Internal Investigations

Internal investigations in companies have become an important aspect of companies’ and corporations’ compliance frameworks, be it in response to an internal or external tip-off, or as part of regulatory scrutiny.

To meet clients´ needs, and to assist clients in compliance-related crises, Schoenherr has established a dedicated unit of specialists from different practice areas across our international offices.

Internal investigations, which inter alia include interviewing employees or collecting and processing data, require answers to various criminal, employment, corporate and data protection law questions.

Presenting a general overview of the key legal issues of internal investigations in Central and Eastern Europe, this primer provides answers to the most urgent questions per jurisdiction covered by Schoenherr.

This guide has been prepared for information purposes only and does not purport to constitute (nor may it be interpreted as substituting) legal advice or to be exhaustive in any respect. It is based on the relevant laws and regulations as of 1 September 2017 and may therefore not present an accurate picture of the legal situation in future. The authors of this guide, Schoenherr and any of its officers, directors or employees, advisors or any other third party accept no liability, duty or responsibility with respect to the content of this guide or the conclusions drawn from its content.

Different chapters and jurisdictions can be selected in the filter box on the right side ➜

General

Generally no.

Generally no.

Generally no. The obligation arises only when the company knows about the criminal activity of a member. The reporting obligation rests with the managing bodies / the persons who conducted the internal investigation.

Generally yes.

Generally, no.
Exceptions may apply for some (grave) criminal activity where a notification duty to local criminal authorities applies.

Generally no.

Generally no.

Generally no.

Generally no.

Generally no.

Generally, no. (see Specific Questions 1.1). Our advice excludes general reporting obligations for crimes against life.

Generally no.

Generally no.

Generally no.

No.

Generally no.

Generally no.

Generally no.

No.

Generally, no.

There is no such obligation regarding an internal investigation. It should be noted, though, that it is a general principle in Hungary that whoever suspects that a crime has been committed might turn to the authorities. There are, however, certain crimes where turning to the authorities is necessary (eg money laundering) and where failure to do so is a crime itself.

Generally no.

Generally no.
However, if such criminal activity involves damage caused to the company, the latter will be able to request the coverage of the damages caused only if an internal investigation (Ro. ancheta de serviciu) was conducted.

Generally no.

No.

No.

Generally no.

Generally no.

Generally no.

No.

Generally yes. A company may generally perform interviews and/or surveillance measures considering certain requirements.

Companies are generally allowed to conduct internal investigations, although the applicable laws and regulations do not provide for the specifics. surveillance measures and interviews are generally permitted, if certain conditions are fulfilled.

Generally yes. A company may generally perform interviews and/or surveillance measures considering certain requirements.

Yes. A company may generally perform interviews and/or surveillance measures considering certain requirements (eg protection of employee’s dignity, data protection, internal policies).

Generally, yes. A company may generally perform interviews and/or surveillance measures (subject to meeting some requirements).

Yes. interviews and surveillance measures might be applied as long as they do not interfere with the private life of the employee.

Companies are generally permitted to conduct internal investigations. However, certain measures (in particular surveillance measures, for example) can only be performed if certain conditions are fulfilled.

Yes. Both interviews and surveillance measures may be used, subject to fulfilment by the company of certain legal requirements.

Companies are generally allowed to conduct internal investigations, although the applicable laws and regulations do not provide for the specifics. surveillance measures and interviews are generally permitted, if certain conditions are fulfilled.

Yes. A company may generally perform interviews and/or surveillance measures considering certain requirements.

Yes. Both kinds of investigation instruments may be used by a company, with the observance of certain requirements.

Companies are generally allowed to conduct internal investigations, although the applicable laws and regulations do not provide for the specifics. surveillance measures and interviews are generally permitted, if certain conditions are fulfilled.

Generally yes. A company may generally perform interviews and/or surveillance measures as tools of internal investigations. However, the company must comply with relevant requirements under respective legislation, such as employment law or privacy law.

Generally yes. A company may generally perform interviews considering certain requirements; requirements are, comparatively, even stricter in respect of surveillance measures (also see answer under point 3.1).

Generally yes. surveillance measures and/or interviews may be used during an internal investigation.

Generally no.

No.

Generally no, unless within the internal investigation a crime has been found. The reporting obligation rests with the managing bodies / the persons who conducted the internal investigation.

Yes, if they contain evidence and/or traces of the criminal activity.

Generally, no.
Exceptions may apply for some (grave) criminal activity where a notification duty to local criminal authorities applies.

Generally no. Please see our comment for question no. 2.

No.

Generally no.

No.

No.

Generally, no.

No.

Generally no.

Generally no.

No.

Yes.

Yes.

Yes.

Yes.

Yes.*
*For details on the various types of leniency programmes, please refer to the answer to question 6.3.

Leniency measures are known in the Hungarian legislation, but cooperation with the authorities in itself is not enough. Usually, the damage should be avoided or at least minimised if possible.

Yes.

Yes.

In principle yes.

Yes.

Yes.

Yes.

No.

Yes.

Yes.

1Deciding on whether to conduct an internal investigation

Generally no. However, if a company definitely knows that the member will commit a crime immediately, it could lead to reporting obligations under certain circumstances. Please also see our answer to question 7.2 concerning ad hoc obligations.

Generally no. The obligation only exists in case of severe criminal offences (ie with a sentence of more than 21 years of prison in the Federation of Bosnia and Herzegovina and more than 25 years of prison in the Republic of Srpska).

Generally no. However, if a company definitely knows that the member will commit a crime immediately, it could lead to reporting obligations for its managing bodies / the persons who conducted the internal investigation.

Companies are legally obliged to report suspicions of criminal activities which are prosecuted ex officio. The The Criminal Code prescribes, inter alia, that a responsible person within a company may face a penalty of 3 years if it does not notify local authorities about such criminal activity.

Exceptions may apply for some (grave) criminal activity where a notification duty to local criminal authorities applies. Please also see our answer to question 7.2 concerning ad hoc obligations.

There are circumstances / criminal activities where failure to report suspicions of criminal activity to the local authorities is a crime in itself (eg money laundering or acts concerning corruption). However, there is no general obligation to report.

Generally no. However, the Criminal Code provides that the criminal liability of the legal entity is triggered if the management and supervisory bodies (i) did not prevent the criminal activity; (ii) attempted to hide the criminal activity; or (iii) did not report the criminal activity before the criminal procedure was initiated against the offender.
Depending on the circumstances, if the management or supervisory bodies of the Company have reason to suspect that a member is or has been engaged in preparatory activities which may eventually result in a crime, the Company may be obliged to report the suspicions of criminal activity.

Generally no. However, reporting obligations may arise, eg as result of external audits or in case of capital market abuse (in accordance with the capital market legislation).

No. The obligation only exists in case of (i) knowing that a criminal offence, for which the prescribed sentence is 5 years of prison or more, is being prepared (the obligation applies for the period before the act was committed / when it was possible to prevent it); (ii) knowing that a criminal offence, for which the prescribed sentence is 40 years of prison, is being prepared; or (iii) knowing that a criminal offence, for which the prescribed sentence is more than 40 years of prison, was committed or in case of knowing who committed such a criminal offence.

No.

Generally, no. However, the persons with control attributions within a company are bound to report corruption offences potentially committed by members.
Additionally, in the case of public institutions, if there is a reasonable suspicion related to the commission of an offence (no matter its nature), the representatives of public institutions or of public-law legal entities must report those offences which represent violations of duties whose observance they control under the law.

Generally no. The obligation only exists in case of severe criminal offences (ie with a sentence of more than 30 years of prison).

Generally no. However, it may lead to reporting obligations under market abuse legislation. And the particular individuals who know about such suspicions might be obliged to report them in certain cases, in order to prevent the crime.

Yes; it is a criminal offence not to report (i) that certain (serious) criminal offences are being planned, or (ii) that such (serious) criminal offences have occured (whereby the seriousness is measured against the years of imprisonment that may be imposed). Additional sector-specific reporting obligations apply (eg for physicians).

No. Pursuant to Article 278 of the Turkish Criminal Law, any person who fails to immediately notify the authorised bodies about an offence is punished with imprisonment up to one year. However, this provision only applies in the event of the negligence of real persons in relation to such obligatory notification of criminal activities; and again, within the meaning of Article 20 of the Turkish Criminal Law; no criminal/punitive sanctions may be imposed on legal entities and legal entities cannot be tried as criminals. However, the sanctions applied to legal entities in the form of security precautions stipulated in the law for the offences are reserved. Such security precautions that can be applied are: (i) cancellation of licences given by public bodies, and (ii) seizure of property and income.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interest of the company.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally, no.
Nevertheless, members of statutory/control corporate bodies must duly discharge their due managerial care in the best interests of the company; this may include a need to consider/ initiate an internal investigation and/or perform other steps in relation to the suspicion of a criminal activity (eg notification duty [see answer to question 1.1]).

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no.
However, if such criminal activity involves damage caused to the company, the latter will be able to request the coverage of the damages caused only if an internal investigation (Ro. ancheta de serviciu) was conducted. Also, such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

No.

Generally, no. However, the company’s management might take such a step in order to act in the best interests of the company.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no; however, such an obligation may arise under the general fiduciary duty of care of the statutory bodies of a company.

Generally no. However, the management / supervisory board members may be obliged to report under their general duty of care towards the company.

No. As explained under point 1.1, companies/legal entities offence, and therefore are not obliged to perform such an internal investigation. However, within the meaning of Article 269 of the Turkish Commercial Code, (i) members of the board of directors of a company or (ii) third parties that are in charge of the governance of a company are obliged to act as cautious executives and to protect the interests of the company while performing their duties in accordance with the principle of good faith. A cautious executive must make business judgments pursuant to the principles of corporate governance. Furthermore, again as explained under point 1.1, if a real person has strong grounds in relation to the commission of a crime, that person is obliged to notify the authorised bodies about the related criminal offence.

This generally depends on the legal form of the company. If the company is a limited liability company (GmbH), it can be obliged by a binding shareholder resolution (of the parent company). If the company is a stock company (AG), it can be obliged by initiating a respective resolution of the management board / supervisory board of the company. However, the management of an AG is rather independent of its parent company, which limits the scope of (legal) influence of the parent company.

Depending on the internal acts of a local subsidiary (ie articles of association, foundation deed), the parent company as a shareholder could through its voting rights influence the Shareholders’ Meeting of the Bosnian subsidiary to enact a decision reflecting the demands of the parent company for an internal investigation.

This generally depends on the legal form of the company. If it is a limited liability company (OOD), it can be obliged by a binding shareholder resolution (of the parent company). If it is a stock company (AD), it can be obliged by initiating a respective resolution of the board of directors / management board of the company.

This generally depends on the legal form of the company. If the company is a limited liability company (d.o.o.), it can be obliged by a binding shareholder resolution (of the parent company). If the company is a stock company (d.d.), it can be obliged by initiating a respective resolution of the management board / supervisory board of the company. However, the management of a stock company is rather independent of its parent company, which limits the scope of (legal) influence of the parent company.

If the company is a limited liability company (d.o.o.), it can be obliged by a binding shareholder resolution (of the parent company). If the company is a stock company (d.d.), it can be obliged by initiating a respective resolution of the management board / supervisory board of the company. However, the management of a stock company is rather independent of its parent company, which limits the scope of (legal) influence of the parent company.

Generally, the parent company may instruct its subsidiary to carry out an internal investigation by means of a binding shareholder or board resolution.

Depending on the internal acts of the local subsidiary (ie articles of association), the parent company as a shareholder could adopt a decision reflecting the demands of the parent company to conduct an internal investigation. Moreover, the work Rulebook may contain additional obligations for the employees/managers.

By means of a decision taken at the general assembly of shareholders / decision of the sole shareholder.

Depending on the internal acts of the local subsidiary (ie articles of association), the parent company as a shareholder could through its voting rights influence the shareholders’ meeting of the Montenegrin subsidiary to enact a decision reflecting the demands of the parent company to conduct the internal investigation.

There are no such means. Both in the case of a limited liability company and in the case of a stock company, neither the supervisory board nor the shareholders/stockholders may issue binding instructions for the management board.

As a matter of principle the parent company has limited legal tools to determine a subsidiary to perform an internal investigation. Usually, cooperation of local management is necessary and highly important for the success of the internal investigation.

Depending on the internal acts of the local subsidiary (ie articles of association), the parent company as a shareholder could through its voting rights influence the shareholders’ meeting of the Serbian subsidiary to enact a decision reflecting the demands of the parent company for an internal investigation.

Yes, in a limited liability company or in a joint stock company the shareholders’ general meeting can adopt a resolution binding on managing directors of a company.

This generally depends on the legal form of the company. In a limited liability company (d.o.o.), a shareholder (ie the parent company) can pass resolutions that are binding on the management (limitations apply). In a joint stock company (d.d.), the shareholders in principle cannot pass such binding resolutions; the management of a d.d. is generally independent. However, there are ways in which a d.d.’s management can be put under an obligation to conduct an internal investigation; one example is a domination agreement, whereby the subsidiary’s management is obliged to act as instructed by the parent’s management.

Generally a local subsidiary can be obliged by its parent company to perform an internal investigation by a shareholder resolution. Furthermore, under the group company provisions of the Turkish Commercial Code, each shareholder of a parent/controlling company can request at the general assembly of the related company that information be provided regarding a subsidiary/dependent company’s (i) position in terms of its finance and assets and accounting results; (ii) the relations of the controlling company with dependent companies; (iii) the relations of dependent companies with each other; (iv) the relations of controlling and dependent companies with their shareholders, managing directors and their relatives; and finally (v) the transactions they have conducted and the results thereof. Furthermore, within the meaning of Article 207 of the Turkish Commercial Code, if an auditor, operational auditor, special auditor, early risk identifier and the management committee have delivered an opinion stating the existence of fraud and conspiracy in a subsidiary/ dependent company’s relationship with the controlling/ parent company or with another dependent company, any shareholder of the dependent company can request the assignment of a special auditor from the commercial court of first instance at the location of the company’s headquarters for the purpose of clarifying this matter.

(i) The authorities are generally not prohibited from using this information against the company itself.
(ii) The authorities can generally also use this information against others (including members).
However, some restrictions of such use could follow out of the method of the internal investigation (ie testimony of a member extracted by threats).

The public authorities (public prosecutor or police) would examine the information in the internal investigation report and (i) pursue the investigation or (ii) reject the criminal charges in cases against (i) the company and/or (ii) others. However, the report on the findings of the internal investigation would represent a source of information on a potential criminal activity for the public authorities, rather than evidence of criminal activity.

