Protection of personal data in internal investigations | In Principle


Poland’s data protection regulations do not directly address internal investigations, but that does not mean they do not apply. In fact they can play a major role in drawing the line between lawful and unlawful investigative measures.

A necessary element of internal investigations is analysis of documents and correspondence of persons working in the company or other organisation being investigated. Depending on the purpose for which it was decided to launch the investigation, the scope of documents may be broad enough to cover not only documents in the traditional sense of the term but also data stored on servers and on individual users’ computers (including email), as well as data from company-owned phones and other mobile devices.

Unavoidably, such data sets contain a range of personal data, from the names of individuals to the IP addresses from which they logged onto the company server.

The general rules that must be complied with for personal data to be processed in accordance with the law also apply to processing of personal data in internal investigations, regardless of whether the investigation is preventive in nature or is carried out due to the existence of an actual incident posing a threat to the organisation. Personal data may be processed only when at least one of the conditions set forth in Art. 23 of the Personal Data Protection Act is met (or Art. 27 with respect to sensitive data, i.e. data related to individuals’ health, criminal record, religious affiliation, or several other categories of information identified in the act).

Two of the conditions in these regulations for processing of personal data are of particular relevance to internal investigations. The first is the consent of the data subject (except for deletion of data, for which consent is not required). Consent must be given voluntarily. The second condition is that the processing of data must be necessary to achieve legally justified purposes of the data controller, without infringing the rights and freedoms of the data subjects.

Obtaining the consent of all the interested persons can be difficult from an organisational point of view. Asking for consent may also compromise the element of confidentiality essential for the investigation and allow some persons to eliminate traces of unlawful behaviour. An additional issue arises out of the special nature of the relationship between employer and employee. Consent to processing of personal data given by an employee, regarded as the weaker party to the employment relationship and in a position of dependence on the employer, throws into question the employee’s freedom in this respect, and hence the legality of the processing of the employee’s personal data based on such consent. Theoretically, if the employee has complete freedom in deciding whether to give consent and could refuse without facing any negative consequences, such consent could sanction the legality of processing of the employee’s personal data. (A similar view has been taken by the EU’s Art. 29 Working Party on data protection and in rulings by Poland’s administrative courts.) In practice, however, if a dispute arises it may be difficult to prove that the employee freely consented to processing of his or her personal data in this context.

In addition, the purpose limitation principle applies: data collected for a specified purpose may not be further processed for a purpose incompatible with it. If the data were originally collected on the basis of consent for a purpose that did not include internal investigations, that earlier consent does not cover the new purpose. In that case it is recommended to obtain the data subjects’ consent to the change in the purpose of the data processing.

An alternative basis for processing of personal data in an internal investigation could be derived from the legally justified purposes pursued by the data controller. The Personal Data Protection Act provides two examples of legally justified purposes: direct marketing of the data controller’s own products and enforcement of claims arising out of the data controller’s own business. However, the concept of “justified purpose” as such is not defined in the act.

In practice, the concept of a legally justified purpose of the data controller is interpreted broadly. In the employment context, it is cited as the basis sanctioning monitoring of employees in the workplace, including monitoring of employees’ use of IT systems and devices belonging to the employer (as the data controller).

Lawfully introduced monitoring of employees may prove to be an extremely valuable tool when it becomes necessary to conduct an internal investigation, particularly when time is of the essence. Employee monitoring must not only be conducted in compliance with the law (including the Personal Data Protection Act), but must also meet the requirements of a justified purpose and the principle of proportionality. It must also fulfil the requirement of transparency. This means that employees should be aware that they are subject to monitoring, and under what rules, and the rules must be defined in detail. Conducting monitoring of staff without informing them in advance, even if there is a legally justified purpose, will violate the employees’ right to privacy, and in consequence their personal data will be processed without a proper legal basis.

Agnieszka Szydlik, Katarzyna Żukowska, Personal Data Protection Practice, Wardyński & Partners