Lukas Plattner reflects on LEGALTECH IN SCENA: Bringing the legaltech community…
The executive management of companies is obliged to immediately investigate and remedy any violations of the law brought to their attention and to take disciplinary action against the employees responsible (LG Munich I, 5 HK O 1387/10). Remedying a violation of the law includes taking appropriate measures to prevent similar violations in the future.
A violation of these corporate compliance obligations may give rise to claims for damages against the executive bodies and result in fines against managers and the company itself.
The HinSchG obliges companies with 50 employees or more to set up an internal reporting office for whistleblowers. This reporting office must operate independently in order to ensure that reports are handled objectively and confidentially.
The internal reporting office first checks whether a reported violation falls within the material scope of the law and whether the report can be classified as valid. If a valid report is received, internal investigations must be initiated.
There are information obligations towards the whistleblower. Among other things, the whistleblower must receive confirmation of receipt and information about any follow-up measures taken. The identity of the whistleblower and all persons affected by a report must be treated as strictly confidential, unless there are exceptional reasons to disclose it upon demand by an authority.
Whether the processing of personal data is permissible in the context of internal investigations is determined by the General Data Protection Regulation and the Federal Data Protection Act (“BDSG”). If there is no legal basis for the processing, not only is there a risk that evidence will be inadmissible, but also that the company will face fines of up to EUR 20 million or 4% of its annual turnover. Responsible persons may also be liable to criminal prosecution.
In most cases, the processing of personal data in practice is not based on consent. Such consent can be revoked at any time and carries the risk that courts may deem it inadmissible. As a rule, data processing can be based on Art. 6 (1) lit. f GDPR or § 26 (1) sentence 2 BDSG.
If a data protection officer has been appointed in the company, they must be involved in the planning and implementation of the investigation at an early stage.
The labor law framework for internal investigations can be summarized as follows:
Employees are generally obliged to cooperate in internal investigations and to provide truthful information. Refusal to cooperate or providing false information can result in consequences under labor law, including warnings or dismissal.
At the same time, general right of privacy (Allgemeines Persönlichkeitsrecht, APR) limit internal investigation measures. In particular, employees' rights to their own image, spoken word, reputation, privacy, and informational self-determination are protected. Measures such as workplace inspections or email screening interfere with the APR and are only justified if, after careful consideration of the interests involved, the legitimate interests of the employer (e.g., to ensure order in the workplace, to protect company property, or to preserve trade secrets) outweigh the personal rights of the employee. The latter is usually the case, if there are suspicions of considerable wrongdoing and high potential damage for the company. In any case, employees cannot generally refuse their cooperation based upon the potential risk of self-incrimination (as they could in criminal proceedings).
Collective agreements or works council agreements can establish framework conditions for internal investigations. They often determine binding rules for dealing with suspicions, the involvement of the works council, and the protection of employee rights in the context of investigations.
Under statutory law, the works council's right of co-determination under Section 87 of the Works Constitution Act (BetrVG) can apply, for example, with regard to using technical solutions to review emails (review platforms).