In Bulgaria only natural persons can bear criminal liability and therefore criminal proceedings cannot be initiated against a company. Generally, the authorities can use information gathered during an internal investigation against a member or other third person. In order to use such information as evidence in criminal proceedings, the information must be acquired through the proper means, which are explicitly specified in the Bulgarian Criminal Procedure Code. For example, if during an interview a member discloses information that implicates another member in a crime, the interview transcripts may indicate that a criminal offence was committed, but the authorities would probably require a witness interrogation as a proper way of obtaining the information against the member. Depending on the type of evidence and the method of information collection, there may be limitations on the use of information gathered by an internal investigation.

Companies are legally obliged to notify the competent authority about known evidence, as well as take measures necessary to preserve traces of criminal activity. The authorities are generally not prohibited to use this information against (i) the company and/or (ii) against others (including members), provided such information has not been gathered unlawfully (eg testimony of a member extracted by threats, unauthorised video monitoring).

Generally, the authorities are not prohibited from using such information against the company itself. The authorities can also use such information against others (including members). Restrictions apply to the manner in which internal investigations shall be organised not to disqualify its outcomes for the purposes of criminal proceedings (ie a testimony of a member extracted by threats).

There is no limit as to what sort of information the authorities may or may not use or against whom. In other words, it is at the discretion of the authorities to decide how to carry out an investigation.

The public authorities (public prosecutor or police) learn of a crime based on rumours or a criminal report. Based on this it examines the information and (i) pursues the investigation or (ii) rejects the criminal charges in cases both against the company and/or others. If the public prosecutor cannot assess whether the allegations are credible, he shall collect all information necessary to decide on the charges by himself, or with the assistance of the police or other authorities responsible for the investigation.

Generally, the disclosed information can be used against both the company itself and others (including members).

The public authorities (public prosecutor or police) would examine the information and (i) pursue with the investigation or (ii) reject the criminal charges in cases both against (i) the company and/or (ii) others. Certain restrictions of such use could exist based on the method of the internal investigations, if the information was obtained illegally (ie contrary to the law or Constitution; for instance, if testimony of a member was extracted by threats or if information was gathered by reviewing personal e-mail correspondence without a member’s consent).

Such evidence is treated as any other evidence. However, the interrogation records are of lower value, as when it comes to the criminal proceedings the authorities rely on the principle of direct evidence taking. For their validity and procedural value, testimony must be given in front of a competent official.

According to the Code of Criminal Procedure (“CCP”), generally any piece of evidence which is not forbidden under the law may be used in a criminal trial, against the company and/or third parties. Additionally, the CCP provides that personal recordings (interceptions) can be used as evidence if they concern the parties’ private communications. Also, any other recordings may constitute evidence, unless prohibited by the law.

The public authorities (public prosecutor or police) would examine the information in the internal investigation report and (i) pursue the investigation or (ii) reject the criminal charges in cases against (i) the company and/or (ii) others. However, the report on the findings of the internal investigation would represent a source of information on a potential criminal activity for the public authorities, rather than evidence of criminal activity.

The authorities are generally not prohibited from using this information against (i) the company and/or (ii) others. However, should any information be obtained unlawfully, restrictions on its use will apply.

The use of information gathered by an internal investigation is generally permitted, both against (i) the company and (ii) others. Limitations apply; for example, the use of such
information may be limited if the internal investigation was conducted illegally / in circumvention of procedural rights of the suspects (eg in case of unlawful wiretapping or video recordings).

There are no regulations under Turkish Criminal Law or Criminal Procedure Law prohibiting the use of information voluntarily provided (by the company) against the company and/or others. However, if such an internal investigation includes information that has been obtained through unlawful methods (ie voice records recorded without one’s consent), such unlawful information present in the internal investigation cannot be used against the relevant person, member, etc.

2Legal privilege

Basically, lawyers, notaries and economic trustees (Wirtschaftstreuhänder) are covered by legal privilege. These persons have the right to refuse to give evidence on matters about which they learned in the scope of their profession. Authorities must not circumvent this right inter alia by interrogating employees of the privileged person or by seizing documents containing privileged information.
Moreover, anyone has the right to refuse to give self-incriminating evidence.

Legal privilege only applies to attorney-client communication, including everything revealed by the client to the attorney, and all the information that the attorney acquired in any other way while representing the client irrespective of whether the client informed the attorney of the confidentiality of the information or if this could be inferred from the case itself. The attorney is also obliged to keep confidential data, submissions, information, records, objects, minutes and deposits of parties that he or she has chosen not to represent and which were provided to the attorney for the purpose of representation. The aforementioned also applies to parties who decided not to engage the attorney. legal privilege (i) covers attorneys (and trainee attorneys, associates and employees, given that they act in accordance with the attorney’s instructions) and (ii) only applies to the objects and documents placed in the attorney’s office.

Basically only lawyers are covered by legal privilege. Under both the Civil Procedure Code and Criminal Procedure Code, the lawyers of the parties to a court case have the right to refuse to testify (ie the right applies to both civil and criminal proceedings). The lawyers of the parties in competition proceedings enjoy the same level of protection. This means that in civil, administrative and penal proceedings, the legal privilege fully applies to lawyers and they may refuse to testify or to otherwise be interrogated in relation to their activities as lawyers. Legal protection applies to (i) lawyers registered with the Bulgarian Bar Association; (ii) EU or EEA lawyers registered with the Single Register of Foreign Attorneys-at-Law of the Supreme Bar Council and in the register of foreign attorneys-at-law kept by the relevant Bar; and (iii) lawyers assistants registered in a special register at the respective Bar Council. Apart from lawyers and lawyers assistants under (i) to (iii) above, lawyers who are citizens of other countries might enjoy the protection of legal professional privilege pursuant to the provisions of an international treaty between the Republic of Bulgaria and the country of nationality of the lawyer in question or on the basis of reciprocity between the two countries.
Certain violations of this duty of professional secrecy committed by lawyers are criminalised by the Bulgarian Criminal Code.

Notary publics are also obliged to keep confidential circumstances that were entrusted to them in their capacity as a notary. The same rules apply to all notary assistants. However, the protection that applies to notaries is not absolute and a document kept with the Notary Register may be delivered by the notary in the case of a written order (ruling, order) issued by a judge or prosecutor.

Basically, lawyers, notaries and tax advisors are covered by legal privilege. These persons have the right to refuse to give evidence about matters of which they have learned within the scope of their profession. This right must further not be circumvented by the authorities inter alia by interrogating employees of the privileged person or by seizing documents containing privileged information. Moreover, anyone has the right to refuse to give evidence if doing so would expose them to the risk of prosecution, disgrace or significant material damage.

Basically, attorneys-at-law and public notaries are covered by legal privilege. Such persons have the right to refuse to give evidence on matters about which they learned in the scope of their profession. Authorities must not circumvent this right by inter alia interrogating employees of the privileged person or by seizing documents containing privileged information.
Moreover, anyone has the right to refuse to give self-incriminating evidence.

In general, attorneys, notaries and auditors are covered by legal privilege.

Attorneys (and counsel), notary and defence attorneys are bound by legal privilege with their clients. Everything that the client entrusts to the attorney/notary with regard to the requested legal advice, representation or defence, and everything that the attorney has learned about the case in any other way, and any records which the attorney keeps in his archive and which are confidential, represents a professional secret and is covered by legal privilege. If the attorney chooses not to represent a client, he is obliged not to undertake anything which could harm the party. Also, a notary public and all employees of a notary public are obliged to keep confidential data that they have learned about in the course of their work, unless it follows otherwise from the law or the will of the parties.

Generally, under the Moldovan legislation, legal privilege refers only to certain categories of persons, which cannot be heard as witnesses within a penal investigation:
(i) persons with physical or mental issues, if such issues do not allow them to understand the circumstances of the case;
In certain cases:
(ii) defenders (lawyers) and employees of the lawyer’s office, representatives;
(iii) judges, prosecutors, criminal investigation officers, secretaries (recorders);
(iv) journalists;
(v) clergymen;
(vi) doctors (other persons providing health treatment);
(vii) Peoples’ Advocates, Peoples’ Advocates for children’s rights, their deputies and employees of their offices.
Also, a person has the right to refuse to make declarations, disclose information, present documents and goods, if such can be used against him/her or against his/her close relatives.

The Moldovan Code of Penal Procedure, however, does not contain an express prohibition on the seizure of documents of the persons listed in (i) – (vii) above.

Legal privilege applies to attorney-client communication, ingeneral cluding everything revealed by the client to the attorney, and all the information that the attorney acquired in any other manner while representing the client, irrespective of whether the client informed the attorney of the confidentiality of the information or if this could have been inferred from the case itself. The attorney is also obliged to keep confidential data, submissions, information, records, objects, minutes and deposits of parties that he or she has chosen not to represent and which were provided to the attorney for the purpose of representation. The aforementioned also applies to parties who decided not to engage the attorney. As the attorney is liable towards the client for the violation of legal privilege committed by its employees and associates, the legal privilege also covers these persons. Also, a notary public and all his/her employees are obliged to keep confidential data obtained in the course of work, unless it follows otherwise from the law, the will of the parties, or the content of the legal transaction.

Defence attorneys, advocates or legal counsels contacting the arrestees are covered by legal privilege, which may not be lifted or circumvented. The legal privilege refers to facts learned while giving legal advice or conducting a case. It also covers defence documents as referred to in point 2.3. Clergymen are covered by legal privilege with regard to facts learned during confession.
Mediators are generally covered by legal privilege with regard to facts learnt from the accused or the aggrieved party while conducting mediation proceedings.
Persons obliged to not disclose information classified as “confidential” or “strictly confidential” may testify as to information to which the above obligation applies only after they are released from the duty of confidentiality by an entitled superior authority.
Persons subject to notary, advocate, legal advisor, tax advisor, physician, reporter, statistical or counsels of State Treasury Solicitor Office privilege may be questioned with regard to the facts covered by this privilege only when this is indispensable for the interests of the administration of justice and such facts cannot be established on the basis of any other evidence.
The next of kin of the accused may refuse to testify. The right to refuse to testify is also vested in a witness who is accused of being an accomplice in the crime in question in a separate trial in progress.
A witness may refuse to answer a question, if the answer might incriminate himself or his next of kin for an offence or a fiscal offence.

Lawyers and notaries public are covered by legal privilege.

Legal privilege only applies to attorney-client communication, including everything revealed by the client to the attorney, and all the information that the attorney acquired in any other way while representing the client irrespective of whether the client informed the attorney of the confidentiality of the information or if this could be inferred from the case itself. The attorney is also obliged to keep confidential data, submissions, information, records, objects, minutes and deposits of parties that he or she has chosen not to represent and which were provided to the attorney for the purpose of representation. The aforementioned also applies to parties who decided not to engage the attorney. legal privilege in Serbia is regulated by the Serbian Attorney Act. legal privilege (i) covers attorneys (and trainee attorneys, associates and employees, given that they act in accordance with the attorney’s instructions) and (ii) only applies to the objects and documents placed in the attorney’s office or that were temporarily transferred elsewhere under the instructions and supervision of the attorney. Notaries and their offices are not covered by legal privilege under Serbian law.

Legal privilege covers attorneys-at-law, including their employees and associates. Attorneys cannot therefore be subject to interrogation with respect to the provision of legal services, and for instance their communication with a client cannot be used in criminal proceedings as evidence. A similar regulation applies to notaries.
In addition, anyone has the right to refuse to be interrogated if interrogation would expose them or their close persons to risk of prosecution.

In a nutshell, legal privilege – in the sense of the right to refuse to give evidence against the suspect – extends to spouses, close relatives / family by marriage, adoptive parents / children, (religious) confessors, attorneys, physicians, social workers and other persons who obtain information in the course of their profession and are bound by a duty of confidentiality. Furthermore, privilege against self-incrimination applies to all natural persons. In all the aforementioned cases, the persons have a right to decide whether they will give evidence or not.
In addition, attorneys are prohibited from testifying about information obtained from suspects in their role as their attorney, unless they are released by the suspect. Such evidence is in principle always inadmissible.

The Attorneys Act and the Criminal Procedure Law provides legal privilege provisions. Within the meaning of Article 36 of the Attorneys Act, attorneys are prohibited from disclosing information that has been entrusted to them or that they come upon in the course of performing their duties both as an attorney and as members of the Union of Bar Associations of Turkey and various bodies of bar associations. Attorneys’ testimony on the abovementioned matters is contingent upon having received their client’s consent. However, even under such circumstances, the attorney may refrain from testifying. This obligation of the attorney is only towards the client, and a breach of this regulation may lead to the civil and criminal liability of the relevant attorney. Likewise, Article 130 of the Criminal Procedure Law states that the offices of lawyers can only be searched with a court decision and with the supervision of a public prosecutor. The lawyer whose office is being searched is entitled not to permit confiscation of a document during such search, which relates to a client, by claiming legal privilege. In such a situation the related documents should be sealed and the court will decide whether the claimed document is protected by legal privilege. As the above-stated confidentiality is considered to be in the scope of public interest under Turkish law, it is applicable to all litigations and investigations, including competition investigations.

In particular documents drafted by a lawyer for the purposes of advisory and defence of an accused (“defence documents”).

All documents, records (in electronic, audio or picture form), files, minutes and deposits located at the attorney’s office are covered by legal privilege.

Legal professional privilege covers all data, documents and correspondence (documents on hard and soft copy, computer equipment, files and other information carriers), which are in the possession of lawyers and which relate to their clients. Also, client-attorney correspondence is explicitly protected by legal privilege. Conversations between client and attorney cannot be intercepted and recorded. Any recordings, where available, cannot be used as evidence and are subject to immediate destruction. These rules apply in all kind of proceedings (civil, criminal or administration).

Documents drafted by a lawyer for the purposes of advisory and defence of an accused, or tax documents regarding the usage of life insurance premiums as tax relief.

Any attorney-client communication, including documents drafted by an attorney-at-law for the purposes of advisory and defence of an accused (“defence documents”) is covered by legal privilege. Such defence documents are excluded from scrutiny by any public authority (see our answers to questions 2.3 and 2.4 below for limitations).

Documents, statements and notes drafted by the attorney for advice and defence of the accused.

Any documents that the attorney, notary or defence attorney keep in respect of the client.

Generally, there are no documents covered by legal privilege. In other words, the Moldovan Code of Penal Procedure does not expressly prohibit the seizure by the penal investigating authorities of a person’s / entity’s documents (including containing information arising out of the attorney-client relationship).
It is, however, indicated that documents containing state, trade and banking secrets, as well as information with regard to telephone conversations, may be seized on the basis of a court decision.

Documents drafted for the purpose of advising and defence of a client (ie data, submissions, information, records, objects, minutes and deposits of parties he or she has chosen not to represent and which were provided to the attorney for the purpose of representation, also for the parties who decided not to engage the attorney). legal privilege also covers documents concerning representation with which the attorney was acquainted, which were shown or handed over to the attorney during the representation.

