Internal Investigations

Internal investigations in companies have become an important aspect of companies’ and corporations’ compliance frameworks, be it in response to an internal or external tip-off, or as part of regulatory scrutiny.

To meet clients’ needs, and to assist clients in compliance-related crises, Schoenherr has established a dedicated unit of specialists from different practice areas across our international offices.

Internal investigations, which inter alia include interviewing employees or collecting and processing data, require answers to various criminal, employment, corporate and data protection law questions.

Presenting a general overview of the key legal issues of internal investigations in Central and Eastern Europe, this primer provides answers to the most urgent questions per jurisdiction covered by Schoenherr.

This guide has been prepared for information purposes only and does not purport to constitute (nor may it be interpreted as substituting) legal advice or to be exhaustive in any respect. It is based on the relevant laws and regulations as of 1 September 2017 and may therefore not present an accurate picture of the legal situation in future. The authors of this guide, Schoenherr and any of its officers, directors or employees, advisors or any other third party accept no liability, duty or responsibility with respect to the content of this guide or the conclusions drawn from its content.

General

Generally no.

Generally no.

Generally no. The obligation arises only when the company knows about the criminal activity of a member.

In principle yes, as everyone is obliged to report criminal activity brought to their attention and prosecuted ex officio. However, a sanction is prescribed only for failing to report more serious criminal activities (see 1.1. below).

Generally, no.
Exceptions may apply for some (grave) criminal activity where a notification duty to local criminal authorities applies.

Generally no.

Generally no.

Generally no.

Generally no. Nevertheless, such an obligation may arise from the obligations of the company’s authorised representatives.

Currently no. But according to the draft law on the liability of collective entities for acts prohibited under penalty (which is now pending negotiations in the Polish parliament) (“Draft Collective Liability Law”), companies will be obligated to flag any irregularities detected and have a special designated body supervising compliance with the rules and regulations governing the activities of the company.

Generally, no (see 1.1. below). Our advice excludes general reporting obligations for crimes against life.

Generally no.

Generally no, except for crimes of corruption and certain other grave crimes with a maximum penalty of at least 10 years’ imprisonment.

Generally no.

No.

Generally no.

Generally no.

Generally no. The obligation arises only when the company knows about the criminal activity of a member.

No.

Generally no.

Companies are not generally obliged to conduct an internal investigation if they suspect a member is or has been involved in criminal activity. Due to the increasing importance of compliance and the protection of their reputation, more and more companies are applying measures which aim at investigating such conduct (codes of conduct, internal policies, whistleblowing hotlines, compliance officers). Internal documents may prescribe the legal obligation to report certain suspicious activities and perform investigations.
It is a general principle in Hungary that whoever suspects that a crime has been committed has the right to turn to the authorities. Nevertheless, there are certain crimes where turning to the authorities is mandatory (e.g. money laundering) and where failure to do so is itself a crime.

Stricter rules generally apply to companies bearing increased risk in their activities or active in regulated sectors, including, e.g. financial institutions.

Generally no.

Generally no.
However, if such criminal activity involves damage caused to the company, the latter will be able to request the coverage of the damages caused only if an internal investigation (Ro. ancheta de serviciu) was conducted.

Generally, no. However, pursuant to the applicable law the legal entity might be released from criminal liability if it conducts an internal investigation.

Currently no. But under the Draft Collective Liability Law the company (through its specially appointed authority/body) must investigate any irregularities reported by its employees.

Moreover, the Draft Collective Liability Law provides for the liability of the companies for crimes committed by its governing bodies (members), if the company may be accused of negligence in supervision and control over its members.

No.

Generally no.

Generally no.

Generally no.

No.

Generally yes. A company may generally perform interviews and/or surveillance measures considering certain requirements.

Companies are generally allowed to conduct internal investigations, although the applicable laws and regulations do not provide for the specifics. Surveillance measures and interviews are generally permitted, if certain conditions are fulfilled.

Generally yes. A company may generally conduct interviews and/or surveillance measures considering certain requirements.

Yes. A company may generally perform interviews and/or surveillance measures considering certain requirements (e.g. protection of employee’s dignity, data protection, internal policies).

Generally, yes.
A company may generally perform interviews and/or surveillance measures (subject to meeting certain requirements).

Yes. Interviews and surveillance measures might be applied as long as they do not interfere with the private life of the employee, especially if the rules of such investigation measures are set out in internal policies/documents.

Companies are generally permitted to conduct internal investigations. However, certain measures (such as surveillance measures) can only be performed if certain conditions are fulfilled.

Yes. Both interviews and surveillance measures may be used, subject to fulfilment by the company of certain legal requirements.

Companies are allowed to conduct internal investigations, although the applicable laws and regulations do not provide the specifics. Surveillance measures and interviews are generally permitted, if certain conditions are fulfilled.

