In the past 10 years, more and more attention has been focused on corporate integrity. On a global scale, massive bankruptcies such as Enron have contributed to throwing the subject into the spotlight, while in the Netherlands, accountancy scandals such as Ahold have occurred.
These events, and more occasional infringements of competition law, have had a significant impact on regulation and have lead to the development and implementation of legislation (e.g. the US Sarbanes-Oxley Act of 2002) and a general increased interest in corporate governance (e.g. in the Netherlands the development and implementation of the Corporate Governance Code).
As a knock-on effect, individual enterprises have themselves become more focused on their corporate integrity and as a consequence, the role of compliance offer has become increasingly important, inter alia because of the increasingly detailed legislation and supervision required. Following on from that, there has been an increase in internal or corporate investigations, which many companies see as a means of internal risk control. A corporate investigation will most likely be commenced if any trouble (or indication of it) arises and such investigation has the purpose of mapping the issue and making an assessment of the risks contained in it. The results of it can be instrumental for the determination of future strategy. In addition, the results of the investigation can be used to ensure adequate internal reporting, e.g. to the supervisory board.
When commencing a corporate investigation, or when designing and setting up procedures for such corporate investigation to be commenced later, one should keep in mind that the investigation itself must be incorruptible, both with regard to the design and the execution. Errors in these areas could lead to the results of the investigation being unusable, and could even damage the enterprise, for instance, if the impression arises that there is a cover-up being put in place. Below, we will explore a number of relevant issues of both a legal and practical nature and we will address what measures a company can take in the event that the investigation brings a fraud by (for example) employees to light.
The Dutch context: legal framework
First of all, it should be noted that Dutch labour law provides strong protection for employees. It speaks for itself that an employee does not have the same freedoms during working hours as outside them, but fundamental rights such as the right to privacy, and the right to confidentiality of mail and telephone conversations (in principle) also apply during working hours. These rights are laid down in statute, but can also be vested in individual or collective labour agreements.
Further, it should be noted that employees also have a say in the development of policies within their company. This right also applies when the company seeks to implement a plan to install mechanisms that can be used for observing or controlling the presence, behaviour and performance of employees. Examples include the installation of cameras and the checking of email and the use of the internet. The works council must endorse such policies before they can be put in place (but only in general, not specific circumstances).
As a general rule, the following can be observed. The company may not infringe the employee’s privacy any more than necessary. The measure taken must meet the requirements of proportionality (being in proportion to the envisaged goal) and subsidiarity (a lighter measure is not available). In addition, a reasonable expectation of privacy might play a role (see EHRM 25 June 1997, NJ 1998, 506 (Halford)). How these (relatively vague) standards should be applied, depends on the circumstances of the case. It is clear, however, that, for instance, permanent camera surveillance is not allowed, while camera surveillance in the event of concrete suspicions of fraud will be allowed. (See Court of Appeals – Hertogenbosch, 2 July 1986, NJ 1987, 451 (Koma/Industriebond FNV) and Dutch Supreme Court, 27 April 2001, NJ 2001, 421 (Wennekes Lederwaren).
Dutch law does not provide for statutory laws specifically regulating investigations. This does not mean, however, that the fundamental rights as described above have not sunk into almost every relevant aspect of the Dutch legal landscape. There is one statutory law that provides specific and concrete rules that are relevant for an internal investigation that requires a deeper exploration here. The Dutch Data Protection Act (DDPA), or Wet bescherming persoonsgegevens (WBP), which is based on a European directive, contains standards for sound and prudent processing of personal data. The most important points in the DDPA are:
- The scope of the DDPA is limited to the full or partial automated processing of personal data in the framework of the activities of a responsible superior (in this case, the employer). Both the term personal data and the term processing have broad definitions. Under ‘personal data’ falls not only written data or data contained in a database, but also visual material (such as video or photo images) and audio material (such as a recording of a telephone conversation).
- It is decisive whether the data relate to a person that is identified or can potentially be identified, as anonymous or encoded data do not fall within the scope of the DDPA.
- The term ‘processing’ comprises virtually all acting, as of the moment of acquiring the data up until the moment of destroying the data. This means that almost all a company’s investigation methods will fall within the scope of the DDPA.
- If it is established that the DDPA applies, then the recording of the data must be registered with the board for the protection of personal data EUROPEAN LAWYER REFERENCE SERIES 273 The Netherlands (College bescherming persoonsgegevens or CPB). It must be noted that there is an exception in the event the data are collected for the purposes of legal proceedings against the relevant employee.
- From relevant case law about the use of investigation methods by the employer, it appears that employees only in exceptional cases invoke the DDPA or the violation of their privacy. In addition, courts only in exceptional cases apply the DDPA ex officio. This can, however, play a significant role when weighing the interests in employment litigation.
- The company can make the collection of personal data ‘DDPA-proof’ by compiling an internal code of conduct in which it is stipulated which kind of data will be processed and for what purpose.
Read full article here.