Correspondence or other documents surrendered or found in the course of the search contain information pertaining to the performance of function of the defence counsel, additionally documents containing confidential information, or information constituting professional or other legally protected secrets or is of a private nature.

In particular documents drafted by a lawyer for the purposes of advisory and defence of an accused (“defence documents”).

Documents drafted for the purpose of advising and defence of a client (ie data, submissions, information, records, objects, minutes and deposits of parties that the attorney has chosen not to represent and which were provided to him/her for the purpose of representation, also for the parties who decided not to engage the attorney). legal privilege also covers documents concerning representation with which the attorney was acquainted, which were shown or handed over to the attorney during the representation.

Mainly legal documentation prepared in connection with provision of advisory services and for defence of an accused person. It also includes all information communicated to an attorney-at-law by a client.

As regards attorneys, legal privilege, in principle, extends to the attorney’s activities conducted “in the course of their profession”; hence all documents associated with the relevant client-attorney relationship are generally covered.

Documents covered by legal privilege have not been clearly listed under Turkish law. However, legal privilege should apply to all information exchanged between a client and an attorney, regarding the client’s right of defence, without a time limitation.

Legal privilege is not applicable if documents have been handed over to a privileged person for the sole purpose of hiding/protecting them from potential seizure. Moreover, legal privilege no longer applies if the defence documents have been handed over to a third party and are thus no longer within the sphere of the accused or the privileged person.

In the Federation of Bosnia and Herzegovina there are four exceptions where the attorney is relieved from the confidentiality obligation: (i) the client explicitly or tacitly allows it; (ii) it is necessary in order to prevent the commission of a criminal offence; (iii) it is necessary for the attorney’s or his/her associate’s defence; and (iv) an attorney initiates litigation for the settlement of costs and expenses owed by the client. In the Republic of Srpska, the attorney is relieved from his/her confidentiality obligation if (i) the client undoubtedly allows it; (ii) it is necessary for the defence of the client; and (iii) it is necessary for the justification of the attorney’s decision to refuse the defence of a client.

The legal privilege protection begins as soon as the attorney is instructed by the client. There are no explicit limitations provided under the law. The exception of the legal privilege protection would be for documents handed over to the attorney in relation to the attorney’s obligation to identify his/ her clients under the Measures against Money Laundering Act. Documents/information collected under the said act are stored by the attorneys and, if requested by the State Agency for National Security, delivered to it.

Legal privilege is not applicable if documents have been handed over to a privileged person for the sole purpose of hiding/ protecting them from a potential seizure.

Legal privilege is not applicable if defence documents have been handed over to a privileged person for the sole purpose of hiding/protecting them from potential seizure. legal privilege also no longer applies if the defence documents have been handed over to a third party and are thus no longer within the sphere of the accused or the privileged person.

Under the general confidentiality obligation of attorneys, attorneys have the right to refuse to give evidence on matters covered by legal privilege until that document is in the possession of the attorney and unless the client consents to the release. In criminal cases the attorney acting for the defence cannot be heard even if the client gave his prior consent.

Legal privilege by an attorney can only be revealed (i) when the client authorises the disposal, (ii) if it is necessary for the defence, or (iii) if authorised by the Bar Association.

Please see 2.1 and 2.2 above.

There are three exceptions where the attorney is relieved from the confidentiality obligation:(i) if the client undoubtedly allows it; (ii) it is necessary in order to prevent the commission of a criminal offence; and (iii) it is necessary for the attorney’s or his/her associate’s defence.

In point 2.1 there are limitations to be found related to lifting of the legal privilege based on the decision of a competent authority. The legal privilege as specified in point 2.2. does not apply to correspondence or other documents containing information classified as “privileged” or “confidential”, or information constituting a professional or other legally protected secret, if their holder is suspected of having committed an offence. It also does not apply to letters or other documents of a personal nature, if the person suspected of having committed an offence is their holder, author or addressee.

Under the CCP, the professional relationship between a lawyer and his client may be subject to electronic surveillance only when there is information that the lawyer is committing or is preparing the commission of certain very serious offences (eg against national security). It seems that no similar provisions exist in the case of notaries.
If the documents are found outside the sphere of the privileged person, they might no longer benefit from immunity.

There are three exceptions where the attorney is relieved from the confidentiality obligation:(i) if the client undoubtedly allows it; (ii) if it is necessary to prevent the commission of a criminal offence; (iii) it is necessary for the attorney’s or his/her associate’s defence; or (iv) it is necessary for the defence of rights and interests of the attorney or his/her close relatives and associates, if these rights and interests are objectively more important than the confidentiality of the information.

Legal privilege of the attorney-at-law does not apply in cases where the attorney-at-law is required by law to prevent/notify a criminal offence.

Legal privilege is generally limited to the provision of legally permitted services by the attorney to the client. It is therefore inapplicable in various cases of abuse (eg active attempts to hide evidence) or even criminal activities planned / conducted by the attorney and the client together. legal privilege does not apply if information has not been obtained from the client (but rather from some other source) or has been handed over to a third party (despite being originally obtained from the client).

Documents and information exchanged shall not be subject to legal privilege, if (i) the document/information exchanged does not relate to the client’s right of defence, or (ii) is executed/ exchanged for the purpose of hiding or helping a breach of law.

Authorities may under certain conditions seize documents containing legally privileged information. However, seizure of such documents is prohibited if doing so would circumvent legal privilege (see our answer to question 2.1). Therefore, the admissibility of such a seizure depends in particular on (i) the location of the documents (ie in the attorney’s office or company’s office) and (ii) the kind of documents (ie defence documents or documents drafted by the company itself, such as a summary report of an internal investigation). In any case there is a high risk that authorities will access actual privileged documents if these are kept in the company’s offices and not with the accused or a privileged person.

In the Federation of Bosnia and Herzegovina, legal privilege cannot be violated “to the detriment of the attorney or the client”, including during a court-ordered search. If a court-ordered search of a law office concerns the information gathered during an internal investigation, than the public authorities potentially could have access to it. The legal framework and relevant practice do not provide clear guidance in relation to the scope of documents that could be subject to search and seizure in a law office.

Yes. See our answer under 2.3 above.

If legally privileged documents are confiscated, the usage of such documents shall be inadmissible. Also, any evidence gathered from such documents shall be inadmissible (“fruit of the poisonous tree doctrine”), unless public interest prevails over the defence rights of the accused. In any case there is a high risk that the authorities could access privileged documents if these are kept within the premises of the company and not with the accused or a privileged person.

Generally, public authorities may (under certain conditions) seize documents containing legally privileged information if and to the extent such seizure does not circumvent the legal privilege (see our answer to question 2.1). The admissibility of such a seizure depends on the nature of the documents (ie defence documents prepared by an attorney-at-law vs. documents drafted by the company itself, such as a summary report of an internal investigation). The location of the documents is generally not a relevant factor. In each case, there is a substantial risk that public authorities will practically access actual privileged documents if these are kept in the company’s offices.

Under certain circumstances the authorities may access legally privileged information, although a court order is required. In the case of a search warrant, apart from the court order, the presence of the prosecutor is also required.

Attorney-client communication cannot be subject to review, copying, examination or confiscation, and cannot be used as evidence in court proceedings.

Generally, there are no documents covered by legal privilege. However, documents (related to internal investigation) containing state, trade and banking secrets may be seized on the basis of a court decision.

If a court order to search a company concerns the information gathered during the internal investigation, then the public authorities potentially could have access to it. During criminal proceedings, however, the following cannot be seized: (i) written documents (spisi) and documents issued by competent authorities if publication thereof would violate the duty of confidentiality applying to, inter alia, attorneys, notaries; (ii) letters of the suspect to his/her attorney (this does not apply if the attorney was an accomplice, if he helped the suspect after committing a crime, and concealed the crime); (iii) any documents (thus also including defence documents), minutes or excerpts made by the aforementioned professionals who are under a confidentiality obligation, and which were made or acquired while performing their work. Therefore, the possibility of a seizure depends in particular on (i) the location of the documents (ie at the attorney’s office or the company’s office), and (ii) the kind of documents (ie defence documents or documents drafted by the company itself, such as a summary report of an internal investigation). In any case, there is a high risk that the authorities will access actual privileged documents if these documents are kept in the company’s offices and not with the accused or a privileged person.

If a document found or surrendered contains confidential information, or information constituting professional or other legally protected secrets or is of a private nature, the agency conducting the search immediately, without reading it, shall hand the document over to the public prosecutor or to the court in a sealed envelope.
If the defence counsel or other person summoned to surrender an object or whose premises were searched declares that correspondence or other documents surrendered or found in the course of the search contain information pertaining to the performance of function of the defence counsel, the agency conducting the search shall leave the documents to the said person without examining their contents or appearance. However, if such a statement made by a person who is not a defence counsel raises doubts, the agency conducting the procedure shall hand these documents over to the court. The court, having acquainted itself with the documents, shall return them in their entirety or in part to the person from whom they were taken or shall issue a decision that the documents be seized for the purposes of the proceedings.

The following shall be exempted from access and confiscation: documents which contain communications between the lawyer and the client, as well as documents that contain notes made by the lawyer in defence of his client (defence notes).
Apparently, there are no similar provisions in the case of notaries.
However, there is the possibility to have such documents accessed and removed (confiscated) if they are found at the company’s premises and especially if the company is not subject to investigation.

If a court order to search a law office concerns the information gathered during the internal investigation, then the public authorities potentially could have access to it. The legal framework and relevant practice do not provide clear guidance on the scope of documents that could be subject to search and seizure in the law office.

Yes, for instance if documents containing legally privileged information are not stored with the attorney-at-law or are not marked as legally privileged.

There are two aspects to legal privilege. Firstly, it is a procedural right of persons mentioned above (see 2.1 above), allowing them to refuse testimony (and, by extension, it limits certain ways of obtaining evidence – eg wiretapping – which could be used as circumvention of legal privilege). Secondly, it is a procedural caveat, which prohibits the use of certain methods/information in a criminal investigation (eg unwarranted searches of private premises). It follows that obtaining information gathered during an internal investigation in the course of a criminal investigation is, in principle, possible and permissible, eg on the basis of a search warrant for the company’s premises or a testimony by a person who is not covered by legal privilege.
However, it is important to note that measures used for obtaining information during a criminal investigation should not be used to circumvent other procedural caveats. For example: An attorney is prohibited from testifying against his/her client (see 2.1 above); by extension, use of attorney’s notes (including information about a client) that are found during a search of an attorney’s office is not permissible, even if the search itself were (procedurally speaking) lawful.

As explained under point 2.1 above, it is possible, following a legal privilege claim made by a lawyer, to seize and seal in an envelope information gathered from an internal investigation, which is present at the lawyer’s office during a search held by public authorities. In order for such a sealed document to become accessible by public authorities, the judge of a “peace court of criminal jurisdiction” at the investigation phase, or a judge/court at the prosecution phase shall give the necessary decision in relation to the access of public authorities to such documents seized and sealed during a public investigation.

Documents drafted by (i) and (ii) can be protected by legal privilege. Documents drafted by (iii) and (iv) are generally not protected by legal privilege.

In the Republic of Srpska only documents drafted by foreign or national attorney are protected by legal privilege. On the other hand, in the Federation of Bosnia and Herzegovina, only documents drafted by a national attorney are protected by legal privilege.

Yes. In-house counsels are not covered by the legal privilege (unless the correspondence is between external attorney – client and an attorney). Other professionals (ie tax advisors) are also not covered by the legal privilege.
For foreign attorneys the legal privilege applies if they are (i) EU Lawyers who are citizens of another EU member State, of a state party to the EEA Agreement or of Switzerland who are qualified to practice law in at least one of the said countries; and (ii) are registered with the Single Register of Foreign Attorneys- at-Law of the Supreme Bar Council and in the register of foreign attorneys-at-law kept by the relevant Bar. In addition, lawyers who are citizens of other countries might enjoy protection of legal professional privilege pursuant to the provisions of an international treaty between the Republic of Bulgaria and the country of nationality of the lawyer in question or on the basis of reciprocity between the two countries.

Documents drafted by (i), (ii) and (iv) can be protected by legal privilege. Documents drafted by (iii) are generally not protected by legal privilege.

Generally, documents drafted by (i) and (ii) can be protected by legal privilege (some restriction on foreign attorneys may apply). Documents drafted by (iii) and (iv) are generally not protected by legal privilege (for the sake of completeness, documents drafted by tax advisors may under certain conditions be protected by legal privilege).

Generally yes. The protection is granted if a certain document was drafted by an attorney belonging to the Hungarian Bar. The same applies to junior attorneys (associates) belonging to the Hungarian Bar. On the other hand, there are no explicit provisions regarding in-house counsels working in an employment relationship granting professional legal privilege. Tax advisors are generally not granted legal privilege.

Only documents drafted by a foreign attorney and national attorney are protected by legal privilege.

Please see 2.2 above.

Only documents drafted by a Serbian or Montenegrin attorney are protected by legal privilege (it goes without saying that this obligation also applies to foreign lawyers who comply with national requirements and whose licences are recognised by the Montenegrin Bar).

It does not matter who the author of the documents is. It is important if the documents are covered by professional secrecy or any other legally protected secrecy.

Yes. If the mentioned documents have been drafted by lawyers (eg national lawyers/in-house counsels) it can be argued that they are covered by legal privilege (even though there is no certainty about this aspect). Documents drafted by other professionals (eg tax advisors) are not protected by legal privilege.

Only documents drafted by a foreign or national attorney are protected by legal privilege.

Only documents drafted by (i) and (ii) are protected by legal privilege. Other documents are generally not protected by legal privilege.

Generally no. legal privilege extends to information that the attorneys (and other privileged persons) obtain “in the course of their profession” (see also 2.1 above). It is generally irrelevant who drafted (ie technically put together) the interview notes or similar documents containing privileged information.

Documents drafted by national attorneys are covered by legal privilege, while documents drafted by foreign attorneys, other professionals and in-house lawyers are generally not protected by legal privilege. However, foreign lawyers that are not qualified in Turkey but carry out business in Turkey pursuant to the Attorneys Act can be considered within the protection of legal privilege, as long as they are not in-house lawyers. In-house lawyers are not considered to be independent from their clients, where being independent from a client is considered of the main conditions of being in the scope of legal privilege.

(i) Privileged information located in the accused’s office/home is protected.
(ii) Privileged information located in the attorney’s office is generally protected.
(iii) Privileged information located elsewhere is generally not protected.

