Companies are obliged to investigate indications of misconduct, but the results of internal investigations are generally not protected against seizure (unlike under the Anglo-American principle of legal privilege). Under German law, there is no legal privilege in the sense of a comprehensive protection of communication between lawyer and client. Lawyers have a confidentiality obligation; they are not allowed to disclose information obtained in the context of their engagement without the client's consent.
Searches at law offices are not generally prohibited. The German Code of Criminal Procedure provides privilege protection only for the communication between individual defendants and their defence counsel. In-house counsel generally do not qualify as lawyers or defence counsel for their company.
It is prohibited to seize documents of individual defendants and their defence counsel, as well as documents prepared for the purpose of defending a company if the company is in a position similar to that of an accused person; this requires sufficient suspicion against a manager that increases the probability of sanctions against the company (Federal Constitutional Court).
German law does not prohibit lawyers from conducting internal investigations, even if they have regularly consulted the company and are still doing so. In any case, however, it must be made clear to an interviewee that the lawyer conducting the interview does not represent the employee, but the company.
Notwithstanding the prevailing lack of legal privilege regarding internal investigations, companies should carefully structure the collection of information. Data gathering should follow a documented investigation plan, combining forensic data analysis, document review, and employee interviews, while fully respecting GDPR, employment law, and works council rights.
Internal dissemination of investigation results should be strictly limited. A common pitfall is over-distribution of findings within management or compliance functions. Information should follow a clear need-to-know principle, typically restricted to senior management, compliance officers, and supervisory bodies. Wider circulation increases the risks of leaks, reputational harm, inconsistent narratives, and loss of control in potential enforcement proceedings.
Whether and to what extent findings should be disclosed to prosecutors or regulators is, except for statutory disclosure requirements, a strategic business decision requiring careful balancing of interests. While cooperation may expedite the conclusion of investigations and mitigate sanctions, premature or uncoordinated disclosure can significantly increase criminal, regulatory, and civil liability exposure. Structured disclosure strategies and consistent communication frameworks are essential.