Printer Friendly, PDF & Email

The GDPR is not a shield against internal investigations

Konstantin von Reden-Lütcken ( is a Berlin-based criminal defense lawyer specializing in economic and tax criminal law, forensic investigations, and compliance risk management.

Data protection shifted into focus over the last few years as personal data became more prominent and sensitivity increased in respect to potential misuse. When the General Data Protection Regulation (GDPR)[1] was announced in 2016 to become valid in May 2018, panic-like hysteria emerged, pushed by consultants who sought to conquer a share in the consultancy market for data protection. On a daily basis, the question, “Are you GDPR-ready?” was raised in all kinds of communities. The law created or increased a valid sensitivity toward the handling of personal data, but it can also be used to try and avoid prosecution, internal investigations of misconduct, or even criminal offenses of employees or other personnel.

In internal investigations, large volumes of digital data are being evaluated in order to investigate certain suspicions. During such investigations, digital assets are searched by using personal data to identify communications and documents relating to certain employees under suspicion. How does this affect the rights of those employees under GDPR? I was part of a team that was involved in such an internal investigation, and we were confronted with this question by legal counsel. A data protection specialist analyzed the objections raised by the opposing lawyers. The results brought clarification.

This document is only available to members. Please log in or become a member.