Legal privilege covers only the information located at the attorney’s office.
The legal privilege of an attorney is notabsolute in the Republic of Srpska, as there are no legal obstacles to the documents covered by legal privilege being seized by the court under the Act on Criminal Procedure. Also, we cannot rule out the possibility that the documents protected by legal privilege in the Federation of Bosnia and Herzegovina will be used in the court if the court considers them not to be detrimental to the attorney or his/her client.

Generally no. However, if the legally privileged information is stored within the company or somewhere else and is not indicated as such (eg for correspondence, relevant identification is made in the subject), the documents that contain such legally privileged information may be taken by the authorities within ongoing proceedings (eg within dawn raids organised by the Bulgarian Commission for Protection of Competition). Subsequently, an appeal against the admissibility of these legally privileged documents has to be submitted within the respective proceedings. This might be both time-consuming and expensive.

Privileged information located at the accused’s office/home is protected. Privileged information located in the attorney’s office is generally protected. Privileged information located elsewhere is generally not protected.

Generally, no. All information subject to the legal privilege is protected regardless its location.

Generally, only information communicated to or being in the possession of the attorney is protected by legal privilege.

Legal privilege covers only information located at the attorney’s office.

Generally no.

Legal privilege covers the information located at the attorney’s office or information that has been located elsewhere by the attorney’s decision and under the attorney’s supervision. In certain cases, an attorney is relieved from the confidentiality obligation, while in a criminal proceeding there is a prohibition of seizure of documents protected by legal privilege.

Except for the limitations specified in point 2.3 above, it does not make any difference where the documents in question are located.

Yes. If located at the attorney’s/notary’s office, the information is inviolable, since it is covered by professional secrecy. If the privileged information is located within the company, there is a risk that it may be accessed by investigation authorities (see also 2.4)

Legal privilege covers only the information located at the attorney’s office.
Yes, legal privilege could be suspended (but only in line with the court’s order), for certain documents generally covered by legal privilege.

In case of legally privileged documents located at the attorney’s office, their use and access to them is limited due to legal privilege. The same applies to an attorney-at-law’s home. For documents stored at other premises, legal privilege generally does not apply.

(i) In principle, information located in the company is not specially protected; however, search of the suspect’s home/office and, in some cases, of the company’s premises requires a court warrant.
(ii) Information located in the attorney’s office is – in addition to a court warrant – specially protected (obligatory presence of the attorney and Bar Association representative, various further procedural protections, etc)
(iii) The status of information located elsewhere depends on the status of the location (eg private vs. public premises, suspect’s premises vs. premises of third parties, etc).
Moreover, information located in an attorney’s office is more likely to be subject to other procedural caveats (see 2.1 and 2.4 above) and hence be inadmissible.
The concept of a “privileged document” (or “privileged information”) is misleading, as under Slovenian law no document is privileged in and of itself and there is no document whose use is in and of itself prohibited in criminal proceedings. In short, what is prohibited are certain way/modes of obtaining documents/ information, as outlined in point 2.4 above.
It is correct that both the company’s premises and the attorney’s office may be lawfully searched on the basis of a search warrant, provided that certain procedural caveats have been observed. It is also correct that information found in the course of such searches may be used by the authorities (in criminal proceedings against the suspect), and in this sense legal privilege is not “absolute”, provided, however, that such information does not contravene (or constitute a circumvention of) procedural caveats. Particularly inadmissible is use of evidence that goes against the caveats mentioned in point 2.1 above, but – more generally – any evidence obtained in breach of Slovenian constitutional rights. It follows that the question of the admissibility or inadmissibility of evidence cannot be addressed with broad rules, but requires comprehensive analysis of the specific circumstances.
To illustrate, two examples: (1) As previously pointed out (see 2.1 above), attorneys are prohibited from testifying about their clients (ie attorney-client privilege); by extension, obtaining such information through a search of the attorney’s office would, in principle, be seen as circumventing attorney-client privilege, and hence such evidence would be inadmissible (ie not because the search itself would be inadmissible, but because it would circumvent attorney-client privilege). It follows that “privileged defence documents” (referred to above), ie documents containing information covered by attorney-client privilege, in principle would not constitute admissible evidence. (2) Evidence about a suspect – such as notes about an internal investigation – obtained during a lawful search of the company’s premises would in principle constitute dmissible evidence, because prima facie there appear no procedural caveats that would be circumvented by this. However, it cannot be excluded that in a particular case such circumvention could be identified (eg in relation to the suspect’s privilege against self-incrimination), and hence such evidence would be rendered inadmissible.

Within the meaning of the above-mentioned Article 130 of the Criminal Procedure Law, only the privileged information located within the attorney’s office is protected. Such information located within the company or anywhere else is generally not protected.

3Data collection – Investigating past violations

A concrete suspicion (konkreter Verdacht) against individual employees is required to justify such a search on an individual basis. Moreover, a balance needs to be struck between the interest in maintaining the employee’s confidentiality (Geheimhaltungsinteresse) on the one hand and the company’s interest in control and “access” (Kontroll- und Zugriffsinteresse) on the other. With respect to business e-mails, such an interest of the company is usually present. Nevertheless, this balancing of interests has to be considered separately in each individual case. Prior approval by the affected members (ie within the employment contract) is advantageous.

Generally, yes. However, under data protection laws and regulations the definition of personal data is quite broad and includes any data based on which the identity of a person is determined or could be determined directly or indirectly (ie could also potentially include the business e-mail address itself if the identity of a person could be determined based on it). Thus, if e-mail itself would be considered personal data, and if any personal data would be reviewed by searching corporate related data, the following should be complied with: (i) the affected members should be informed before the search of the company related data is conducted and should consent to it in writing; (ii) the intention to perform an internal investigation should be notified in principle to the Bosnian Data Protection Authority (“BDPA”); (iii) notification on the created data records concerning the internal investigation would then need to be filed to the BDPA within 15 days of the creation of such data records; and (iv) limitations to data transfer abroad under 5.2 below should be observed. In addition, the collected company related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access. The requirement to obtain the consent of the affected member may be waived only in situations where the lawful rights and interests of the company do not conflict with the right of the affected member to protect its privacy and personal life. However, this balancing has to be considered separately in each individual case. Obtaining the consent of the affected members is recommended, as the BDPA’s practice is generally restrictive.

As in Austria.

A balance of interests between the interest in maintaining an employee’s confidentiality on the one hand and the control and “access” interest of the company on the other has to be made. With respect to business e-mails, such an interest on the part of the company might almost always be given. Nevertheless, this balancing of interests has to be considered separately in each individual case. It would be advantageous if prior approval by the affected members (ie within the employment contract) is obtained or if internal investigation methods are prescribed by the company’s internal policies.

Yes, under certain circumstances. Generally, the guidance of the Czech Data Protection Office suggests that the employer’s approach shall depend on the form of the e-mail address – whether it includes the employee’s name or not. If the e-mail address consists of the employee’s name (eg klara.kiehl@schoenherr.at), any communication on the account shall be considered private. Such communication may be opened and read by the employer only exceptionally, in order to protect the employer’s legitimate interests, in particular if it is obvious that the message is of a business nature. If the e-mail address does not include the employee’s name and relates to business, the employer may access it. If the e-mail is of a private nature, the employer may not access it.

Generally yes, given that i) the employee’s private life cannot be violated and ii) the employee should be notified beforehand about the technical means used for the surveillance.

Generally, yes. However, under data protection laws and regulations the affected members (i) should be informed before the search of the company related data is conducted and should consent to it, and (ii) limitations to data transfers abroad noted below under 5.2 should be observed. In addition, the requirement under (i) may be reduced if informing the member would in effect jeopardise the controller’s obligation as regards the detection/prosecution of offenders. Furthermore, the collected company related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access. Due to the loopholes in the data protection legislation and practice, and the tendency of the Data Protection Authority (“MKDPA”) to interpret the applicable rules restrictively, a careful balancing of the purpose of the internal investigation against the members’ right to privacy is warranted. However, when the company related data are searched, the purpose of the internal investigation generally seems to prevail over the members’ right to privacy.

Generally yes.
General conditions:
(a) the obligations in connection with the company related data are notified to the employee;
(b) consent is granted (eg at the conclusion of the employment agreement) by the employee in connection with the processing of the e-mail information.
The processing of e-mail data without the employee’s consent is to be assessed in each individual case.

Generally, yes. However, under data protection laws and regulations the definition of personal data is quite broad and includes any data based on which the identity of a person is determined or could be determined directly or indirectly (ie could also potentially include the business e-mail address itself if the identity of a person could be determined based on it). Thus, if e-mail itself would be considered personal data, and if any personal data would be reviewed by conducting the search of corporate related data, the following should be complied with: (i) the affected members should be informed before the search of their e-mails is conducted and should consent to it in writing; (ii) the intention to perform an internal investigation should in principle be notified to the Montenegrin Data Protection Authority (“MNDPA”); and (iii) the limitations to data transfers abroad noted under 5.2. For the requirement under (i), it depends whether the identity of the employee could be determined based on the e-mail address. In addition, if the affected members have previously been informed (eg through corporate documents) that the Company records and oversees their e-mails and taking into account the purpose of the internal investigation, the MNDPA might not sanction the processing of the company related data without the express consent of the affected member given for the purpose of internal investigation. However, as the MNDPA’s practice is very restrictive, we cannot rule out the possibility that the MNDPA will consider the written consent of an affected member necessary for the search of company related data. Moreover, the intention to perform an internal investigation should be notified to the MNDPA.

Yes, the company is permitted to proceed as outlined in Example Case I¹. Suspected criminal activity of members constitutes a justified reason to search e-mail accounts of potential suspects, as it potentially leads to enforcement of claims arising out of the company’s business. In such a case, obtaining consent from the affected member is not mandatory. The affected members should be provided with information that such a search may take place. Such information should be provided before the affected member starts using the e-mail account altogether. It may also result from the company’s internal bylaws. If it is not the case, the affected member should be provided with the applicable information before the search begins. All e-mails may be subjected to the search if use of the company e-mail address has been restricted to professional purposes only.

There is a risk under Romanian law that this may be seen as a criminal offence, if consent of the relevant employees is not obtained.
From a data protection perspective, this kind of monitoring must be approved by the senior management, should be performed for a limited period of time and should be performed only further to a balancing test of the legitimate interest and the proportionate processing of personal data. Although the legitimate interest in monitoring business e-mail accounts could be justified in the balancing test, it should be considered the particular conditions of the member and his activity and the obtaining of the employee’s consent should be sought (although the validity of such consent is). Further, internal company policies and employment documents should be checked to understand the obligations/commitments of privacy undertaken by the company towards its employees.

Generally, yes. However, under data protection laws and regulations the definition of personal data is quite broad and includes any data based on which the identity of a person is determined or could be determined directly or indirectly (ie could also potentially include the business e-mail address itself if based on the identity of a person could be determined based on it). Thus, if e-mail itself would be considered personal data, and if any personal data would be reviewed by conducting the search of corporate related data the following should be complied with (i) the affected members should be informed before the search of the company related data is conducted and should consent to it in writing; (ii) the intention to perform an internal investigation should in principle be notified to the Serbian Data Protection Authority (“SDPA”); (iii) notification on the created data records concerning the internal investigation would then need to be filed to the SDPA within 15 days as of the creation of such data records; and (iv) limitations to data transfer abroad noted under 5.2 below should be observed. In addition, the collected company related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access. The listed requirements are mandatory, ie the Company should observe them in order to fully comply with the applicable data protection laws and regulations.

Generally yes; however, a company must take into consideration the individual rights of an employee and further restrictions under employment law. As to the individual rights of an employee, the most important restriction is that private letters (ie also e-mails) cannot be monitored by an employer. As regards work e-mails, it is subject to discussion whether an employer is entitled to also monitor the content of these e-mails or to monitor only basic information on e-mail, such as the sender, receiver and subject. Each case should thus be assessed on an individual basis, taking into consideration its specific circumstances. Under Slovak employment law, an employer is entitled to check the e-mails of an employee in the work e-mail account only when it has a serious reason for monitoring related to the special nature of the employer’s business activities and must notify the employee in advance of such monitoring. Implementation of a comprehensive checking mechanism in this respect requires prior consultation with employee representatives.

Generally, no. Activities in Example Case I¹ (searching the employees’ e-mails for specific keywords and in particular the use of surveillance measures) may be seen as an (unlawful) review of the content of the employees’ e-mails, and, in turn, an (unlawful) interference with the right to privacy and the privacy of communication, safeguarded by the Constutition and the Criminal Code. According to case law, the said right extends to both work correspondence as well as private e-mails. Slovenian law does not clearly spell out the conditions for the lawful review of employees’ e-mails. According to (non-binding) guidelines of the Information Commissioner, the content of e-mails may only be lawfully retrieved:
(i) based on a court order;
(ii) in very rare, exceptional cases, where there is risk of immense damage being inflicted to the employer which cannot be prevented through any other (less-intrusive) measure, provided that the employee was acquainted in advance with the rare instances in which such actions may be taken by way of internal acts adopted by the employer;
(iii) in exceptional circumstances, based on an explicit voluntary consent (however, the voluntary nature of any consent given by employees to the employer is generally questioned by the data protection authority).

Q: Could a concrete suspicion against a member concerning serious company related offences qualify as (ii) and thus lead to the admissibility of the search of company related data without the prior written consent of this member?

A: Generally, no – the concrete suspicion alone would not suffice; there would also have to be a serious risk of damage and the employee would have to be acquainted with the possibility of the review taking place (cf. (ii)). According to the opinions and guidelines of the Information Commissioner (NB: case law here is non-existent / extremely scarce), the review of employees’ e-mails is (almost) entirely limited to instances where it is conducted based on a court order. The existence of (exceptional) circumstances and fulfilment of other conditions for the lawful review of the employees’ e-mails should be carefully examined on a case-by-case basis. The suspicion of criminal activity alone does not automatically justify the review of the employees’ e-mails – the employer is generally deemed to be able to protect its interests by notifying its suspicitions to competent authorities (who may adopt adequate measures – obtain a court order to examine e-mail correspondence). Accordingly, there is a risk that Example Case I¹ would constitute a breach of the constitutional right to privacy and privacy of communication.

Q: We understand that a suspicion of criminal activity alone does not justify the review of the employees’ company e-mails by the employer. The employer has rather to appeal to the authorities in order to review the employees’ mails with the involvement of the authorities. Could you please confirm/clarify our understanding? (Basically we would like to know, under what circumstances a company is permitted to review its company related data.) A: Correct – please also see above. The circumstances under which Example Case I¹ would be permitted (according to the guidelines) are extremely limited. The unlawful interference with the employees’ e-mails may even trigger the criminal liability of the employer. In addition to the above, various restrictions and requirements apply for the performance of video surveillance.