Yes. A company may generally conduct interviews and/or carry out surveillance measures considering certain requirements. According to the Draft Collective Liability Law, there should be a special authority appointed within the company structure to perform the supervising activity.

Yes. A company may use both kinds of investigation instruments as well as disciplinary investigations instruments when observing certain legal requirements.

Companies are generally allowed to conduct internal investigations, although the applicable laws and regulations do not provide for the specifics. Surveillance measures and interviews are generally permitted, if certain conditions are fulfilled.

Generally yes. A company may conduct interviews and/or surveillance measures as tools of internal investigations. However, the company must comply with relevant requirements under respective legislation, such as employment law or privacy law.

Generally yes. A company may perform interviews considering certain requirements, which are even stricter in respect of surveillance measures (also see our answer under 3.1.).

Generally yes. Surveillance measures and/or interviews may be used during an internal investigation.

Generally no.

No.

Generally no, unless a crime has been found within the internal investigation. The reporting obligation rests with the managing bodies / the persons who conducted the internal investigation.

In principle yes, if they contain evidence and/or traces of the criminal activity (see 1.1. below).

Generally, no.
Exceptions may apply for some (grave) criminal activity where a notification duty to local criminal authorities applies.

Generally no, unless the results of an investigation substantiate the commission of a crime which must be reported to the authorities. Please see our answer to question 2.

No.

Generally no.

Generally no.

No.

Generally no.

No.

Generally no.

Generally no.

No.

Yes.

Yes.

Yes.

Yes.

Yes.*
*For details on the various types of leniency programmes, please refer to the answer to question 6.3.

Leniency measures are known in the Hungarian legislation, but cooperation with the authorities in itself is not enough. Usually, the damage should be avoided or at least minimised, if possible. Hungarian law also provides for the possibility to conclude a “settlement”, thereby avoiding prosecution. The terms thereof are negotiated on a case-by-case basis, but usually include (at least) a partial confession.

Yes.

Yes.

In principle, yes.

Yes.

Yes.

Yes.

Yes, to some extent and not necessarily dependent on cooperation, but rather on restoration of damage caused (see 6.3. for details).

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

1. Deciding on whether to conduct an internal investigation

Generally no. However, if a company considers it seriously possible that a member will commit certain crimes imminently or already started committing such crimes, this could lead to reporting obligations under certain conditions. Please also see our answer to question 7.2. concerning ad hoc obligations.

The reporting obligations are not limited to certain persons. Therefore, generally both the company and its managers need to comply with these obligations.

Noncompliance may result in imprisonment of up to two years or – for companies – fines of up to EUR 700,000.

Companies may have a reporting obligation in case of criminal offences subject to imprisonment of more than five years.

The “responsible person” within a company formally has the obligation to report criminal wrongdoing. Under Bosnian laws and practice, the responsible person may be a director / authorised representative of the company or any other person in charge of certain affairs within a company (e.g. a CFO) who knowingly omits to report a crime about which he/she learned in the performance of his/her obligations, if that crime is subject to punishment by imprisonment of five years or more.

A responsible person who fails to meet the reporting obligation is exposed to a monetary fine or up to three years of imprisonment in the Federation of Bosnia and Herzegovina and up to five years of imprisonment in Republika Srpska.

Bulgarian law sets out a general obligation for all citizens to report immediately (as a matter of duty to society) to the police or the prosecutor’s office, or other state authority, if they are aware of a committed crime. The reporting obligation rests with the person who has become aware of the crime.

In addition, the law provides that if the person that has become aware of the crime is a legal representative of a company or in any other way responsible for the management of company assets or property, he must take the necessary measures to collect and save the facts/information related to the crime so that they can be used in the further investigation procedures.

However, the reporting obligation is structured as a moral duty rather than as a strict legal obligation and the law does not provide for (i) particular sanctions or negative consequences for failure to comply with such obligations, or for (ii) any legal benefits for reporting to the authorities.

Yes; it is a felony (i) not to report that a felony – subject to imprisonment of at least five years – is being planned, or (ii) not to report that a felony – subject to imprisonment of at least 10 years – has occurred, or (iii) to conceal or harbour traces of a felony subject to imprisonment of at least five years.

The obligation to report a criminal activity lies with a “responsible person” within a company. Besides directors and authorised representatives, this term may potentially encompass any other person in charge of certain affairs within a company (e.g. CFO) who knowingly omits to report a criminal activity brought to his/her attention in the performance of his/her duties.

A company is only liable for the felony of a responsible person if it thereby violates its duty or realises or should realise monetary gain for itself or another. For the felonies indicated in the first paragraph of this point 1.1., the company may be fined up to HRK 10,000,000 (approx. EUR 1,350,000).

There is no publicly available court practice regarding non-reporting of (suspected) felonies by companies, and in general current court practice regarding non-reporting of felonies is limited to felonies relating to cases where a natural person helps conceal or harbour a criminal activity.

