Konstantin von Reden-Lütcken (krl@krl-law.de) is a Berlin-based criminal defense lawyer specializing in economic and tax criminal law, forensic investigations, and compliance risk management.
Data protection shifted into focus over the last few years as personal data became more prominent and sensitivity increased in respect to potential misuse. When the General Data Protection Regulation (GDPR)[1] was announced in 2016 to become valid in May 2018, panic-like hysteria emerged, pushed by consultants who sought to conquer a share in the consultancy market for data protection. On a daily basis, the question, “Are you GDPR-ready?” was raised in all kinds of communities. The law created or increased a valid sensitivity toward the handling of personal data, but it can also be used to try and avoid prosecution, internal investigations of misconduct, or even criminal offenses of employees or other personnel.
In internal investigations, large volumes of digital data are being evaluated in order to investigate certain suspicions. During such investigations, digital assets are searched by using personal data to identify communications and documents relating to certain employees under suspicion. How does this affect the rights of those employees under GDPR? I was part of a team that was involved in such an internal investigation, and we were confronted with this question by legal counsel. A data protection specialist analyzed the objections raised by the opposing lawyers. The results brought clarification.
The investigation
I was appointed as external counsel to assist an internal task force that had just started to conduct an investigation to assess the potential misconduct of a managing director, a freelance consultant, and a group of employees who all left the company to join a competitor—all within a time frame of three months. A suspicion had been raised by two whistleblowers who had witnessed questionable actions and had reported them to group counsel and the head of internal audit. After initial interviews with the whistleblowers and limited research of backed up emails by the head of internal audit in conjunction with external lawyers, the suspicion was proven to be based on facts. Therefore, a task force was created, of which I became a part. The intensified investigation that followed was primarily conducted by analyzing archived emails of the former employees and the consultant. The result was that proof of substantial criminal behavior could be established relating to breach of copyright, embezzlement, fraud, and theft of data and documents, as well as a substantial breach of noncompetition stipulations. It was my task to evaluate and summarize the facts, which were then used to file a criminal complaint against the former managing director and the consultant (i.e., the leaders of the “gang”), as well as to file a civil lawsuit claiming roughly €7 million in damages.
During the investigation, the defendants’ legal counsel had issued a request based on Article 15 of the GDPR demanding copies of all emails relating to the defendants that had been subject to investigation. After the civil lawsuit had been filed, the request was renewed and incorporated in a counterclaim and objection raised against the analysis of the archived emails and their use as proof in the civil lawsuit. The arguments of the defendants’ legal counsel were: (1) the archived emails are personal data; (2) the defendants have a right to receive a copy; and (3) the archived emails may not be analyzed, particularly as they also contain private information, and/or presented as proof in a civil lawsuit. The defendants’ counsel intended to use the GDPR and a broad reference to Article 6 of the European Convention on Human Rights to suffocate the prosecution from the start. Legal analysis of the raised objections, however, led to a sobering clarification of the real regulatory intent of the GDPR. The legal findings may in their individuality only be applied in conjunction with German law of civil proceedings and the German Data Protection Act. I, however, believe that the legal principles might be applicable in other jurisdictions as well. After all, the intention of this summary is to reduce the hysteria and fear that has arisen from the implementation of GDPR.
The legal findings
1. What is personal data according to the GDPR?
According to Article 15, paragraph 1, of the GDPR, a claimant has the right to receive information on all processed personal data as well as the meta-information mentioned in subsections (a)–(h) (e.g., intent of processing, categories, personal data). Personal data is defined in Article 4, paragraph 1, as any kind of information that relates to an identified and/or identifiable natural person. These comprise data such as the name, date of birth, and all other criteria that allow the identification of a person (e.g., names, account numbers, license plate, Social Security number). Personal data, however, is not all and any information. Personal data contains information that is particularly suitable to identify an individual. Data assembled by or connected with an individual is not considered personal data. Otherwise any kind of document, report, or analysis would have to be considered personal data only because it includes the names of individuals. In such cases, only the names of the individuals would be considered personal data but not the other information contained in the document (as long as it does not enable the identification of the individual).
After all, when employment relationships are being analyzed in archived emails, such as in this particular investigation, the only personal data primarily contained in the emails are the names of the employees. If used in a metasearch, the name has been processed. This does not mean that an employee has the right to receive copies of all emails that had been subject to assessment. The general content of those emails is not personal data. The employee only has the right to be informed—upon request—that a metasearch with his/her name has been conducted, as well as the scope of the assessment. But the content of the emails may, in general, not be considered personal information.