In line with the decisions given by the Supreme Courts of Turkey, an employer always has the right to inspect, with the aim as stated under Example Case I¹, an employee’s e-mails, electronic devices, mobile phones and computers directly given for the conduct of the related business. However, such documents, information and devices that do not relate to the business of the employer and only relate to the private life of the employee, cannot be searched by the employer (or by its auditor, etc) in any way, or else the employer could become liable for the violation of the “right of privacy” of the employee in the scope of Turkish Criminal Law, and the information obtained from such a search will be considered illegal evidence if used in a criminal proceeding.

No.

No.

No.

No.

No.

No.

No.

Yes, the probable cause (Ro. banuiala rezonabila) is defined as suspicion arising from the existence of certain facts and/or information that would convince an objective observer that an offence was committed or will be committed, and that no facts and/or information exists that would remove the criminal character of the fact.

No.

No.

No.

No.

No.

No.

No.

Yes. Felonies are intentionally committed criminal offence scarrying a potential prison sentence of three years or more. All other criminal offences are misdemeanours. Although there is no direct impact on our answer under 3.1, the balancing of interests also depends on the gravity of the potential criminal offence. Generally, the company’s interest in conducting an internal investigation will increase with the severity of the criminal offence.

Yes. Applicable criminal acts in the Republic of Srpska and the Federation of Bosnia and Herzegovina define a felony as an act which is set forth by the law as a criminal offence, which is unlawful and committed with a guilty mind. On the other hand, the Republic of Srpska Misdemeanours Act defines a misdemeanour as an unlawful activity that violates public order or regulation on economic and financial businesses determined by the law or other regulation. The Federation of Bosnia and Herzegovina Misdemeanours Act defines a misdemeanour as a violation of law, public order or other public values that are not protected by the Criminal Act or other act regulating criminal offences.

Yes. A Crime is an act dangerous to society (action or inaction), which has been committed intentionally and which has been declared punishable by law.
A misdemeanour formally contains the elements of a crime, but is not sanctioned, as it is not dangerous to society due to its insignificance.
Regardless of whether a suspected act may qualify as a crime or misdemeanour, the company would not be allowed to perform e-mail searches, unless permitted by the employee.

The difference between a felony and a misdemeanour is only of a formal nature. Misdemeanours are minor violations of social values and the penalties are less severe than for felonies. Misdemeanours are prescribed in a number of regulations, whereas felonies are exclusively prescribed by the Criminal Code. The balancing of interests also depends on the gravity of the potential criminal offence. Generally, the company’s interest in conducting an internal investigation will increase with the severity of the criminal offence.

Yes. Misdemeanours are (i) all negligently committed criminal offences or (ii) intentionally committed offences with a maximum potential prison sentence of five years. All other criminal offences are felonies. Generally, there is no impact on our answer to question 3.1 when balancing misdemeanours and felonies.

Yes. Felonies are intentionally committed criminal offences with a potential prison sentence of two years or higher. All other criminal offences are misdemeanours. It has no direct effect upon how e-mails might or might not be investigated; however, the more severe the offence, the higher the company’s interest in discovering the circumstances.

Yes. A felony is defined in the Criminal Act as an act which is set forth by the law as a criminal offence that is unlawful and whose characteristics are set forth in the Act. The Misdemeanour Act defines a misdemeanour as an unlawful act which is determined by law as a misdemeanour, whose characteristics are described by law, and which entails misdemeanour sanctions.

The Moldovan legislation distinguishes between crimes (Ro. infractiuni) and administrative offences (Ro. contraventii). Crimes are also classified into: (a) minor crimes (Ro. infractiuni usoare); (b) crimes of average gravity (Ro. infractiuni mai putin grave); (c) felonies (grave crimes) (Ro. infractiuni grave); (d) very grave crimes (Ro. infractiuni deosebit de grave); and (e) extremely grave crimes (Ro. infractiuni exceptional de grave).

The Criminal Act defines a felony as an act which is set forth by the law as a criminal offence, which is unlawful and committed with a guilty mind. The Misdemeanours Act defines a misdemeanour as an act violating public order as determined by law or by other regulation for which a sanction has been prescribed.

Yes. Felonies are intentionally committed criminal offences with a potential prison sentence of three years or higher. All other criminal offences are misdemeanours. There is no direct impact on our answer under 3.1.

The CCP in force does not distinguish between general categories of offences, such as “misdemeanour” and “felony”. The only areas where such a distinction is made, depending on the seriousness of the offence, and where there is a specific definition of felonies, are the laws on organised crime and the protection of witnesses.

Yes. The Criminal Act defines a felony as an act which is set forth by the law as a criminal offence, which is unlawful and committed with a guilty mind. The Misdemeanours Act defines a misdemeanour as an unlawful culpably committed act provided for as a misdemeanour by law or another act of a competent body.

Yes, a misdemeanour is a criminal offence committed through negligence or a criminal offence committed intentionally with a potential prison sentence of up to five years. All other criminal offences are felonies. There are no possible implications to our answer under 3.1.

Yes. Felonies are criminal offences set out in the Criminal Code, and may be sanctioned with imprisonment. Misdemeanours are violations of law, set out in statues other than the Criminal Code, which may only attract the imposition of fines or administrative measures (eg cessation of activity), but may not be sanctioned with imprisonment. Generally, there is no direct impact on the answer under 3.1.

Pursuant to Article 2 of the Turkish Misdemeanour Law, a misdemeanour means a civil wrong in which the related law foresees the application of an administrative fine or an administrative sanction to the detriment of the misdemeanant. Misdemeanours (like felonies) can be committed both intentionally and by negligence. Felonies, which have been regulated under the Turkish Criminal Law, have more serious sanctions when compared to misdemeanours, and both administrative sanctions and prison sentences can be applied in the event of a violation of law. Prison sentences applied to felonies can be as short as less than 30 days and can go up to a life sentence. The differentiation between a misdemeanour or a felony does not have a direct impact on our answer under 3.1. However, as explained under question 3.1 above, if an employer violates its privilege of searching the documents and devices of an employee and violates the relevant employee’s private life, the sanction that shall apply cannot be evaluated as a misdemeanour and the employer shall be liable for committing a felony.

Following from our answer under 3.1: Again, the admissibility of such a measure requires (i) a concrete suspicion regarding a breach of the employer’s legal sphere, and (ii) prevailing interests of the company (balancing of interests). Since private data is generally deemed “worthy of protection”, the level of the required justification for the company to access such data will be higher compared to company related data. However, if the risk that private data could be affected by the search is reduced to a minimum and the possible offence could severely impact the viability of the company, such measures could be admissible. In any case, this has to be assessed in each individual case. Again, it is advisable that the members give their prior written consent to the planned measure in each particular case.

Generally yes, if the requirements under point 3.1. are complied with. Due to its restrictive practice, the BDPA could take a stricter stance towards the appropriateness of searching members’ private data. Thus, the company should observe the requirements under point 3.1 in order to be in full compliance with the applicable data protection laws and regulations, given that it cannot rule out with certainty that personal data will be processed during the internal investigation.

As in Austria.

As under 3.1., the interest in maintaining an employee’s confidentiality on the one hand has to be balanced with the control and “access” interest of the company on the other. Since private data is generally deemed “worthy of protection”, the level of the required justification for the company to access such data will be higher compared to company related data. However, if the risk that private data could be affected by the search is reduced to a minimum and the possible offence could severely impact the viability of the company, such measures could be admissible. This always has to be assessed in each individual case. Again, it is advisable that the members give their prior written consent to the planned measure in each particular case or that internal investigation methods are prescribed by internal policies.

See our answer to question 3.1.

The employee’s private life cannot be violated; thus such e-mails cannot be subject to the investigation, ie cannot be read. However, there is no specific rule on how to proceed if private data is extracted.

This would not be so clear-cut, because opening private data without the consent of the owner of such communication is a criminal act in itself (unless there is a warrant in place to open such communication). The general limitations and prerequisites from our answer under 3.1 also apply here.

Generally yes.
The conditions indicated in 3.1 above are generally applicable.Also, the company’s vs. the employee’s interests are to be taken into consideration (ie there must be justification for the company to access the employee’s e-mails containing both company related data and private data).
The processing of the e-mail data without the employee’s consent is to be assessed in each individual case.

Generally yes, if requirements under point 3.1. are complied with. Due to its restrictive practice, the MNDPA could take a stricter stance as regards the appropriateness of searching the members’ private data. Thus, the Company should observe the requirements under point 3.1 in order to fully comply with the applicable data protection laws and regulations, given that it cannot exclude with certainty that personal data will be processed during the internal investigation.

The prerequisites as specified in point 3.1 apply accordingly. Additionally, the company shall safeguard that the private e-mails are excluded from the search.

In this particular case, the chances to breach the right to private life is higher, considering the possibility of the member to use the e-mail accounts for private purposes. Internal company policies and employment documents should be checked to understand the obligations/commitments of privacy undertaken by the company towards its employees. Also, the balancing test of the legitimate interest should provide for higher significance of the personal data existing in the e-mail accounts. Considering the risk of breaching the right to private life, the keywords used for the investigation should be chosen carefully so the search is reduced to the minimum possible. However, the member may claim the breach of its right to private life and prove that such a breach was more important than the result of the investigation. In order to diminish the possibility of such a claim, the consent of the relevant employees should be obtained prior to such monitoring (although the validity of such consent is questionable).

Generally yes, if requirements under point 3.1. are complied with. Due to its restrictive practice, the SDPA could take a stricter stance as regards the appropriateness of searching the members’ private data. Thus, the Company should observe the requirements under point 3.1 in order to fully comply with the applicable data protection laws and regulations, given that it cannot exclude with certainty that personal data will be processed during the internal investigation.

Please see our answer under 3.1 above. An employer is not entitled to access the private data of an employee.

Generally no. See answer under 3.1 above.

In the scope of a recent decision of the Constitutional Court dated 10 May 2016, the Court decided that it is possible to review the private data present in the work e-mails of employees, if the relevant employee has signed the internal regulations of the company, which are considered to be a part of employment agreements. Such application means that the relevant employee has been sufficiently informed of the general principles of the related business. Therefore, if such an internal investigation conducted by the employer has (i) a legitimate aim and if the review is (ii) proportional with the aim of the investigation, then the personal information reviewed in the corporate e-mails during an internal investigation is considered to be legal. Thus, if the presence of personal correspondence and personal data has been openly prohibited via the above-mentioned internal regulations of the company, such personal data obtained as a result of the internal investigation will not be considered a breach of the right of privacy.

The surveillance of private e-mails is generally prohibited. If clarifying the suspicion is deemed highly relevant for the viability of the company and the keywords actually focus on this concrete suspicion (and are thus not too “broad”), the company can be permitted to process such data. However, such an assessment highly depends on the actual circumstances of the case.

The general conditions outlined in our answer under point 3.4 apply here as well. In particular, the employees should be informed before the private data search is conducted and should consent to the search in writing, as the BDPA may interpret that the right to privacy of the affected member overrules the rights and interests of the company to investigate a potential crime by searching private data. In addition, to mitigate concerns under data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that e-mail addresses could also be considered personal data, the mere review of such e-mail addresses is an act of data processing and generally requires the prior notification and consent of the members / data subjects (as well as compliance with other requirements under point 3.1). To further mitigate the risk of accessing private data, the relevant employees should also be offered to disclose private e-mail domains to be excluded from the private data search.

As in Austria.

The surveillance of private e-mails is generally prohibited. If clarifying the suspicion is deemed highly relevant for the viability of the company and the keywords actually focus on this concrete suspicion (and are thus not too “broad”), the company can be permitted to process such data. However, such an assessment highly depends on the actual circumstances of the case.

As outlined above, the surveillance of private e-mails is generally prohibited.

The surveillance of e-mails related to private life is prohibited. However, there might be a case where the surveillance is deemed crucial for the company’s interests. If such evidence is used before the authorities, the authorities may exclude the evidence if they find that it has been illegitimately collected.

The general conditions outlined in our answer under 3.4 above apply here as well. The Company must obtain a warrant or consent of the member in order to access the private data of members. Furthermore, to mitigate concerns under data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that the e-mail address could also be considered personal data, the mere review of such an e-mail address is an act of data processing and requires prior notification and consent of the affected members / data subjects (as well as compliance with other requirements under point 3.1).

Processing of employee’s private data (personal data) without the employee’s consent is generally prohibited. (eg company’s legal obligation, company’s interests vs. employee’s fundamental interests, rights and liberties, etc).

The general conditions outlined under 3.4 above apply here as well. In particular, the employees should be informed before the private data search is conducted and should consent to the search in writing. Furthermore, to mitigate concerns under data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that an e-mail address could also be considered personal data, the mere review of such an e-mail address is an act of data processing and requires prior notification and consent of the members / data subjects (as well as compliance with other requirements under point 3.1). To further mitigate the risk of accessing private data, the relevant employees should also be offered to disclose private e-mail domains to be excluded from the private data search.

The private data may not be searched or processed under Polish Law. However, if private e-mails, private correspondence, etc also contain company related data, the searching and processing of such data may be permitted according to the prerequisites under point 3.1.

The surveillance of private e-mails is generally prohibited. In case the balancing test (based on a reasonable suspicion of illegal actions) is successful as to justify the legitimate interest, the company may proceed with the search based on specific and objective keywords that may avoid results leading to potential breaches of private life. Considering the possibility of the member to use the e-mail account for private correspondence, the opportunity of such a case should be decided on a case-by-case basis.

The general conditions outlined under 3.4 above apply here as well. In particular, the employees should be informed before the private data search is conducted and should consent to the search in writing. Furthermore, to mitigate concerns under data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that an e-mail address could also be considered personal data, the mere review of such an e-mail address is an act of data processing and requires prior notification and consent of the members / data subjects (as well as compliance with other requirements under point 3.1). To further mitigate the risk of accessing private data, the relevant employees should also be offered to disclose private e-mail domains to be excluded from the private data search.

Monitoring of private e-mails is in general prohibited. We believe that this also covers private data of members.

See answer under 3.1.

Please see our answer to question 3.4 above.

A company may request such a prior approval within the employment contract or case-related. However, the more severe the intrusion into the privacy of the member during an internal investigation is, the more uncertain it will be whether “general consent” within the employment contract can be regarded as consent for the particular measure in question. If highly personal data will be processed during an internal investigation, the member should explicitly approve such measures.

Due to the loopholes in data protection legislation and practice and the BDPA’s tendency to interpret the applicable rules restrictively, it is recommended that the members consent in writing to a specific internal investigation, ie internal investigation caused by a specific suspicion of criminal activity. Although the “general” consent (eg given in an employment contract or an internal act of the company for the purpose of any past or future internal investigation) is not prohibited by the applicable laws and regulations, there is a risk that the BDPA may interpret the purpose of the general consent given for the aim of any internal investigation as not being sufficiently specific.