Generally, no.
Exceptions may apply for some (grave) criminal activity where a notification duty to local criminal authorities applies. A notification duty to local criminal authorities applies to companies and their managers as both corporations and natural persons may be criminally liable for the criminal offence of breach of notification obligation under the Czech Criminal Code and the Czech Act on Corporate Criminal Liability. In case of a breach of the notification obligation, natural persons may be punished by imprisonment of up to three years and corporations may be punished by penalty of liquidation, forfeiture of property, monetary penalty, prohibition of the activity or publication of the convicting judgment. Please also see our answer to question 7.2 concerning ad hoc obligations.

There are circumstances / criminal activities where failure to report suspicions of criminal activity to the local authorities is a crime in itself (e.g. money laundering or acts concerning corruption). In theory, only the person with a position (job title) with a reporting obligation may commit this and may generally be punished by up to two to three years of imprisonment. However, there is no general obligation to report unless internal documents (such as codes of conduct, internal policies) prescribe otherwise.

On a side note, companies may also be punished if the criminal activity was committed intentionally, and the crime pursued or actually led to an unlawful advantage for the respective company, or the crime was committed by using the respective company. Additionally, companies may only be punished if (i) the respective crime was committed by a manager within its capacity or if (ii) a manager’s due diligence could have prevented the crime or if (iii) the managers knew about the perpetration of the crime. It follows that the punishment of a company usually arises following the prosecution of a natural person (e.g. the manager).

Generally no.

However, the Criminal Code provides that the criminal liability of the legal entity is triggered if the management or supervisory bodies (i) did not prevent the criminal activity, (ii) attempted to hide the criminal activity, or (iii) did not report the criminal activity before the criminal procedure was initiated against the offender.
Depending on the circumstances, if the management or supervisory bodies of the company have reason to suspect that a member is or has been engaged in preparatory activities which may eventually result in a crime, the company may be obliged to report the suspicions of criminal activity.

Generally no. However, reporting obligations may arise, e.g. as a result of external audits or in case of capital market abuse (in accordance with the capital market legislation).

Montenegrin laws do not prescribe any direct obligation of the company to report suspicions of criminal activities, and there is no publicly available case law on how the criminal courts in Montenegro treat the reporting by legal entities of (suspected) crimes committed by its members in the performance of business activities in terms of the actual consequences for these legal entities.

Nevertheless, such an obligation does exist for the “responsible person” within a company under certain conditions. The law defines the “responsible person” as a natural person in charge of particular affairs within the company as well as a person presumed to be authorised to act in the name of the company. A responsible person is also a shareholder authorised to act in the name of the company. Thus, the definition of responsible person is quite broad and encompasses not only directors / authorised representatives, but also managers.

The obligation to report any suspicious activity exists when: (i) a person knows that a criminal offence, for which the prescribed sentence is more than five years of imprisonment, is being prepared (the obligation applies for the period before the act was committed / when it was still possible to prevent it); (ii) a person knows that a criminal offence, for which the highest possible sentence is prescribed (i.e. at least 30 and maximum 40 years of prison) has been prepared but did not report it; (iii) a person knows that a criminal offence, for which the highest possible sentence is prescribed, was committed, but does not report it before the offence and the person who committed it were discovered.

Finally, there is an outside possibility that the criminal courts could analogously interpret this obligation of the responsible persons of the company as the obligation of the company itself, in particular based on the Liability of Legal Entities Act, which provides that all criminal offences prescribed under Montenegrin laws apply to legal entities as well.

No. Under the Criminal Code, individuals are required to report the most aggravated crimes (such as murder, rape) to the appropriate authorities under pain of criminal liability. This does not apply to business-related crimes (white-collar crimes).

Generally, no. However, there are several cases where certain categories of persons are under a legal duty to report:

  1. Persons with control attributions are bound to inform the criminal investigation authorities about any information leading to the conclusion that a corruption offence has been committed; intentional failure to perform such duty constitutes an offence and is punishable by imprisonment of six months to five years, if the act does not amount to a more serious offence. If the failure to report was committed by negligence, the offence is punishable by imprisonment of three months to two years or by a fine;
  2. Public officers, regardless of rank, who, in the course of their duties, become aware of the commission of an offence, regardless of its nature, must immediately notify the criminal investigation authorities; intentional failure to report constitutes an offence and is punishable by imprisonment of three months to three years or by a fine. If the act is committed by negligence, the penalty consists of three months to one year of imprisonment or a fine;
  3. Persons with managing positions within an authority of the public administration or other public legal entities, as well as any person with control attributions, who, in the course of their duties, become aware of the commission of a criminal offence subject to ex officio investigation (i.e. not investigated upon a preliminary complaint), are bound to immediately report to the criminal investigation authorities;
  4. Any person who performs a public-interest service for which they have been mandated by public authorities or who is subject to control or supervision by said authorities as to the performance of the public-interest service, who, in the course of their duties, becomes aware of the commission of a criminal offence subject to ex officio investigation, is bound to immediately inform the criminal investigation authorities.

