Complying with German data protection laws can be challenging when it comes to internal investigations where there is a suspicion of employee wrongdoing. Employers should take note of guidance in a German Federal Labour Court decision as to whether given investigative measures may be justified.
Collection, processing and use of personal data is permissible only if and as far as permitted or ordered by the Federal Data Protection Act (FDPA) or another law, or if the data subject has provided consent. This holds true in employment relationships as well. Under Section 32 FDPA, an employee’s personal data may be collected, processed or used for employment-related purposes where necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract. Any data obtained without permission or in inadmissible ways must not be used as evidence to found a dismissal. Once the General Data Protection Regulation (GDPR) comes into force, Section 32 FDPA will be replaced by Section 26 Federal Data Protection Act-new, although that is no more specific.
What does this mean for internal investigations?
As the wording of Section 32 FDPA is rather unspecific, courts have ruled in the past that this regulation may not justify any investigative measure to determine whether any employee has gravely breached his or her duties, unless the breach of duties is also a criminal offence. This understanding of Section 32 FDPA complicated and hindered compliance monitoring as well as internal investigations considerably, as employers were, for example, not entitled to investigate specific grounds of suspicion for cartel violations below the threshold of a criminal offence. In other words, employers were barred from investigating specific grounds for suspicion of serious breaches of duties if these were not a criminal offence at the same time.
More recently, though, the German Federal Labour Court (Germany’s highest court for employment disputes) has, in its leading decision of June 29, 2017 (2 AZR 597/16), taken a unified position with regard to internal investigative measures. It ruled that investigative measures are justified in general if the following rules are observed:
- there is a (simple) suspicion of gross misconduct, which does not necessarily have to be a criminal offence;
- the suspicion is based on specific facts (which are to be documented);
- no less intrusive investigative measures exist (there is a “need to know”); and
- the investigative measure is reasonable (based on a balance of interests).
This triggers the following effects for internal investigations and the respective systems: To avoid evidence obtained from being excluded, and potentially also fines and claims for damages, companies have to select steps that can be taken in accordance with the circumstances of the specific case. The “need to know” principle in particular demands that even if there is no less intrusive measure, the selected measure has to be limited with regard to scope and length of the investigation. It is also crucial that a weighing of the respective interests has taken place. As exclusion of evidence obtained is often based on data protection laws, it is advisable to involve the company’s data protection officer in the respective investigation – especially when establishing a system of internal investigations, whistleblowing etc. Employees conducting the respective investigations also have to be trained to ensure that they understand and observe these rules. Checklists as well as investigation maps have proven helpful.
As Section 26 Federal Data Protection Act-new includes the principle regulations which are the basis for the Federal Labour Court’s decision, it is to be expected that the rules outlined above remain applicable after 25 May 2018, when General Data Protection Regulation (GDPR) comes into force.