As in Austria.

A company may request such a prior approval within the employment contract or case-related. However, the more severe the intrusion into the privacy of the member during an internal investigation, the more uncertain it will be whether a “general consent” within the employment contract can be regarded as consent for the particular measure in question. If highly personal data will be processed during an internal investigation, the member should explicitly approve such measures.

A company may request such a prior approval within the employment contract or case-related. However, the more severe the intrusion into the private sphere of the member during internal investigations, the more uncertain it will be whether “general consent” given in the employment contract will be regarded as consent for the particular measure in question. If truly personal data will be processed during an internal investigation, the member should explicitly approve such measures. Some personal data (eg information on family and financial situation) are completely excluded, ie the employer may not request / gain such information under any circumstances.

Upon prior notification of the employees (usually stipulated in the employment contract), a company may look into the employees’ e-mails at any time, but may not access ones related to the employees’ private life. If there is no such stipulation, the company may acquire the employees’ consent on a case-by-case basis. The employees’ privacy in any case cannot be violated.

Due to loopholes in the data protection legislation, it is recommended that the members consent to a specific internal investigation, although suspicion of criminal activity may be a reason to reduce this requirement. Although the “general” consent (given in an employment contract or an internal act of the company for the purpose of any past or future internal investigation), is not prohibited by the applicable laws and regulations, there is a risk that the MKDPA may interpret the purpose of the general consent given for the purpose of any internal investigation as not being sufficiently specific, and disallow search of private documents without the consent of the member.

Generally, consent granted by the employee upon employment (eg inserted as a clause in the employment agreement or as a separate document) with regard to the processing of the employee’s personal data (including e-mail content) is sufficient for the processing of the e-mail’s content during an internal investigation.
However, the sufficiency of such preliminary consent is to be assessed at any time as regards the Company’s vs. the employee’s interests.

Due to loopholes in the data protection legislation and practice as well as the tendency of the DPA to interpret the applicable rules restrictively, it is recommended that the members consent in writing to a specific internal investigation, ie internal investigation caused by a specific suspicion of criminal activity. Although the “general” consent (given in an employment contract or an internal act of the Company for the purpose of any past or future internal investigation) is not prohibited by the applicable laws and regulations, there is a risk that the MNDPA may interpret the purpose of the general consent given for the purpose of any internal investigation as not being sufficiently specific.

The company may do so. Such general consent would not extend to private data.

A company may request the prior consent of its members to perform this kind of search by way of the employment agreement. However, as mentioned above, the validity of such consent is questionable, as it can be argued that it was not freely given, considering the subordination and the authority of the company, and not specific enough. Even if such consent is given upon signing the employment agreement, considering the intrusive character of the investigation, specific consent should be obtained. Again there is a risk of invalidity of such consent for the same reasons.

Due to loopholes in the data protection legislation and practice as well as the tendency of the SDPA to interpret the applicable rules restrictively, it is recommended that the members consent in writing to a specific internal investigation, i.e. internal investigation caused by a specific suspicion of criminal activity. Although the “general” consent (given in an employment contract or an internal act of the Company for the purpose of any past or future internal investigation) is not prohibited by the applicable laws and regulations, there is a risk that the SDPA may interpret the purpose of the general consent given for the purpose of any internal investigation as not being sufficiently specific.

Yes; however, an employee must be informed of each case of monitoring separately, unless the monitoring will be carried out on a permanent basis, when it is recommended to adopt internal guidelines in this respect and to inform employees of these guidelines (please also see our answer under 3.1).

A company may request such a prior consent; however, the voluntary nature of any consent given by employees to the employer is generally questioned by the data protection authority. This applies particularly if the consent is obtained along with the employment contract. Accordingly, procurement of consent in a separate document is advised. In addition, the consent should be as specific as possible (eg should specify all contemplated activities).

Yes, please see our answer to question 3.4 above. The presence of such consent obtained via the internal regulations as part of employment agreements or obtained before an internal investigation is highly recommended in order to prevent any kind of breach of law (especially breaches of the right of privacy).

4Interviews

Generally no. The works council may attend the interview only if the employee consults the works council and demands to participate in the interview.

Generally no.

Generally no. However, if there is a collective bargaining agreement that provides for extended rights for information and consultation, it should be reviewed whether the subject matter of the interview would fall in the scope of such rights.

No.

Generally, no approval of employee representative bodies is required for the interview; for the sake of completeness, the collective bargaining agreement may establish information/consultation/approval requirements.
Upon request of the employee, the respective member(s) of the employee representative body may be present at the interview.

Generally no. However, a separate agreement with the work council may provide for such approval.

Generally no.

Generally no.

Generally no.

There is no such obligation resulting from the regulations binding in Poland. It might result from the company’s internal bylaws.

Generally, no. The internal regulations or collective bargaining agreement (if any) should be checked for specific rules. member(s) may also seek the assistance of the trade union representative in such an interview.

Generally no.

No.

Generally no. However, adoption of general acts of the employer, referring to the interview (eg outlining the purpose, procedure) may in some instances trigger the requirement to obtain a prior opinion of the trade unions.

Generally no. However, a board of directors resolution could be adopted just to be on the safe side and to prevent future objections.

The admissibility of an interview – specifically whether the interviewed person is obliged to answer the questions – again depends on the balancing of interests between the affected person and the company. On the one hand, the person has an interest in avoiding self-incrimination, which has to be regarded by the company as well. On the other hand the company wants to clarify the suspicion which can be crucial for the viability of the company. Therefore, the company may in fact be required to inform the interviewee about the interview and the suspicion in order to assess whether the interviewed person’s interests prevail over the interests of the company to conduct the interview. Such an information obligation could also arise out of the employer’s general duty of care.

Under the applicable data protection laws and regulations, a the member must be informed by the interviewer about: (i) the purpose of the interview; (ii) interviewer’s identity, body and/or third party which will have access to the data; (iii) the consequences in case the member refuses to consent to an interview; (iv) the legal basis or willingness to provide information and processing; (v) the situations in which the member has the right to refuse the interview; and (vi) whether the personal data collected during the interview can be accessed and corrected.

As in Austria. In addition, if the interview is recorded in any way, the interviewed member must be informed beforehand. Also, no discriminatory actions can be undertaken against the member.

No.

In principle there is no statutory obligation that the employer should provide specific information before commencing the interview under labour or criminal laws; however, we believe that from a moral and ethical standpoint it would be desirable to inform employees of the potential criminal law implications. Generally, the admissibility of an interview – specifically whether the interviewed person has to answer the inquiries – depends on the balancing of interests between the affected person and the company. On the one hand, the person is interested in avoiding self-incrimination (which has to be respected by the company); on the other hand, the company wants to clarify a suspicion which can be crucial for the viability of the company. Therefore, the company may also be required to inform the interviewed person about the subject matter of the interview and the suspicion in order to assess whether the interviewed person’s interests prevail over the interests of the company to conduct the interview.

Hungarian law in general respects the concepts of both presumption of innocence and the prohibition of self-incrimination. Therefore, the company acts properly if it respects the said concepts and also informs the interviewed person that their testimony might be used before the authorities. The authorities might exclude evidence if they find that the evidence has been illegitimately collected.

Unless the member is already aware of it, the company must provide the member with the following information prior to the interview: (i) the identity of the data controller; (ii) the purpose of processing; (iii) the recipients or categories of recipients of personal data; (iv) whether answering the questions is compulsory; (v) the possible consequences of not answering questions; and (vi) the right to access personal data and the right to correct it.

The Moldovan Labour Code is not specific in this respect, ie it does not provide for the Company’s (employer’s) obligation to provide to the employee any preliminary information. It is, however, indicated that the employee has to be granted the possibility to provide any proofs and justifications. In other words, we cannot exclude an interpretation, pursuant to which such employee’s right to provide any proofs and justifications is violated if no information was provided to him/her in connection with the internal investigation.

The member must be informed by the interviewer about: (i) the interviewer’s identity, or the name and address of the company, or the identity of the other person who is responsible for data processing in accordance with the law; (ii) the purpose and the legal grounds for collecting and further processing the data (eg if known at the time that it could be used in criminal proceedings against another person); (iii) the user of the data and the legal grounds for giving the data for use; (iv) whether giving the personal data is mandatory or voluntary and the possible consequences of refusal to give such data; (v) the right to access the data and the right to request amendment of inaccurate data.

There are no particular obligations in this respect resulting from the regulations binding in Poland.

Generally, no (if the investigation is not structured as a disciplinary investigation under labour law). The company must observe all rights of the member. In this respect, the company should inform him about the subject of the interview and the possible consequences of the investigation.

Under the applicable data protection laws and regulations, a member must be informed by the interviewer about: (i) his/her identity, or name and address or company, or the identity of the other person who is responsible for data processing in accordance with the law; (ii) the purpose of collecting and further processing the data; (iii) the use of the data; (iv) the identity of persons or categories of persons using the data; (v) the legal basis, or willingness to provide information and processing; (vi) the right to revoke consent to the processing, as well as the legal consequences thereof; (vii) the rights of the person in case of unauthorised processing; (viii) other circumstances the withholding of which from a data subject or third party would be contrary to conscientious treatment.

Generally no; however, it is advisable to inform the employee of the purpose of the interview as well as of his/her rights and the potential consequences.

An information obligation of the interviewee may arise from the employer’s general duty of care towards the employee (and, as a precaution, from the general prohibition of mobbing/harassment at the workplace). In particular, the employee should be made aware of the purpose of the interview and the possibility that the interview notes may be used in subsequent criminal proceedings.

The company does not have to provide the interviewed person with any specific information, if (as explained under point 3.4 above) the interviewed person has been informed, via internal regulations as a part of employment agreements, (i) about the general scope and (ii) the possibility of the interview notes being used in criminal proceedings. If such information has not been provided in internal regulations, it is advisable to inform and obtain the written consent of the interviewed person prior to the interview, in order to use such interview notes as criminal evidence.

Generally no.

Generally no.

Generally no.

Generally no.

Generally, no. It is recommended, however, that any discussions with the employee that may impact the employer be carried out in the presence of at least two of the employer’s representatives who will subsequently draw up and sign minutes of the meeting.

No.

Generally no.

Generally no (except those indicated in 4.1 above).

Generally no.

Only persons authorised by the company to process the member’s personal data should participate in the interview. There are no other particular obligations in this respect resulting from the regulations binding in Poland.

Generally, no.

Generally no.

Generally no.

Generally no.

Generally no.

5Sharing of information gathered by internal investigations within the company network

A company may generally share the information within its national network as long as there are no prevailing interests of the affected persons contradicting such a transfer and access by unauthorised persons to the data is prevented (ie leak of sensitive personal data of members to unauthorised persons).

A company may generally share the information within its national network as long as the concerned member is informed of the fact that the national network of the company will use the data. Furthermore, the collected company related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access.

As in Austria.

A company may generally share the information within its national network. However, personal data may be transferred to third persons only if necessary for the fulfilment of rights and obligations stemming from the employment relationship, while such a transfer must be envisaged by the internal employment regulation.

There is a strict limitation if the information relates directly to the employee. In such a case, the employer may only provide information relating to evaluation of the employee’s work, the employee’s qualification and abilities, and matters relating to work performance. Other information may be provided only with the employee’s consent.

Generally, a company is free to share the information within its national network, as long as there are no prevailing interests of the affected persons contradicting such sharing (eg violation of personality rights).

A company may generally share the information within its national network as long as the member concerned is informed of the fact that the national network of the company will use the data.

General conditions:
(i) consent is granted (eg upon the conclusion of the employment agreement) by the employee in connection with the processing of the e-mail information;
(ii) protection of the employee’s collected personal data is ensured.

A company may generally share the information within its national network as long as the member concerned is informed of the fact that the national network of the company will use the data (this notification must be made before giving the consent for processing).

It is possible that the company shares the information within its national network. The information should be shared based on the written agreement setting the scope of information transferred and the purpose of its processing. The recipient of the information shall observe technical and organisational requirements as specified in the applicable regulations.

The company may generally share the information gathered in an internal investigation within its national network (employees at the national level that need the information strictly for the purpose of such an investigation), with the rights of the members observed at all times during such transfer of data (the fundamental rights of the affected person, as well as the rights provided by the data protection authority).

A company may generally share the information within its national network as long as the member concerned is informed of the fact that the national network of the company will use the data. In addition, the collected company related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access.

A company must comply with data protection rules in this respect, mainly to obtain the prior consent of the data subject to such a transfer, should it not qualify as processing of personal data on the basis of protection or rights and obligations of the employer. Certain personal data (such as birth registration number) cannot be transferred at all.

Generally, a company may share the information within its national company network. Insofar as such information includes personal data, the company should either (i) fully anonymise all personal data or (ii) verify that an adequate legal basis for the transmission of such data under data protection laws is established (eg the transmission of personal data is necessary for the fulfilment of rights and obligations of employees).

A company may generally share information gathered by an internal investigation within its national company network; however, if the gathered information includes private data of employees, then such information relating to private life cannot be shared within the national company network, unless such sharing has been explicitly permitted by the relevant employee. Notwithstanding, personal data may be processed without obtaining the explicit consent of the data subject if: (i) it is expressly permitted by any law; (ii) it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent; (iii) it is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract; (iv) it is necessary for compliance with a legal obligation which the controller is subject to; (v) the relevant information is revealed to the public by the data subject himself/herself; (vi) it is necessary for the institution, usage or protection of a right; (vii) it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed. Furthermore, personal data not relating to the health and sexual life of the data subject may be processed without the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorised institutions and organisations.

See our answer to 5.1. In this case, the company should generally consider the local laws in order to assess the possible consequences of such a transfer.

The cross-border transfer of personal data is generally allowed only under certain conditions – Article 18 of the Bosnian personal data Protection Act provides that personal data may be transferred to a third country if such a country applies an adequate level of personal data protection.
BPDA has issued an opinion in which it states that countries that are parties to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of personal data have an adequate level of personal data protection. Thus, no approval is required from the BPDA for the cross-border transfer of personal data into countries that are parties to the Convention – otherwise, the BDPA’s approval would be required.

As in Austria.

See our Answer to 5.1.

See our answer to question 5.1.

Generally, the same applies as in the case of question no. 5.1.

Data may be transferred from Macedonia to an EU or EEA member State without any reporting obligations. Data may be transferred from Macedonia to a non-EU or EEA state if the level of data protection in that state is sufficient, and the MKDPA’s approval has been obtained.

General conditions:
(i) consent is granted (eg upon the conclusion of the employment agreement) by the employee in connection with the processing of the e-mail information;
(ii) protection of the employee’s collected personal data is ensured;
(iii) transborder transfer of personal data was authorised by the Personal Data Authority.