For the categories of persons in 3. and 4., the aforementioned sanctions 1. – 2. apply accordingly, depending on the nature of the offence and the specific circumstances of the case.

Companies may have a reporting obligation in case of criminal offences subject to imprisonment of more than five years.

The “responsible person” within a company formally has the obligation to report criminal wrongdoing. Under Serbian laws and practice, the responsible person may be a director / authorised representative of the company or any other person in charge of certain affairs within a company (e.g. a CFO) who knowingly omits to report a crime about which he/she learned in the performance of his/her obligations, if that crime is subject to punishment by imprisonment of five years or more. There are no reliable publicly available decisions on how the criminal courts in Serbia treat the reporting by legal entities of (suspected) crimes performed by members in the performance of business activities in terms of the actual consequences for these legal entities.

Generally no, except for all crimes of corruption (irrespective of the sentencing tariff) and certain other grave crimes with a maximum penalty of at least 10 years’ imprisonment.

The reporting obligation lies with the managers (or generally with any natural person) who have credibly learned that a crime for which a reporting obligation applies was committed, is being committed or is being planned. A legal entity does not have a reporting obligation.

Noncompliance is a punishable offence, with a maximum penalty of up to three years’ imprisonment.

Certain exceptions apply; for example, if the reporting obligation could not have been met without endangering one’s own life or the life of a close person.

Yes. While under the Criminal Procedure Act there is no general obligation to report a criminal offence, according to the Criminal Code it is a criminal offence not to report (i) that certain (serious) criminal offences are being planned, or (ii) that such (serious) criminal offences have occurred (where the seriousness is measured against the years of imprisonment that may be imposed). Additional sector-specific reporting obligations apply (e.g. for physicians). The failure to report such offences may be punishable by imprisonment of up to three years.

The Criminal Code does not specify whether the obligation to report rests with the company or its management, instead using the broad term “anyone”. It therefore can be argued that this obligation lies with both. In terms of sanctions, the company may face fines, withdrawal of assets, dissolution and prohibition of disposing with securities.

No. Pursuant to Article 278 of the Turkish Criminal Law, any person who fails to immediately notify the authorised bodies about an offence is punished with imprisonment of up to one year. However, this provision only applies in the event of the negligence of real persons in relation to such obligatory notification of criminal activities; and, within the meaning of Article 20 of the Turkish Criminal Law, no criminal/punitive sanctions may be imposed on legal entities and legal entities cannot be tried as criminals. However, the sanctions applied to legal entities in the form of security precautions stipulated in the law for the offences are reserved. Such security precautions that can be applied are: (i) cancellation of licences given by public bodies, and (ii) seizure of property and income.

Generally no, although such an obligation may arise out of board members’ general duty to act in the company’s best interest.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no.

Generally no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally, no.
Nevertheless, members of statutory/control corporate bodies must duly discharge their due managerial care in the best interests of the company. This may include a need to consider/initiate an internal investigation and/or perform other steps in relation to the suspicion of a criminal activity (e.g. notification duty [see answer to question 1.1]).

Generally no, although such an obligation for the members could arise out of their general duty to act in the best interests of the company. Such an obligation also may arise if the company has a whistleblowing system. If it does and suspects that a crime has been committed, it is also obliged to report it to the authorities.

Generally, no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no.
However, if such criminal activity involves damage caused to the company, the latter will be able to request the coverage of the damages caused only if an internal investigation (Ro. ancheta de serviciu) was conducted. Also, such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

The company has an obligation to perform “efficient, required and reasonable measures” both for determining and preventing criminal activities. Montenegrin laws (in particular the Liability of Legal Entities Act) envisage internal investigations as part of those measures.

Currently no. Please see question 2 above. Under the Draft Collective Liability Law, the company (through its specially appointed authority/body) must investigate any irregularities reported by its employees.

Generally, no. However, the company’s management might take such a step to act in the best interests of the company (compliance reasons).

Generally, no, although such an obligation for the members of the board could arise out of their general duty to act in the best interests of the company.

Generally no; however, such an obligation may arise under the statutory bodies’ general fiduciary duty of care or the company’s internal policies or compliance programmes.

Generally no. However, the management / supervisory board members may be obliged to conduct an internal investigation under their general duty of care towards the company.

No. As explained under point 1.1., companies/legal entities offence, and therefore are not obliged to perform such an internal investigation. However, within the meaning of Article 269 of the Turkish Commercial Code, (i) members of the board of directors of a company or (ii) third parties that are in charge of the governance of a company are obliged to act as cautious executives and to protect the interests of the company while performing their duties in accordance with the principle of good faith. A cautious executive must make business judgments pursuant to the principles of corporate governance. Furthermore, again as explained under point 1.1., if a real person has strong grounds in relation to the commission of a crime, that person is obliged to notify the authorised bodies about the related criminal offence.

