Legal regulations for internal investigations – lawyer provides clarity

Internal investigations are a valuable tool for uncovering legal violations within a company. They are an indispensable compliance instrument for minimising liability risks. Although they are an essential measure for clarifying facts within a company, there are no explicit legal requirements for them. This can make it difficult for companies to maintain an overview of what is and is not permitted amid the complex web of legal regulations. This article highlights the regulations that must be observed in the context of an internal investigation, the areas of law that require particular attention and how a lawyer can support companies in conducting such investigations and complying with relevant regulations.

General information on internal investigations

An internal investigation is initiated when there is suspicion of a legal violation. The scope of internal investigations can vary greatly and is tailored to the specific circumstances of the case. Minor administrative offences committed by employees can often be dealt with quickly and easily with little effort. In comparison, criminal allegations raise very complex legal questions that must be examined in equally extensive investigations.

Investigation methods 

Depending on the size and structure of a company and the specific circumstances of the suspected violation, a wide variety of investigation methods are used:

  • Employee interviews,
  • Analysis of paper documents and electronic data,
  • Open source research,
  • Forensic investigations,
  • Expert assessments,
  • After completion of the investigation: legal assessment of the investigation results, for example in the form of a legal opinion.

If the investigation is conducted properly, the results can be used as evidence in legal proceedings (criminal, civil and administrative proceedings).

Legal requirements at a glance

Currently, there are no explicit legal requirements for conducting internal investigations in companies in Austria. While the procedure is not conclusively and expressly regulated by a specific law, special legislation can provide the basis for potential regulations. In any case, the primary focus must be on the personal rights of those affected and the fundamental right to data protection, as set out in Section 1, Paragraph 1 of the Austrian Data Protection Act (Datenschutzgesetz – DSG) and the strict requirements of the General Data Protection Regulation (GDPR).

The Whistleblower Protection Act (HinweisgeberInnenschutzgesetz – HSchG) is also relevant in this regard, as it regulates the protection of whistleblowers, their identity and confidentiality, and the obligations of secrecy and protection against reprisals. As the HSchG has a narrow scope of application, it must be carefully examined in each case to determine whether it actually applies.

Company law requirements

If company management becomes aware of information indicating a potential legal violation, they are obliged to investigate. This obligation stems from the general duty of care owed by managing directors of a limited liability company (GmbH) under Sec 22 and 25 of the Austrian Limited Liability Companies Act (GmbHG), and by members of the executive board of a stock company (AG) under Sec 70, 82 and 84 of the Austrian Stock Corporation Act (AktG). The supervisory board also has a duty to investigate. These provisions also give rise to an obligation to investigate suspicions of violations of the law or other legal provisions, and to conduct investigations to clarify the facts.

Managers therefore have a duty to act; failing to do so can lead to liability consequences. If a compliance officer is employed by the company, failure to take the necessary action may also result in compliance officer liability.

The business judgement rule (Sec 25 para 1a GmbHG, Sec 84 para 1a AktG) is crucial for avoiding liability. It standardises the circumstances in which decision-makers act with the diligence of a prudent manager. If a managing director decides not to conduct an internal investigation, thereby violating his duty of care, he may be held liable as a managing director.

Liability may also arise from a failure to initiate an internal investigation, even though there is a duty to do so. In the event of a suspicion of a criminal offence within a company, the management is always obliged to conduct an internal investigation.

General civil and labour law requirements

A central component of internal investigations is always the protection of employees’ personal rights. According to Sec 16 of the Austrian Civil Code (ABGB), every person has inherent rights that are self-evident through reason. Personal rights therefore protect individuals from interference by third parties. The most important personal rights include the right to honour, freedom, the right to one’s own image, the protection of one’s personal sphere of life, as well as the right to respect for one’s economic reputation.

Internal investigations may occasionally interfere with these rights. However, it is essential to weigh up the employer’s interests in information and control against the personal rights of the employee. This assessment of interests often requires a comprehensive legal review. If a company has such an assessment carried out by external sparring partners such as lawyers, a thorough legal analysis can be guaranteed.

A duty to cooperate in internal investigations can generally be derived from the duty of loyalty under labour law for affected employees.

Internal investigations often require reviewing documents and data files. A distinction must be made here:

Checking work-related documents is generally permissible, as in such situations the employer’s interests usually outweigh those of the employee. For this reason, the employee’s consent is not required in this case.

However, the situation is different when it comes to checking private documents. An analysis of documents of a private nature is generally not permitted in the context of an internal investigation. Only if a balancing of interests and a proportionality test weigh in favour of the company (e.g. suspicion of criminal offences against the company vs. personal rights and data protection interests of the employee) may private documents also be reviewed if they are probably relevant for the internal investigation.

Data protection requirements

Internal investigations must comply not only with corporate and civil law regulations, but also with data protection requirements. The processing of personal data often interferes with the fundamental right to data protection (Sec 1 DSG). In the context of internal investigations, for example when reviewing emails or other messages, data processing regularly occurs which should be subject to appropriate review by experts.

In the context of internal investigations, the requirements of the GDPR and the DSG must always be complied with. Depending on the category of data, Art 6 or Art 10 GDPR provide different legal grounds that may justify an interference. According to Sec 6 para 1 lit f GDPR, the legitimate interests of the employer (e.g. the investigation or future prevention of potentially criminal behaviour) have to outweigh the interests of the employee (e.g. the right to respect for private life and to the protection of personal data in accordance with Sec 1 of the Data Protection Act).

Furthermore, the principle of proportionality must always be observed. The investigation measures must therefore be the least intrusive means available to achieve the objective. In addition, the principles set out in Sec 5 para 1 of the GDPR must be observed when processing data.

Information that is not relevant to the internal investigation must be deleted. However, relevant findings and discoveries that are important for the enforcement of legal claims may be retained until the respective proceedings have been legally concluded. Special retention obligations apply within the scope of the HSchG.

In addition, the data protection processing directory must be supplemented with investigation measures and a data protection impact assessment (Art. 35 GDPR) must be carried out if data relating to persons worthy of protection (e.g. employees) is processed and data records from two or more processing operations are merged.

Consultation of a specialised lawyer in case of need

In the event of allegations that fall under criminal law, due to the sensitive nature of the matter, it is advisable to consult a lawyer who specialises in internal investigations. He will conduct an initial factual and legal review of the matter, after which he will propose and, if necessary, initiate further measures. A lawyer will ensure that the internal investigation is conducted correctly and that legal requirements are observed, thereby minimising liability risks. The lawyer can either lead the investigation or provide partial support.

Legal compliance is especially important in investigation steps that affect employees’ legal rights. If it transpires that measures taken by the investigation team were inadmissible, civil and, under certain circumstances, criminal consequences may also arise. The following criminal offences are particularly relevant here: breach of privacy and of certain professional privileges (Sec 118 of the Austrian Criminal Code (StGB)), unlawful use of a computer system (Sec 118a StGB), breach of telecommunication confidentiality (Sec 119 StGB), improper use of audio recording and listening devices (Sec 120 StGB), and coercion (Sec 105 StGB). The involvement of a lawyer can minimise these kinds of liability risks.

Dr. Elias Schönborn
Attorney at Law & Criminal Defense Lawyer

CONCLUSION

Internal investigations are often complex and lengthy processes that should ideally be accompanied by external advisers such as lawyers. Do you have questions on this topic, or do you need legal assistance during internal investigations? Feel free to contact us!