Data may be transferred from Montenegro abroad with the consent of the DPA, while data could be transferred to another country without the DPA’s approval only in exceptional cases prescribed by law.

Please see our answer to 5.1.

The information gathered in an investigation procedure may be, generally, shared with foreign entities within an international network, basically according to the same conditions as mentioned in point 5.1. above, only if such transfer of personal data is allowed under the law and is authorised by the data protection authority (if any), considering that the rights of affected persons are not breached further due to
such transfer.

Data may be transferred from the Republic of Serbia to a state signatory to the Council of Europe’s Convention on the Protection of Individuals with regard to Automatic Processing of personal data.
Data may be transferred from the Republic of Serbia to a state that is not a party to the Convention if a level of data protection in that state is in accordance with the Convention. The SDPA’s approval of the data transfer to a state that is not a party to the Convention is required.

See our answer to 5.1. In the case of cross-border transfer of personal data, the employer must comply with the rules for such transfers depending on country to which the data will be transferred.

See our answer to 5.1. In addition, should information gathered be transferred outside of the EU/EEA, additional requirements apply.

A company may generally share information gathered by an internal investigation within its national company network; however, if the gathered information includes private data of employees, within the meaning of Article 9 of the Law on the Protection of Personal Data, personal data shall not be transferred abroad without the explicit consent of the data subject. For exemptions of this regulation, please see point 5.1 above.

6Corporate criminal responsibility

Yes.

Yes.

No. Only natural persons can bear criminal liability. Companies can only bear administrative liability (ie sanction or remedy measures).

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

No, however; security measures, such as seizure of property and cancellation of operating permit, can be taken against legal entities.

Yes.

Yes.

Yes. Leniency can apply in competition or for certain crimes in criminal proceedings.

Yes.

Yes.*
*For the purpose of this questionnaire, we distinguish between the Leniency Programme of the Czech Competition Authority and other types of leniency programmes. For details, please refer to the answer to question 6.3 below.

In case of companies, no; in case of natural persons, yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Not for corporate criminal responsibility of legal entities. It may only serve as a tool to moderate sanctions to be imposed on a company (see 6.3 below).

Yes.

Yes, but mostly for competition-related disputes.

The Austrian leniency programme basically requires a voluntarily significant contribution to clarify the facts of a case by a perpetrator in due time. The application of the leniency programme further depends on the level of participation of the perpetrator with respect to the crime and in particular whether the offered information is new for the authorities. In any case the application highly depends on the circumstances of the individual case.

Under the applicable laws, the cooperation with public authorities is (i) a mitigating factor that a judge can take into account when determining the fine, and (ii) a condition for the relief from criminal liability. Thus, if (i) a managing or supervisory body of the company voluntarily reports a criminal act, the company’s punishment may be mitigated and (ii) if the managing or supervisory body of the company decides to return the unlawful gain / remove the damage / provide a justified report on the liability of another legal entity, the company may be exonerated from punishment.

The Bulgarian leniency programme basically applies to competition cases and to a limited number of crimes. For competition cases, the company’s voluntary cooperation may give it an advantage. In criminal proceedings, however, since companies do not bear criminal liability, the company’s cooperation basically favours only its employees.
Regarding competition cases, the principle is that one company is given the opportunity to be granted immunity from sanction for its participation in a secret cartel and this is the first undertaking which confesses to the competition authority involvement in a secret cartel and provides the required information and evidence. So far no company in Bulgaria has applied for leniency for participation in a cartel. Leniency is also provided in the Criminal Code, where for some crimes full release of liability is provided. For instance, a person who has bribed another person/company will be released from liability if the briber has immediately and at their own initiative informed the authorities about the bribe. Also, a person involved in an organised criminal group who voluntarily gives himself up and discloses everything he knows about the group before a crime is committed by this person or group is released from liability.
In other criminal proceedings, cooperation with the authority would be considered a mitigating factor.

According to Croatian law, a company that notifies the authorities about the criminal activity of its member before its revelation or before the company knew that the authorities have uncovered the criminal activity may be exempted from punishment. Ultimately whether such a company is exempted or more lenient punishment (than prescribed by the law) is applied depends on the circumstances of the individual case.

Generally, the leniency programme of the Czech Competition Authority requires a voluntary significant contribution by the breaching company to the clarification of the facts of the case. Depending on the extent and timing of the information provided, the leniency programme allows the Czech Competition Authority to grant the voluntarily cooperating company either (i) full immunity from the imposition of an administrative fine, or (ii) the possibility to reduce the administrative fine. Based on a successful leniency programme application, Czech Act No. 40/2009 Coll., Criminal Code, allows for exculpation from a criminal offence consisting in the conclusion of a prohibited price-fixing agreement, division of a market or another agreement distorting competition. Such exculpation is, however, only available to natural persons.
The Criminal Code and Act No.141/1961 Coll., Code of Criminal Procedure, both recognise the concept of a cooperating accused person (in Czech: spolupracující obviněný). Generally, in criminal proceedings the public prosecutor may designate the accused person as a cooperating person if the accused person contributes significantly to clarifying the facts of the case, confesses to having committed a crime and agrees to be designated as a cooperating accused person. Such cooperation may be deemed an extenuating cause and result in lower penalties being imposed. In each case, this concept applies only to the investigation of crimes committed by members of an organised group, in conjunction with an organised group or in favour of an organised criminal group.* The public prosecutor may only designate natural persons as cooperating persons.
In addition, Act No. 418/2011 Coll., on Criminal Liability of Legal Entities, recognises the concept of “effective regret” (in Czech: účinná lítost). This means that the criminal liability of a legal entity ceases to exist if the legal entity voluntarily refrains from further infringement, and (i) eliminates the danger, prevents the harmful effects of the offence or remedies the harmful consequences of the offence; or (ii) notified the prosecutor or police authority about the offence at a time when the danger could have been eliminated or the harmful consequences of the offence could have been prevented.
Finally, the Act on Criminal Liability of Legal Entities provides for the possibility of a legal entity to exculpate itself from criminal liability if it proves that it has made every effort that may be reasonably expected to prevent the commission of a criminal offence by a person associated with the legal entity. It is not yet clear what “every effort that may be reasonably expected” means. Currently, it is fair to conclude that the legal entity must implement a compliance programme and actively ensure that its employees and management adhere to it.
*An organised criminal group means an association of no less than three criminally liable persons with an internal organisation structure comprising division of functions and tasks focused on systematic intentional criminal activity.

Leniency may only apply to natural persons in certain circumstances. It basically requires a voluntarily significant contribution to clarify the facts of a case in due time (most probably right before it has been committed) and requires that the perpetrator applying for leniency takes every possible step to avoid or at least minimise the damage.

Under the Criminal Liability Act, cooperation with public authorities is a mitigating factor that a judge can take into account when determining the fine. Thus, a legal entity can be acquitted from a fine if:
(i) a responsible person within the legal entity, the governing, managing or supervising body, voluntarily reports the offender after the crime has been committed; or
(ii) if the legal entity returns the benefit or removes the harmful consequences of the crime, or compensates the harmful consequences of the crime in any other manner. If these conditions are fulfilled, but the court does not consider that the legal entity should be acquitted from a fine, the court can instead reduce the fine on the legal entity.

The application of leniency depends on the specific circumstances of the case.
Generally, the cooperation of the perpetrator with the investigating authorities is to be regarded as a mitigating circumstance (ie may lead to a lesser sentence).
Under certain conditions (eg self-incrimination (Ro. autodenunt), first time offence, active cooperation, offence qualified as minor crime or as a crime of average gravity, repaired damage), such cooperation may incur exemption of liability.

Under the Corporate Criminal Liability Act, cooperation with public authorities is (i) a mitigating factor that a judge can take into account when determining the fine, and (ii) a condition for the relief from criminal liability. The applicable regulations on criminal proceedings and criminal liability of legal entities regulate the conditions for decreasing the monetary penalty. Namely, the amount of the monetary penalty to be imposed in criminal proceedings depends, among other things, on: (i) whether the entity reported the criminal offence before being aware that criminal proceedings were initiated; (ii) whether it cooperated with the competent authorities (for discovering and processing the criminal offence/offenders) or disrupted the proceedings; (iii) attitude towards the offence, including whether it confessed. Furthermore, the entity could be exempted from punishment if: (i) it discovers and reports the offence before it was aware that criminal proceedings were initiated; (ii) if it had taken all the necessary measures to prevent and discover the commission of an offence; (iii) if it returned the material gain acquired by committing the crime, and provided data necessary for the liability of another entity/person. Also, if preconditions are fulfilled, the entity could be relieved from criminal liability if it agrees to act as a cooperating witness in criminal proceedings.

The leniency functions within the “crown witness” scheme and applies to individuals only. If it was to have an extenuating effect it would need to be pursued by perpetrators. There are two crown witness schemes: the “little” one and the “regular” one.
In general, in the framework of the “little” crown witness scheme the court is obliged to apply an extraordinary mitigation of the penalty, or may even grant a suspended sentence, with respect to an offender who acted in concert with others in committing an offence, then reveals information to the prosecutors about other offenders involved in committing the offence, or the essential circumstances thereof.
Perpetrators of criminal or fiscal offences committed in the framework of an organised crime group or selected other crimes (eg corruption) may be granted by the court, based on a motion filed by the prosecutor, the status of “regular” crown witness. In the framework thereof the crown witness is obliged to testify in exchange for discharge of punishment. The decision to grant the status of crown witness is at the discretion of the court and is not obligatory.

In a series of special laws (eg organised crime, corruption crimes, etc), the perpetrator is either completely exempted from criminal liability (eg giving bribes, peddling in influence, establishment of an organised crime group), if he reports the commission of the offence before its discovery by the investigation authorities, or he benefits from a decrease by half of the limits of the applied penalty (eg corruption and assimilated offences), if he reports the offence during the criminal investigation and facilitates prosecution of the person(s) involved in its commission.

Under the Corporate Criminal Liability Act, cooperation with public authorities is (i) a mitigating factor that a judge can take into account when determining the fine, and (ii) a condition for the relief from criminal liability. The Act provides that the court may exonerate a legal entity from punishment if it (i) detects and reports a criminal act to the authorities before it has learned about the instigation of criminal proceedings; (ii) voluntarily and without delay eliminates the detrimental consequences and returns unlawfully gained proceeds.
In addition, detecting and reporting a criminal offence and measures taken against the responsible person in the legal entity would be perceived by the court as mitigating factors when calculating the fine.

When determining a sentence, the court shall also take into account the actions of the legal person after committing the criminal offence, in particular its efforts to eliminate the harmful consequences of the criminal offence or to voluntarily compensate the damage caused.
In the case of a natural person as an offender, the authorities may within their discretion decide to apply leniency to the cooperating offender in the form of conditional stay of criminal proceedings (with a probationary period of up to 10 years), in the form of an agreement on settlement with the victim of the crime or in the form of an agreement on sentence made between the offender and the prosecutor. In addition, certain acts of an offender (such as acceptance of guilt and providing evidence to the authorities) can moderate sanctions for a natural person.

The Slovenian leniency programme basically requires the reporting of the identity of the suspected offender to the authorities. Depending on the circumstances of the case, cooperation with the authorities or removal of harmful consequences of the criminal offence may result in a reduction, or cancellation, of the sanction.

Under Turkish Criminal Law, pursuant to the concept of “effective remorse”, real person perpetrators who inform the authorities of a crime at a defined period (defined separately for certain types of crime) and under certain conditions can benefit from leniency. Leniency is also applied in competition-related disputes within the scope of the Law on Protection of Competition. In any case the application highly depends on the circumstances of the individual case.

7Others

Generally no. However, the information leading to an internal investigation itself (ie reliable testimony of a member) could already qualify as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”), which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no.

As in Austria.

Generally no. However, the information leading to an internal investigation itself (ie reliable testimony of a member) could already qualify as insider information, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the law.

Generally, no.
However, the information leading to and/or arising from an internal investigation itself could qualify as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”), which could lead to disclosure obligations (unless postponement of disclosure is permitted in accordance with the market abuse regulation).

Generally no.

Generally no. This issue has not yet been regulated in Macedonia.

Generally no. However, reporting obligations may arise, eg as result of external audits or in case of capital market abuse (in accordance with the capital market legislation).

Generally no, although this might depend on the outcome of the investigation. This issue has not yet been regulated in Montenegro, while EU Regulation No. 596/2014 has not yet been implemented in Montenegro.

No. The internal investigation as such does not constitute ad hoc, periodical or insider information as specified in Art. Regulation (EU) No. 596/2014.

No, unless the internal investigation concerns, in the opinion of the company subject to the internal investigation, insider information Regulation (EU) No 596/2014 (“market abuse regulation”) or other price sensitive information which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no, although this might depend on the outcome of the investigation. This issue has not yet been regulated in Serbia, while EU Regulation No 596/2014 has not yet been implemented in Serbia.

Generally no, unless internal investigations lead to a potential breach of the market abuse regulation, which could trigger disclosure obligations.

Generally no. However, the information leading to an internal investigation itself (ie a reliable testimony of a member) could already qualify as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”), which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no.

Generally no. However, information gathered by an internal investigation could qualify as insider information within the meaning of the market abuse regulation, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no. However, information gathered by an internal investigation may qualify as insider information within the meaning of the Securities Act of the Republic of Srpska or Capital Markets Act of the Federation of Bosnia and Herzegovina, which could lead to disclosure obligations.

As in Austria.

Generally no. However, information gathered by an internal investigation could qualify as insider information, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the law.

Generally, no.
However, the information leading to and/or arising from an internal investigation could qualify as insider information within the meaning of the market abuse regulation which could lead to disclosure obligations (unless postponement of disclosure is permitted in accordance with the market abuse regulation). Furthermore, the information on the internal investigation and/or its (potential) implications may need to be reflected – to a certain extent – in the regular reports executed by an investment instrument issuer domiciled in the Czech Republic or opting for the Czech Republic as its reference country.

Generally no.

Generally no.

Generally no.

Generally no. However, information gathered by an internal investigation could qualify as insider information within the meaning of the Capital Markets Act, which could lead to disclosure obligations.

No. Performance of the internal investigation does not qualify as information to be reported in an ad hoc report.

No, unless the internal investigation concerns, in the opinion of the company subject to the internal investigation, insider information Regulation (EU) No 596/2014 (“market abuse regulation”) or other price sensitive information which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no. However, information gathered by an internal investigation may qualify as insider information within the meaning of the Capital Markets Act, which could lead to disclosure obligations.

Generally no, unless internal investigations lead to a potential breach of the market abuse regulation, which could trigger disclosure obligations.