This generally depends on the legal form of the company. A limited liability company (GmbH) may be obliged by a binding shareholder resolution (of the parent company), while a joint stock company (AG) may be obliged by initiating a respective resolution of the company’s management board / supervisory board. However, the management of an AG is rather independent of its parent company, which limits the scope of the parent company’s (legal) influence.

Depending on the internal acts of a local subsidiary (i.e. articles of association, articles of incorporation), the parent company as a shareholder could through its voting rights influence the shareholders’ meeting of the subsidiary in Bosnia and Herzegovina to enact a decision reflecting the demands of the parent company for an internal investigation.

This depends on the legal form of the company. If it is a limited liability company (OOD), it can be obliged by a binding shareholder resolution (of the parent company). If it is a stock company (AD), it can be obliged by initiating a respective resolution of the board of directors / management board of the company.

This generally depends on the legal form of the company. If the company is a limited liability company (d.o.o.), it can be obliged by a binding shareholder resolution (of the parent company). If the company is a stock company (d.d.), it can be obliged by initiating a respective resolution of the management board / supervisory board of the company. However, the management of a stock company is rather independent of its parent company, which limits the scope of (legal) influence of the parent company.

In principle, an obligation of a local subsidiary to perform an internal investigation imposed by a parent company upon a binding instruction is only available (i) within an integrated corporate group (koncern) where the controlling entity gives a binding instruction to the controlled entity, or (ii) upon direct request for a binding instruction submitted by the members of the statutory body of the local subsidiary to the parent company.
Generally, access to information by a parent company is significantly easier in a private limited liability company (s.r.o.) than a joint stock company (a.s.).

Generally, the parent company may instruct its subsidiary to carry out an internal investigation by means of a binding shareholder resolution. Alternatively, the parent company may introduce directives or policies (e.g. group code of conduct or group compliance policy) in which it describes circumstances under which an internal investigation must be carried out by the subsidiary or the parent company itself.

Depending on the internal acts of the local subsidiary (i.e. articles of association), the parent company as a shareholder could through its voting rights influence the shareholders’ meeting of the North Macedonian subsidiary to enact a decision reflecting the demands of the parent company to conduct an internal investigation. Moreover, the work rulebook may contain additional obligations for the employees/managers.

By means of a decision taken at the general assembly of shareholders / decision of the sole shareholder.

Depending on the internal acts of the local subsidiary (i.e. articles of association, statutes), the parent company as a shareholder could through its voting rights influence the shareholders’ meeting of the Montenegrin subsidiary to enact a decision reflecting the demands of the parent company to conduct the internal investigation.

There are no such means. Both in the case of a limited liability company and a stock company, neither the supervisory board nor the shareholders/stockholders may issue binding instructions for the management board. But the articles of association may expand the powers of the supervisory board and, for example, grant the supervisory board the right to suspend the management board member from its duties.

As a matter of principle, the parent company has limited legal instruments to order a subsidiary to perform an internal investigation, such as requiring the subsidiary to include the obligation to perform internal investigations in its statutory documents or internal policies. Generally, the cooperation of local management is crucial for the success of the internal investigation.

Depending on the internal acts of the local subsidiary (i.e. articles of association), the parent company as a shareholder could through its voting rights influence the shareholders’ meeting of the Serbian subsidiary to enact a decision reflecting the demands of the parent company for an internal investigation.

Generally, the parent company can instruct the directors of the local subsidiary to conduct the investigation by means of a shareholder resolution. However, shareholder resolutions are not binding upon the directors.

This generally depends on the company’s legal form. In a limited liability company (d.o.o.), a shareholder (i.e. the parent company) can pass resolutions that are binding on the management (limitations apply). In a joint stock company (d.d.), the shareholders in principle cannot pass such binding resolutions; the management of a d.d. is generally independent. However, there are ways in which the management of a d.d. can be obliged to conduct an internal investigation, such as a domination agreement, under which the subsidiary’s management is obliged to act as instructed by the parent’s management.

Generally a local subsidiary can be obliged by its parent company to perform an internal investigation by a shareholder resolution. Furthermore, under the group company provisions of the Turkish Commercial Code, each shareholder of a parent/controlling company can request at the general assembly of the related company that information be provided regarding a subsidiary/dependent company’s (i) position in terms of its finance and assets and accounting results; (ii) the relations of the controlling company with dependent companies; (iii) the relations of dependent companies with each other; (iv) the relations of controlling and dependent companies with their shareholders, managing directors and their relatives; and finally (v) the transactions they have conducted and the results thereof. Furthermore, within the meaning of Article 207 of the Turkish Commercial Code, if an auditor, operational auditor, special auditor, early risk identifier and the management committee have delivered an opinion stating the existence of fraud and conspiracy in a subsidiary/dependent company’s relationship with the controlling/parent company or with another dependent company, any shareholder of the dependent company can request the assignment of a special auditor from the commercial court of first instance at the location of the company’s headquarters for the purpose of clarifying this matter.