2. Does a claimant have the right to receive copies of documents that are subject to internal investigations?
German civil procedure law does not provide for some kind of discovery (i.e., the disclosure of proof or potential proof relating to the facts on which a civil or criminal complaint is based toward the respective other party). It was certainly not the intention of the legislative authorities to introduce some kind of discovery into the German (or other) jurisdiction “through the backdoor,” even if the additional procedural step of discovery would be helpful to settle lawsuits more efficiently or even out unjust imbalances of financial or influential powers between parties of a lawsuit.
The claimant only has the right to receive information on the personal data processed and the scope of the search. But the claimant has no right to receive copies of the documents or the information that was processed in connection with their personal data. The reason for this is that the person in question must be in a position to judge if the processing of their personal data has been unjust. This is the intention of Section 15 of the GDPR: to enable the affected individual to answer the questions: What kind of personal data has been processed? Was the reason for processing my personal data legitimate? Was it proportionate?
The claimant may not ask to receive all and any documents that are connected to them or in which their name is being mentioned. This would not only not be covered by the intentions of Section 15, but it might also conflict with additional interests of the obligated party in such a broad claim of information (i.e., in this case, the damaged corporation). These interests might include business secrets, such as business-related information contained in emails, names, and information on customers. To allow the claimant to receive all documents connected to their name by claiming their right to being informed according to Section 15 of the GDPR would result in the situation that the company would have to supply the accused with copies of documents and information that had, at least partially, been the object of their greed and that led them to the misconduct—the proof on which damage claims and the criminal complaint were being founded.
The clear answer is: “No, claimants may not receive all documents and information connected to their name. But we do inform them that we conducted a metasearch comprising all archived emails applying their name.” This covers the right of information meant by Section 15 of the GDPR.
3. Will an investigation of personal data lead to a spoliation of evidence in a civil lawsuit?
The German Supreme Labor Court (Bundesarbeitsgericht) on August 23, 2018,[2] ruled that Datenschutz ist kein Tatenschutz, meaning data protection is no protection against (civil or criminal) prosecution. The German Supreme Labor Court had to rule on the question of whether findings from the evaluation of video material showing criminal behavior of an employee (theft) could be used as proof in a civil lawsuit against an employee. The judgement of the German Supreme Labor Court comprises three essential statements, which may be applied as reference in comparable cases (such as the one I just described):
- Section 32, paragraph 1, of the old German Data Protection Law, with respect to Section 26, paragraph 1, of the new German Data Protection Law (drafted to comply with the new stipulations required in accordance with European law) may, in accordance with the GDPR, be regarded as a legal permission for the analysis and usage of personal data within an employment relationship.
- If rightfully analyzed data results in a suspicion of legal misconduct, such data may be further evaluated, processed, and saved and may be used as proof of misconduct.
- The prohibition to save and process personal data only intends to prevent misuse of such personal data. It is not the intention of the legislative authority to prevent the assessment and proof of facts resulting in misconduct or even criminal offenses.
Section 6, paragraph 3, of the GDPR requires the respective member state to establish legislation to grant authorizations to process personal data. Germany did so by creating the new Data Protection Law, where Section 26 requires authorization to process personal data within an employment relationship. Other GDPR states have most certainly also established comparable legislation.
The Supreme Labor Court ruled that personal data may be analyzed to assess misconduct and that it may be used to prove such misconduct. The intention of the legislative authority behind the GDPR as well as the German Data Protection Act is to enable the individual to be informed about the personal data processed and the scope in which it is being processed. But it is not the intention—clarified by the Supreme Labor Court—to prevent the assessment or proof of misconduct, be it civil or criminal. Even if the processing of personal data was unjust or potentially disproportionate, this would not create a spoliation of evidence, because it was not the intention of the legislative authority to cover up or protect misconduct. Such a disproportionate or unjust processing of data may result in fines to be claimed by the Data Protection Authority.
Conclusion
The aforementioned case resulted in the whole investigation team having to cope with questions of data protection, which eventually were clarified by specialists in data protection law who summarized the abovementioned arguments. Of course, every corporation should apply care when processing personal data. Particularly, the individuals in question should be informed (upon request) that their data is being processed—and the scope—in a timely manner. This is an administrative burden for any corporation. Therefore, it may be a slight relief that the GDPR does not require the companies to provide all kinds of information and documents in a lawsuit, and it does not prevent such information being used as evidence based on facts revealed throughout internal investigations.
Takeaways
- The intention of GDPR is to prevent misuse of personal data.
- The GDPR may not be misused to introduce discovery in jurisdictions that do not provide for discovery in litigation.
- Personal data identifies an individual or is data through which an individual becomes identifiable.
- The right to receive copies of processed personal data does not comprise all documents in which that personal data is being mentioned or to which the personal data refers.
- Archived emails and data of current and former employees may be searched in an internal investigation if the employee is suspected to have breached their employment agreement or is suspected of criminal behavior.