Generally no. However, information gathered by an internal investigation could qualify as insider information within the meaning of the market abuse regulation, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no.

Such a reporting obligation of the subsidiary towards its parent company could arise out of the general fiduciary duty according to company law.

This issue is not explicitly regulated, although the obligation could exist under the rule of the duties of a director under the applicable Companies Acts.

Generally no, unless an internal document signed between the parent company and the subsidiary so provides.

Depends on internal policies. Otherwise, the shareholder shall be notified about the subsidiary’s business at the general assembly.

Generally, no.
Such a reporting obligation of the subsidiary towards its parent company may be established under general corporate rules and principles (generally limitations apply; further limitations may apply for a joint stock company).

Generally no; however, such a duty usually stems from the company’s instrument of constitution.

Generally no. This issue is not explicitly regulated in Macedonia, although the obligation could exist under the rule of the duties of a director under the Companies Act.

No direct legal obligation.
However, such an obligation may arise from the general obligation of the company’s corporate bodies to present reports with regard to the activity of the company. In addition, the statutes of the company and/or its internal documents (regulations) may provide for such an obligation to report about the internal investigation to its parent company.

This issue is not explicitly regulated, although the obligation could exist under the rule of the duties of a director under the Companies Act.

There are no particular obligations in that respect resulting from the regulations binding in Poland.

There is no legal requirement for the management of the subsidiary to report about the internal investigation to its parent company.

This issue is not explicitly regulated, although the obligation could exist under the rule of the duties of a director under the Companies Act.

Generally no.

Such reporting obligations could arise from the general fiduciary duties of the management towards the shareholders. The specifics depend on the corporate form: generally speaking, the limited shareholders in a liability company (d.o.o.) have relatively broad information rights, while the information rights of stock company (d.d.) shareholders are, by comparison, rather limited.

Such a reporting obligation of the subsidiary towards its parent company could arise out of the “group company” obligations according to Turkish Commercial Code.

8Employment law measures

If the suspicion is reasonable (and due to a possible subsequent legal dispute also provable), generally yes. Immediate termination without notice always presupposes that the employer cannot objectively be expected to continue the employment, even for the period of notice. The most important reasons for immediate termination without notice of white collar employees include:
– if the employee is disloyal to the employer or is unable to perform the promised or appropriate (reasonable) service;
– any breach of the prohibition on competition;
– if the employee disobeys orders or attempts to induce others to
disobey.

No. Under the Labour Act of the Republic of Srpska, an employer can terminate an employment agreement only if the employee is convicted of a work-related criminal offence. On the other hand, labour legislation in the Federation of Bosnia and Herzegovina is silent with respect to this issue and we can thus generally conclude that the suspicion of a criminal activity does not represent lawful grounds for termination of the employment agreement.

No, the suspicion of criminal activity alone is not a ground for termination.
However, if the suspicion is reasonable, the company can find other legal reasons to dismiss the employee without notice due to their objective inability to perform their duties. Among the reasons for immediate termination without notice are “abuse of the employer’s confidence” (grounds for disciplinary dismissal) or “systematic breaches of work discipline” (grounds for disciplinary dismissal).
In any case, the dismissal has to be carefully considered and made depending on the particular case.

Yes, provided there is a reasonable suspicion.

Yes, under certain circumstances. The termination of employment without notice is an exceptional measure and may be (without a final decision of the court in criminal proceedings finding the employee guilty) executed only if the employee breached the duties relating to the performed work in an especially gross manner. The employer must be able to prove such a breach and its gravity. The gravity of a breach is considered with respect to several criteria as set by the case law (among others, the personality of the employee, the employee’s position, the time and situation, intention, etc). Generally, immediate termination is justified if the breach reaches such intensity that the employer cannot objectively be expected to continue the employment. Such a situation usually occurs in case of the employee’s intentional interference with the employer’s property (eg theft). Even if the statutory conditions for immediate termination are met, in some cases the employer may not serve the immediate termination (eg pregnant employee).

If “without notice” in this regard refers to the concept of “with immediate effect”, then generally yes. The grounds for termination stem from two cases: the employee a) wilfully or by gross negligence commits a grave violation of any substantive obligations arising from the employment relationship; or b) otherwise engages in conduct that would render the employment relationship impossible. If there are reasonable grounds to believe that an employee has committed a crime that also qualifies either of the reasons listed under a) or b), then the employee’s employment can be terminated with immediate effect.

No. Under the Labour Act, an employer can terminate an employement agreement only if the employee is convicted of a criminal offence.

No, the mere suspicion of criminal activity is not enough to terminate the employment agreement with the employee.

No. In case of suspicion, an employer cannot terminate the employment agreement with or without notice, but can only suspend an employee from work, provided that the criminal procedure for the work-related criminal offence was commenced against an employee.

No. An employement agreement may be terminated by the employer without notice in case an offence is committed that excludes further occupation of the particular post by the relevant employee. However, the employer’s reasonable suspicion that the employee committed the offence is not sufficient. The fact of committing an offence must be unmistakable or result from a valid court judgment.

No, the employer does not have the right to immediately terminate the individual employment agreement in such a case. Nevertheless, a disciplinary investigation procedure should be performed by the employer, prior to issuing the dismissal decision. However, in case of disciplinary dismissal of the employee, the employee is not entitled to any notice period. Under Romanian labour law, no disciplinary sanction (except written warning) may be applied prior to conducting a disciplinary investigation procedure. In the absence of such a prior disciplinary procedure, the employer could face the risk of annulment of the dismissal decision in court.

No. Under the Labour Act, an employer can terminate an employment agreement only if the employee is convicted of a work-related criminal offence. Termination of the agreement under the suspicion of criminal activity was removed from the Labour Act after the Consistutional Court declared the provision unconstitutional.

Generally no. Immediate termination without notice is possible only if an employee (i) has been lawfully convicted of an intentional crime, or (ii) has seriously violated work discipline. With respect to the latter, Slovak law is restrictive on this issue and the mere suspicion of criminal activity would generally not qualify as a serious violation of work discipline.

If the suspicion is reasonable (and provable in a potential court dispute), generally yes: a violation that (i) has all the elements of a criminal act and which (ii) renders further cooperation with the respective employee immediately impossible (ie even within the applicable termination period) constitutes a reason for an extraordinary termination of employment (ie termination without a notice period).

Within the meaning of Article 15 of the Labour Law, the employer may terminate an employment contract, executed for a definite or indefinite period, before its expiry and without having to comply with the prescribed notice periods under the law, if the employee commits a dishonest act against the employer, such as a breach of trust, theft or disclosure of the employer’s trade secrets. In order to make such a termination, the presence of “suspicion of criminal activity” alone is generally not adequate to terminate an employment agreement and the employee may file a reemployment lawsuit against the employer. However in the scope of the leading cases of the Turkish Supreme Courts, the employer may terminate the agreement stating that its “suspicion of criminal activity” broke the trust relationship between the employee and the employer that is required for the continuity of the agreement, and therefore the employment agreement had to be terminated.

The termination can be made in written form or orally, but must be delivered to the employee. The termination must be declared without undue delay after the employer became aware of the reason for the termination. The employer is not obliged to disclose the reason for immediate termination in the termination
letter.

In the Republic of Srpska, the employer can terminate an employment agreement without notice in the following cases: (i) if the employee is convicted of a work-related criminal offence; (ii) if the employee fails to return to work within five days of the day of expiry of his/her approved leave from work; (iii) intentional violation of work-related duties; and (iv) violation of work discipline. In the Federation of Bosnia and Herzegovina, the employer can terminate an employment agreement without notice in case of a grave transgression and grave violation of work duties when it cannot be reasonably expected that the employment relationship will be continued.

The employer has to send a written order for termination to the employee. The order must contain the grounds for termination without notice. The employment relationship is considered terminated as of the moment of receipt of the order by the employee. If the employee refuses to accept the order, the company may confirm the delivery by inviting two witnesses.
In case of disciplinary dismissal (see 8.1 above), the written explanations of the respective employee have to be collected beforehand. Also, the dismissal itself has to be done with a motivated order delivered to the employee. If the employee refuses to accept the order, the company may ship it via post with return receipt. The order is considered delivered as of the date of receipt of the letter.

An employee must be allowed to present his/her defence, unless there are circumstances due to which it is not reasonable to expect such conduct from an employer. The termination must be drawn up and delivered to the employee in written form.

The immediate termination has to be executed in writing and must contain a clearly (factually) defined reason. Proof of delivery to the employee must be procured (ie personal delivery is recommendable).

The termination has to be in writing and has to include the reasons for the termination. In addition, this may be exercised within a period of 15 days of gaining knowledge of the grounds, but in any case, within not more than one year of the occurrence of such grounds.

An employer must give the employee a written decision of the termination of the employment agreement, with the explanation of the basis and the reason for the termination. Termination without notice is possible in very limited cases, such as if the employee violates work order or discipline, or if the employee fails to meet his or her employment obligations under the Labour Act, employment agreement, etc.

In any case, the termination of an employment agreement is performed on the basis of the employer’s disposition (decision, order), which is to be notified (under signature) to the employee. Certain other documents may need to be prepared (eg conclusions (report) on the internal investigation, protocols, acts, etc) depending on the reasons for the termination.
Certain termination reasons require a specific termination procedure (eg staff redundancy).

The standard procedure implies that the employer is obliged to first provide a written warning to the employee with 5 business days to respond. Once the employee responds to the warning, or if the deadline for a response expires, the employer shall render the decision on termination of employment. In order to determine the employee’s liability, a discipline procedure should be conducted prior to issuing a written warning.

In the situation specified under point 8.1 hereof the employer shall make decisions with respect to termination of the employment agreement following consultation with the company’s trade union organisation representing the affected employee, which shall be informed of any reasons substantiating termination of the agreement. If the company’s trade union organisation has objections as to the grounds of the termination it shall state that immediately, but not later than within three days. The termination notice shall be given in writing, although an oral statement of the employee’s immediate superior shall also be effective. At the same time, the employee shall be informed of the 21-day term for filing objections with the court.

Keeping in mind the above answer, we will only refer to the situation of disciplinary dismissal.
For performing the disciplinary dismissal of the employee, the following main procedural steps must be followed, subject to observance of the disciplinary procedure settled by the Internal Regulation of each employer: (i) setting up of a disciplinary committee; (ii) summoning of the employee; (iii) disciplinary investigation meeting; (iv) issuing the minutes of the disciplinary investigation meeting; (v) issuing the disciplinary dismissal; (vi) communication of the dismissal decision to the employee, meaning that the individual employment agreement is terminated.

The employer can terminate an employment agreement without notice in three cases: (i) if the employee is convicted of a work-related criminal offence (employment contract terminates ex lege in this case); (ii) if the employee refuses to conclude the annex to the employment agreement, and (iii) in case of organisational restructuring or decrease in workload. In all other situations, the employer must issue notice of termination to the employee.

Immediate termination must be done in writing and must be delivered to the employee. It must mainly provide clear determination of the reason for immediate termination.

The termination must be made in writing and provide a detailed explanation of the reasons for the termination. Before the termination is effected, the employee must be notified in writing of the alleged violation(s) and must be afforded a hearing within not earlier than 3 days following the notice.

Such termination can be made orally or in written form, but is recommended to be made in written form for evidential purposes, and the termination must be notified to the relevant employee. Moreover, the right to break the employment agreement for the immoral, dishonourable or malicious behaviour of the other party may not be exercised after 6 business days as of learning the facts, and in any event after one year following the commission of the act has elapsed. The one-year statutory limitation shall not be applicable, however, if the employee has extracted material gains from the act concerned.

The termination has to be declared immediately after the company learnt about the suspicion of criminal activity or after this suspicion becomes “reasonable”. Otherwise, postponing the termination could be regarded as a waiver of the company’s right to terminate the employment agreement due to this reason.

In the Republic of Srpska, an employment agreement can be terminated if a sentence for the work-related criminal offence became final and binding, and at the latest within 30 days from the delivery of the final and binding decision of the court. The laws of the Federation of Bosnia and Herzegovina provide that the employment agreement can be terminated within 60 days from learning about the grounds for termination or at the latest within one year from the date when the violation was committed.

Generally no, as long as the grounds for termination are still valid at the moment of termination. In case of disciplinary dismissal (see 8.1 above), the employee has to be dismissed not later than two months as of the day when the company learned about the breach serving as grounds for dismissal, but not later than one year as of the breach.

Termination must be made within 15 days of learning about the facts on which the termination is based.

Yes. The immediate termination must be served within two months after the employer learned about the employee’s breach of duties; however, not later than within one year after the occurrence of the breach. Under certain circumstances (eg investigation of authorities) the two-month period may be prolonged (a one-year period cannot be prolonged).

Please see our answer to question no. 8.2.

An employment agreement can be terminated if the sentence for the work-related criminal offence became final and binding. In this case, an employer can terminate the agreement until the statute of limitations for that criminal act expires.

Under the Moldovan Labour Code, certain termination reasons are regarded as disciplinary sanctions, which are to be applied within 6 months (2 years in respect of certain circumstances).

The discipline procedure can be initiated within three months of learning of the breach of work duty / work discipline and the offender. If the breach contains elements of a criminal offence, the procedure can be initiated within six months of learning of the criminal offence and the offender, ie within the statute of limitations period for the particular criminal offence. The discipline procedure must be terminated within three months or it will be time barred. Unless the discipline procedure is initiated within three months of the breach coming to light and closed within three months of its initiation, the employee could not be terminated as a consequence of the discipline procedure (otherwise the court would annul the termination).

An employment agreement cannot be terminated without notice due to the reason specified under point 8.1 hereof later than one month after the employer learnt about the circumstance justifying termination of the agreement.

Only from the perspective of applying a disciplinary sanction. Namely, the employer may issue the decision for disciplinary sanctioning of the employee within 30 calendar days as of the date of acknowledgement of the disciplinary misconduct (ie the minutes of the disciplinary investigation meeting) and not later than 6 months from the commission of the deed by the employee.

An employment agreement can be terminated if the sentence for the work-related criminal offence became final and binding. Regarding the termination of the agreement explained in our answer under 8.1, the employer can terminate the agreement until the statute of limitations for that criminal act expires. Otherwise, the termination would be considered time barred.

Yes. The immediate termination generally must be served within 2 months after the employer has learned about the employee’s breach of duties, but not later than within one year after the occurrence of the breach.

The employment may be terminated within (the earlier of): 6 months of the occurrence of the violation / criminal activity and 30 days upon the employer having gained knowledge of the qualified violation.

Please see our answer to question 8.2 above.

Christoph Haid

Christoph Haid

Austria

c.haid@schoenherr.eu

Klara Kiehl

Klara Kiehl

Austria

k.kiehl@schoenherr.eu