(i) The authorities are generally not prohibited from using this information against the company itself.
(ii) The authorities can generally also use this information against others (including members).
However, some restrictions could follow out of the method of the internal investigation (e.g. testimony of a member extracted by threats).

The public authorities (public prosecutor or police) would examine the information in the internal investigation report and (i) pursue the investigation or (ii) reject the criminal charges in cases against the company and/or others. However, the report on the findings of the internal investigation would represent a source of information on a potential criminal activity for the public authorities, rather than evidence of criminal activity.

In Bulgaria only natural persons can bear criminal liability and therefore criminal proceedings cannot be initiated against a company. Generally, the authorities can use information gathered during an internal investigation against a member or other third person. To use such information as evidence in criminal proceedings, the information must be acquired through the proper means, which are specified in the Bulgarian Criminal Procedure Code. For example, if during an interview a member discloses information that implicates another member in a crime, the interview transcripts may indicate that a criminal offence was committed, but the authorities would probably require a witness interrogation as a proper way of obtaining the information against the member.

Depending on the type of evidence and the method of information collection, there may be limitations on the use of information gathered by an internal investigation.

The authorities are generally permitted to use this information against (i) the company and/or (ii) against others (including members), provided such information has not been gathered unlawfully (e.g. testimony of a member extracted by threats, unauthorised video monitoring).

Generally, the authorities are not prohibited from using such information against the company itself. The authorities can also use such information against others (including members).
Restrictions apply to how internal investigations are organised, so that their outcomes are not disqualified for the purposes of criminal proceedings (e.g. testimony of a member extracted by threats).

There is no limit as to what sort of information the authorities may or may not use or against whom. In other words, it is at the authorities’ discretion to decide how to carry out an investigation.

The public authorities (public prosecutor or police) learn of a crime based on rumours or a criminal report. Based on this, they examine the information and (i) pursue the investigation or (ii) reject the criminal charges, in cases against the company and/or others. If, when moving towards investigation proceedings, the public authorities (i.e. the public prosecutor) cannot assess whether the allegations are credible, they shall collect all information necessary to decide on the charges, either themselves or with the assistance of the police or other authorities.

Generally, the disclosed information can be used against both the company itself and others (including members).

The public authorities (public prosecutor or police) would examine the information and (i) pursue the investigation, or (ii) reject the criminal charges in cases both against the company and/or others. There may be certain restrictions of such use based on the method of the internal investigations, i.e. whether or not the information was obtained illegally (contrary to the Constitution and/or applicable laws; for instance, if a member’s testimony was extracted by threats or if information was gathered by reviewing personal email correspondence without a member’s consent).

Such evidence is treated as any other evidence. However, the interrogation records are of lower value, as when it comes to the criminal proceedings the authorities rely on the principle of direct evidence taking. For their validity and procedural value, testimony must be given before a competent official.

According to the Romanian Code of Criminal Procedure (the “RCCP”), any piece of evidence which is not forbidden under the law generally may be used in a criminal trial against the company and/or third parties. Additionally, the RCCP provides that personal recordings (interceptions) can be used as evidence if they concern the parties’ private communications. Any other recordings also may constitute evidence, unless prohibited by law.

The public authorities (public prosecutor or police) would examine the information in the internal investigation report and (i) pursue the investigation or (ii) reject the criminal charges in cases against the company and/or others. However, the report on the findings of the internal investigation would represent a source of information on a potential criminal activity for the public authorities, rather than evidence of criminal activity.

The authorities are generally not prohibited from using this information against the company and/or others. However, should any information be obtained unlawfully, restrictions on its use will apply.

The use of information gathered by an internal investigation is generally permitted, both against (i) the company and (ii) others. Limitations apply; for example, the use of such information may be limited if the internal investigation was conducted illegally / in circumvention of the suspects’ procedural rights (e.g. in case of unlawful wiretapping or video recordings).

There are no regulations under Turkish Criminal Law or Criminal Procedure Law prohibiting the use of information voluntarily provided (by the company) against the company and/or others. However, if such an internal investigation includes information that has been obtained through unlawful methods (i.e. voice recordings made without one’s consent), such unlawful information present in the internal investigation cannot be used against the relevant person, member, etc.

Yes. In fact, it is advisable to perform internal investigations in parallel to criminal investigations in order to stay up to date on the development of the case. The most important issues are (i) to use proven and reliable procedures within the internal investigation, (ii) to have a clear internal and external communication policy, and (iii) to handle the timing of the investigation process.

