could no longer revoke the authorisation for private use through its right to issue instructions. Rather, the authorisation had become a company practice that could only be revoked to a limited extent.
De facto extension of telecommunications secrecy to business emails if these are not clearly distinguishable:
Finally, the court clarified that only private emails are covered by telecommunications secrecy. However, if these could not be clearly distinguished from business emails, telecommunications secrecy would also indirectly prevent access to business emails, as companies would then have to access all emails, including private emails, in order to identify the business emails. And such access to private emails would also be generally inadmissible under telecommunications secrecy.
3. Recommendations for action by companies
Companies are therefore strongly advised to take measures in advance to ensure that they can carry out internal investigations later on in a legally secure manner, which they may even be obliged to do. From a data protection perspective, companies should take the following measures in particular:
3.1 Establishment of a compliance organisation within the company / group of companies
The first central component for conducting compliance investigations in a legally compliant manner – not only from a data protection perspective – is to establish a compliance organisation within the company or group of companies.
In particular, this includes determining which function / department of the company should carry out such an investigation, e.g. the internal audit department or a special compliance department. If a company is part of a group of companies, it often makes sense for investigations to be carried out centrally so that the necessary expertise and resources only have to be available at this "central point". In addition, investigations in the case of a group of companies often require data from several companies in the group to be analysed, which is why a centralised approach also makes sense here in order to ensure a standardised and coordinated approach.
Depending on the specific structure of the compliance organisation, it may be necessary to establish guidelines and processes within the company or group of companies. In the case of groups of companies, contracts between the individual companies will also often be necessary to conduct centralised investigations. This applies especially if the companies are located in different jurisdictions, since the legal systems of the different countries may stipulate, for example, that investigations are to be conducted by the company employing the employees concerned. These guidelines/processes or contracts should also regulate which functions are to be involved under which conditions and, if applicable, which means may be used under which conditions (e.g. interviews with employees, access to emails, etc.).
Ideally, (sample) documents should also be prepared that could be required in the event of an investigation, especially since in such situations it is often necessary to act quickly to prevent the destruction of evidence and therefore there is hardly any time to draft such documents, e.g. instructions to employees not to delete any data.
In any case, checklists should be drawn up with the steps to be taken in each case in order to ensure that the investigation runs smoothly – especially at the beginning.
3.2 Measures to ensure compliance with data protection requirements
In addition, the following steps must be taken from a specifically data protection perspective so that such investigations can be carried out in a legally secure manner. They comprise (1) measures of a more general organisational nature that should be taken in advance and (2) measures that must be taken as soon as a specific investigation project takes shape.
3.2.1 Measures that should be taken in advance
The most important measures that should be taken in advance due to their general organisational nature:
Prohibition / regulation of private use of the systems concerned
As already shown, the private use of the IT systems affected by the investigation, such as email accounts and cloud storage, can have a significant impact on the (legal) certainty of the investigation. In particular, the question of whether and how an employer must comply with telecommunications secrecy as per Sec. 3 TDDDG (German Act on Data Protection and the Protection of Privacy in Telecommunications and Digital Services) vis-à-vis its employees when private use of email systems is permitted is highly controversial.
Even if, in our opinion, telecommunications secrecy does not apply in principle in such a constellation, companies are strongly advised not to expose themselves to the associated risk. The most effective way for a company to protect itself against this is to prohibit the private use of such systems and to monitor this prohibition if it suspects that it is being breached. If private use is nevertheless permitted or knowingly tolerated, further measures are required, in particular to separate private and business emails/data and regulations on the company's access to emails/data and, if necessary, declarations of consent from employees.
Assessment of company agreements / guidelines
If company agreements or guidelines on the use of any IT systems concerned are concluded or adopted, care must be taken to ensure that they either contain provisions that expressly enable the company to carry out investigations in the desired manner or – in the absence of such provisions – that the company agreements or guidelines at least do not prevent or restrict the investigations. In any case, such regulations should be complied with when conducting the investigation.
Existing company agreements/guidelines should therefore also be reviewed and, where necessary, adapted.
Allocation of responsibilities under data protection law and conclusion of contracts with companies in the group
If an investigation is carried out centrally within a group of companies, it may often be necessary from a data protection perspective to allocate data protection responsibilities precisely and to conclude suitable contracts between the "central company" carrying out the investigation and the other group companies that may be affected by an investigation.
On the one hand, this may be necessary in order to map the distribution of roles under data protection law between the companies involved. For example, such investigations are often carried out by the "central company" and the other group company acting together as joint controllers within the meaning of Art. 26 GDPR. In this case, Art. 26 GDPR requires the conclusion of a corresponding agreement. If necessary, this can also be included in an existing "Intra-Group Data Transfer Agreement".
In addition, an agreement is often required to authorise the "central company" to access the other company's data, e.g. if it is to be downloaded from an Exchange server.
Informing data subjects about the processing of their data
According to Art. 13 GDPR, data subjects must be informed about the processing of their data. Against this background, at least the employees of the company/companies within a group of companies should be informed (in the abstract) as part of the "employee data protection statement" about the potential processing of their data for this purpose and any joint controllership that may exist in this context.
If information has not been provided beforehand, exceptions to the obligation to provide information (also to non-employees) must be analysed, e.g. in accordance with Sec. 32 (1) no. 4 BDSG (German Federal Data Protection Act) or Art. 14 (5) lit. b GDPR, whereby the data subjects may then have to be informed at a later date.
3.2.2 Measures in view of a specific investigation
The most important measures that must be taken as soon as the intention to carry out an investigation solidifies:
Assessment of admissibility under data protection law
It must be ensured that the processing of personal data associated with the planned investigation is carried out in a permissible manner, e.g. if an employee's emails or stored data are to be accessed. In the absence of the data subject's consent, legal authorisation is required for this. The legal basis for this is in particular Art. 6 (1) lit. c GDPR, if there is a legal obligation to carry out the investigation, or Art. 6 (1) lit. b GDPR, if the processing is necessary for the performance/termination of the employment relationship, or Art. 6 (1) lit. f GDPR, if the investigation pursues legitimate interests of the company.
Each of these legal bases – also against the background of several rulings of the CJEU – is associated with special requirements that must be assessed and complied with in each individual case.
This applies to all phases of such an investigation, which typically consists of the following three sections:
1. the freezing of a large amount of data for backup and protection against deletion or modification ("freeze"),
2. the investigation itself, in which the data relating to certain suspects ("custodians") is analysed,
3. processing the results of the investigation in order to assert claims, defend against claims, etc.
It must also always be checked whether the specific purpose (from a certain point in time) could also be achieved with anonymous or pseudonymous data.
Regardless of the ultimately applicable legal basis, companies must carefully document the results of the admissibility check.
Processing of special categories of personal data pursuant to Art. 9 (1) GDPR
There are particular challenges when processing special categories of personal data, such as health data. These may only be processed under particularly strict conditions. In particular, the legitimate interest of a company alone cannot justify their processing. Against this background, every reasonable effort should be made to avoid Art. 9 (1) GDPR becoming applicable at all.
This can include both organisational measures, such as a selection of search terms that avoids such data categories being returned as hits, and technical measures, e.g. to prevent the disclosure of this data to the reviewers. If it cannot be avoided that Art. 9 (1) GDPR applies, the processing of this particularly sensitive data can, depending on the individual case, possibly be based on special authorisations, such as Art. 9 (2) lit. f GDPR or Art. 9 (2) lit. b GDPR in conjunction with Sec. 26 (3) BDSG (or the corresponding national law of another EU member state). This requires a reliable assessment.
Permissibility of changes of purpose
If the personal data was not (also) collected for the purpose of carrying out such investigations, as will often be the case, the requirements of Art. 6 (4) GDPR must also be met before the data may be used for the investigation. As a rule, this means that a compatibility test in accordance with Art. 6 (4) GDPR must be carried out, and the results of this test should also be documented.
Information of custodians in specific cases
It may also be necessary to inform the custodians – in addition to the general employee data protection statement – about the specific circumstances of the processing of their data in the context of the specific investigation (e.g. about which specific employee groups and data are affected). This applies in particular in the light of the above-mentioned decision of the Lower Saxony data protection supervisory authority, in which the imposition of the fine of EUR 4.3 million was justified primarily by the fact that the employees concerned were not sufficiently informed about the inclusion of their data in the specific compliance audit. The extent to which such (additional) information is required in an investigation depends on several factors that need to be examined on a case-by-case basis, including whether the investigation must initially be conducted secretly in order not to jeopardise the objective of the investigation. If the information in the general employee data protection statement was not sufficient, it may be necessary to provide additional information to employees.
Check the investigation manual with regard to the necessity of data processing
Depending on the scope and focus of the investigation, it may be useful to create an investigation manual in which the individual steps of the investigation are defined (internally), e.g. the search terms used to analyse the data.
What all of the above-mentioned legal bases for data processing have in common is that they can only justify "necessary" data processing for the respective purpose. Therefore, even after the initial review of the permissibility of data processing, it must be ensured in the further course of the project, that only "necessary" data processing takes place.
The investigation manual can play an important role here: each step defined in it for the further course of the investigation (and the way that step is designed, e.g. the scope of custodians, periods and search terms) can be assessed for its necessity for the respective purpose, and data protection guidelines for the step can be laid down where needed.
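The two technical measures mentioned above, keeping special-category data out of the review set and restricting each processing step to what the investigation manual defines as necessary, can be implemented as a pipeline over the mailbox export. The following is an added example, not code from the original article: it uses a constructed sample mailbox and a hypothetical "manual" (custodians, period, search terms and sensitive-term indicators are all assumptions), scopes the data step by step, never opens messages in a private folder, and holds back hits that also match special-category indicators for legal review instead of releasing them to reviewers. The count logged after each step is the raw material for documenting necessity.

```python
# Added example (not from the original article): a minimisation pipeline for
# an email review set, following the investigation-manual idea in the text.
# All names, messages and search terms below are constructed/hypothetical.
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Email:
    msg_id: str
    custodian: str   # mailbox owner
    folder: str      # "Business" or "Private": assumes separation is already enforced
    sent: date
    subject: str
    body: str


@dataclass(frozen=True)
class Manual:
    """The (hypothetical) investigation manual: who, when and which terms."""
    custodians: frozenset
    period: tuple            # (start, end), inclusive
    search_terms: tuple      # what the investigation actually needs
    sensitive_terms: tuple   # indicators of Art. 9 data to keep out of the review set


# Constructed sample mailbox (not real data)
MAILBOX = [
    Email("m1", "alice", "Business", date(2022, 3, 4), "Q2 pricing",
          "We should coordinate prices with the competitor before the tender."),
    Email("m2", "alice", "Private", date(2022, 3, 5), "Dinner",
          "Competitor of my brother-in-law makes great pizza, see you at 8."),
    Email("m3", "alice", "Business", date(2022, 3, 6), "Sick note",
          "Attached my sick note; diagnosis is confidential. Tender meeting moved."),
    Email("m4", "bob", "Business", date(2022, 3, 7), "Tender",
          "Competitor X submitted a lower bid. Let's discuss a price agreement."),
    Email("m5", "alice", "Business", date(2019, 1, 2), "Old tender",
          "Price agreement with competitor Y from 2019."),
    Email("m6", "alice", "Business", date(2022, 3, 8), "Lunch",
          "Canteen menu attached."),
]

# Hypothetical manual: one custodian, calendar year 2022, antitrust-style terms
MANUAL = Manual(
    custodians=frozenset({"alice"}),
    period=(date(2022, 1, 1), date(2022, 12, 31)),
    search_terms=("price agreement", "coordinate prices", "competitor", "tender"),
    sensitive_terms=("sick note", "diagnosis", "trade union"),
)


def matched_terms(email, terms):
    """Return the terms that occur as whole words/phrases in subject or body."""
    text = f"{email.subject}\n{email.body}".lower()
    return [t for t in terms
            if re.search(r"\b" + re.escape(t.lower()) + r"\b", text)]


def build_review_set(mailbox, manual):
    """Apply the manual step by step; log the count after each step so the
    necessity of every processing stage can be documented."""
    log = []

    def step(name, items):
        log.append((name, len(items)))
        return items

    # 1. Scope: only the custodians and period the manual defines.
    in_scope = step("in_scope_custodian_and_period", [
        e for e in mailbox
        if e.custodian in manual.custodians
        and manual.period[0] <= e.sent <= manual.period[1]])
    # 2. Separation: private folders are never opened.
    business = step("after_private_exclusion",
                    [e for e in in_scope if e.folder == "Business"])
    # 3. Search: only messages matching the manual's search terms go further.
    hits = step("search_term_hits",
                [e for e in business if matched_terms(e, manual.search_terms)])
    # 4. Quarantine: hits that also contain special-category indicators are
    #    held back for legal review instead of being disclosed to reviewers.
    review, quarantined = [], {}
    for e in hits:
        flags = matched_terms(e, manual.sensitive_terms)
        if flags:
            quarantined[e.msg_id] = flags
        else:
            review.append(e.msg_id)
    step("review_set", review)
    step("quarantined_for_legal_review", list(quarantined))
    return {"review_set": review, "quarantined": quarantined, "log": log}


if __name__ == "__main__":
    result = build_review_set(MAILBOX, MANUAL)
    for name, count in result["log"]:
        print(f"{name}: {count}")
    print("review set:", result["review_set"])
    print("quarantined:", result["quarantined"])
```

With the sample data, the private message m2 is never searched even though it contains a search term, m4 and m5 fall outside the custodian and period scope, m1 reaches the review set, and m3 is quarantined because it matches both a search term and health-related indicators. In practice the step log would be kept with the admissibility documentation, and the quarantine would be reviewed by counsel before anything in it is released.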
Carrying out a data protection impact assessment
Depending on the scope and organisation of the investigation, it may be necessary to carry out a data protection impact assessment in accordance with Art. 35 GDPR before data processing begins.
Conclusion of data processing agreements with forensic service providers
If specialised forensic service providers are involved in an investigation, they generally act as processors on behalf of the respective company. The requirements set out in Art. 28 GDPR must therefore be observed when selecting the service provider. Only reputable service providers should be selected, particularly due to the often considerable scope and possibly also the sensitivity of the data. Furthermore, a data processing agreement must be concluded with these service providers in accordance with Art. 28 (3) GDPR. In particular, it must be ensured that the requirements of Art. 32 GDPR on the security of processing are also complied with.
3.3 Consideration of further implications under criminal law
As soon as such investigations extend to log files or ongoing connections or to stored files or emails, the criminal law provisions of Secs. 202a and 202b StGB (German Criminal Code) must also be observed, which were originally introduced as "hacker paragraphs", but whose wording is formulated so broadly that access by the employer to business end devices can also be covered in principle; many detailed questions are still unresolved. Essentially, these provisions prohibit access to data that is not "intended" for the perpetrator.
As a rule, data stored for business purposes is intended for the employer. This approach is also followed by labour court case law (LAG Berlin-Brandenburg NZA-RR 2011, 343 ff.). The Federal Court of Justice has also recently considered the employer to be authorised to dispose of its employees' email data (BGH, NStZ-RR 2020, 278, 280).
However, there are uncertainties if employees are permitted to use work devices for private purposes. The prevailing opinion in such constellations is that private content falls under the protection of Secs. 202a and 202b StGB. In the case of mixed use, however, this makes the distinction more difficult. This also applies to business-related but personal files (such as communications from the HR department, the company medical service or the works council).
It is also a requirement of the offence that access must take place by "circumventing the access protection". In principle, the combination of user ID and password is recognised as access protection within the meaning of Sec. 202a StGB; circumventing password protection therefore constitutes a criminal offence. In the employment context, however, it should be noted that the employer (usually acting through the IT or network administrators) has access to the business end devices and the information stored there as part of normal operations, precisely in order to administer and maintain them and to secure them against attacks or other disruptions. Against this backdrop, it is widely recognised that using such administrator access for purposes other than those intended is generally not punishable under Sec. 202a StGB. The circumvention of any encryption, however, is as a rule relevant under criminal law.
In order to get these legal uncertainties under control, it is therefore advisable to exclude any private use of business end devices or to create such regulations that ensure the legality of the employer's necessary access authorisations in legal and operational terms (see above under section 3.2.1).
3.4 Possible consequences of violations of data protection or criminal law regulations / prohibition of use of evidence
If companies violate the provisions of data protection law, such a violation can regularly be sanctioned by the competent data protection supervisory authorities, including by means of a fine. As mentioned at the beginning, there are already precedents in which such sanctions have been imposed for internal investigations that violate data protection law. Criminal offences can be punished with a fine; prison sentences are likely to be reserved for extreme cases. It is more likely, however, that the public prosecutor's office will discontinue the proceedings (possibly subject to conditions). In any event, a criminal penalty would be imposed not on the company but on the individuals involved.
In addition to the sanctioning of the violation per se, a violation of data protection or criminal law regulations in the present context can also have consequences for the use of the findings obtained through the investigation. Even if German courts are rather reluctant to assume a ban on the presentation of facts or the use of evidence, at least in the case of violations of data protection regulations (see e.g. BAG, judgement of 29 June 2023 - 2 AZR 296/22, on unlawful open video surveillance), companies should not expose themselves to the risk of a ban on the use of the findings obtained through the investigation in a dismissal protection or compensation claim, especially since the BAG (Federal Labour Court) also stated in the aforementioned judgement that a ban on use would exist under certain circumstances.