Generally yes. There are no legal obstacles to conducting an internal investigation in parallel to the criminal investigation.

If a company discovers that a reportable crime (which had not already been reported) may have been committed, it and/or the responsible persons within the company may have reporting obligations. For the information on (i) which crimes are reportable and (ii) which persons may be considered “responsible persons” within a company, please see the answer to question 1.1. above.

Another important aspect to consider is that the company cannot dismiss an employee only because internal investigation proceedings have been initiated against him/her. Please see section 8 for more details.

Generally yes. Bulgarian law does not regulate internal investigations. However, the internal investigation should not impede or in any other way interfere with the criminal investigation.

Generally yes.

The internal investigation must not interfere with the criminal investigation.

Generally, yes.

If during the internal investigation the management learns about facts relevant to the criminal investigation, and the criminal authorities ask for these facts during the criminal investigation, the members of the management are obliged to answer truthfully, otherwise they could be prosecuted for giving untrue testimony. This may be an issue especially when the company does not want to make the whole story public.

Generally yes. If an internal investigation is conducted it should not obstruct the criminal investigation.

Generally yes. If a company discovers that a reportable crime which had not already been reported may have been committed, it and/or the responsible persons within the company may have reporting obligations (see the answer to 1.1. above). Another important aspect to consider is that the company cannot dismiss or suspend an employee against whom an internal investigation is being conducted only on the grounds of initiating a dismissal/suspension procedure against him/her. Please see section 8 for more details.

Generally yes.

If a company discovers that a reportable crime (which had not already been reported) may have been committed, the company and/or responsible persons within a company could have reporting obligations.

For the information on (i) which crimes are reportable, and (ii) which persons may be considered “responsible persons” within a company, please see the answer to 1.1. above.

Another important aspect to consider is that a company cannot dismiss an employee against whom a criminal investigation has been commenced until a final decision in such proceedings is reached. Please see section 8 for more details.

As a rule, there is no legal prohibition, but this might be seen as risky, since once the criminal proceedings are ongoing, any investigations conducted on your own may be seen by the authorities as obstruction of justice.

Generally, yes. However, the internal investigation must be conducted carefully so as not to tamper with the criminal (official) investigation. The internal investigation team must not assume the prerogatives of the criminal investigation authorities or attempt to establish criminal liability. This is permitted only within criminal proceedings, where procedural safeguards are expressly guaranteed. One important issue for the team of internal investigators is to make sure during the proceedings that the persons subject to investigation cannot steal, destroy, withhold, conceal or alter material evidence or documents which might prevent the criminal investigation authorities from finding out the truth in a judicial proceeding. Such acts may amount to a criminal offence, punishable by imprisonment of six months to five years. This applies mutatis mutandis also to the team of internal investigators.

Generally, yes. If a company discovers that a reportable crime (which had not already been reported) may have been committed, it and/or the responsible persons within the company may have reporting obligations. For the information on (i) which crimes are reportable and (ii) which persons may be considered “responsible persons” within a company, please see the answer to question 1.1. above.

Another important aspect to consider is that the company cannot dismiss or suspend an employee only because internal investigation proceedings have been initiated against him/her. Please see section 8 for more details.

Generally yes. An internal investigation should not obstruct the criminal investigation. The directors or employees are not protected by a duty of confidentiality and may be required to give testimony about facts that they have learned or identified during the investigation.

Generally yes. There are no general limitations. However, the internal investigation should be planned carefully so that the criminal investigation is not obstructed.

2 Legal privilege

Basically, lawyers, notaries and economic trustees (Wirtschaftstreuhänder) are covered by legal privilege. These persons have the right to refuse to give evidence on matters about which they have learned in the scope of their profession. Authorities must not circumvent this right, e.g. by interrogating employees of the privileged person or by seizing documents containing privileged information.
Anyone has the right to refuse to give self-incriminating evidence.

Legal privilege only applies to attorney-client communication, including everything revealed by the client to the attorney, and all the information that the attorney acquired in any other way while representing the client, irrespective of whether the client informed the attorney of the confidentiality of the information or if this could be inferred from the case itself. The attorney is also obliged to keep confidential data, submissions, information, records, objects, minutes and deposits of parties that he or she has chosen not to represent and which were provided to the attorney for the purpose of representation. The aforementioned also applies to parties who decided not to engage the attorney. Legal privilege (i) covers attorneys (and trainee attorneys, associates and employees, given that they act in accordance with the attorney’s instructions) and (ii) only applies to the objects and documents placed in the attorney’s office.

Basically only lawyers are covered by legal privilege.
Under both the Civil Procedure Code and Criminal Procedure Code, the lawyers of the parties to a court case have the right to refuse to testify (i.e. the right applies to both civil and criminal proceedings). The lawyers of the parties in competition proceedings enjoy the same level of protection. This means that in civil, administrative and penal proceedings, the legal privilege fully applies to lawyers and they may refuse to testify or to otherwise be interrogated in relation to their activities as lawyers. Legal protection applies to (i) lawyers registered with the Bulgarian Bar Association; (ii) EU or EEA lawyers registered with the Single Register of Foreign Attorneys-at-Law of the Supreme Bar Council and in the register of foreign attorneys-at-law kept by the relevant Bar; and (iii) lawyers’ assistants registered in a special register at the respective Bar Council. Apart from lawyers and lawyers’ assistants under (i) to (iii) above, lawyers who are citizens of other countries might enjoy the protection of legal professional privilege pursuant to the provisions of an international treaty between the Republic of Bulgaria and the country of nationality of the lawyer in question or on the basis of reciprocity between the two countries.
Certain violations of this duty of professional secrecy committed by lawyers are criminalised by the Bulgarian Criminal Code.
Notaries public are also obliged to keep confidential the circumstances that were entrusted to them in their capacity as a notary. The same rules apply to all notary assistants. However, the protection that applies to notaries is not absolute and a document kept with the Notary Register may be delivered by the notary in the case of a written order (ruling, order) issued by a judge or prosecutor.

Basically, attorneys, notaries and tax advisors. In general, these persons have the right to refuse to give evidence about matters of which they have learned within the scope of their profession. This right must further not be circumvented by the authorities inter alia by interrogating employees of the privileged person. Moreover, anyone has the right to refuse to give evidence if doing so would expose them to the risk of prosecution, disgrace or significant material damage.

Besides the above-mentioned, the following people cannot be heard as witnesses: (i) spouses (including extramarital); (ii) close relatives; (iii) family by marriage; (iv) adoptive parents / children; (v) religious confessors, physicians, psychologists, dentists, probation officers and social workers who obtain information in the course of their profession; (vi) journalists and editors about their sources when the information received was used to inform the public; (vii) persons to whom the material gain obtained by criminal activity has been transferred.

Basically, attorneys-at-law and public notaries are covered by legal privilege. These persons have the right to refuse to give evidence on matters about which they learned in the scope of their profession. Authorities must not circumvent this right inter alia by interrogating employees of the privileged person or by seizing documents containing privileged information.
Moreover, anyone has the right to refuse to give self-incriminating evidence.

In general, attorneys, notaries and auditors are covered by legal privilege.

Lawyers (and counsels), notaries and defence attorneys are bound by legal privilege with their clients. Everything that the client entrusts to the attorney/notary with regard to the requested legal advice, representation or defence, and everything that the attorney has learned about the case in any other way, and any records which the attorney keeps in his/her archive and which are confidential, represents a professional secret and is covered by legal privilege. If the attorney chooses not to represent a client, he/she is obliged not to undertake anything which could harm the party. Also, a notary public and all employees of a notary public are obliged to keep confidential data that they have learned about in the course of their work, unless it follows otherwise from the law or the will of the parties.

Generally, under the Moldovan legislation, legal privilege refers only to certain categories of persons, which cannot be heard as witnesses within a penal investigation:
(i) persons with physical or mental issues, if such issues do not allow them to understand the circumstances of the case;
In certain cases:
(ii) defenders (lawyers) and employees of the lawyer’s office, representatives;
(iii) judges, prosecutors, criminal investigation officers, secretaries (recorders);
(iv) journalists;
(v) clergymen;
(vi) doctors (other persons providing health treatment);
(vii) Peoples’ Advocates, Peoples’ Advocates for children’s rights, their deputies and employees of their offices.
Also, a person has the right to refuse to make declarations, disclose information, present documents and goods, if such can be used against him/her or against his/her close relatives.

The Moldovan Code of Penal Procedure, however, does not contain an express prohibition on the seizure of documents of the persons listed in (i) – (vii) above.

Legal privilege applies to attorney-client communication, including everything revealed by the client to the attorney, and all the information that the attorney acquired in any other manner while representing the client, irrespective of whether the client informed the attorney of the confidentiality of the information or if this could have been inferred from the case itself. The attorney is also obliged to keep confidential data, submissions, information, records, objects, minutes and deposits of parties that he or she has chosen not to represent and which were provided to the attorney for the purpose of representation. The aforementioned also applies to parties who decided not to engage the attorney. As the attorney is liable towards the client for the violation of legal privilege committed by its employees and associates, the legal privilege also covers these persons.

Also, a notary public and all his/her employees are obliged to keep confidential data obtained in the course of work, unless it follows otherwise from the law, the will of the parties, or the content of the legal transaction.

Defence attorneys, advocates or legal counsels contacting the arrestees are covered by legal privilege, which may not be lifted or circumvented. Legal privilege applies to facts learned while giving legal advice or working on a case. It also covers defence documents as referred to in point 2.3.
Clergymen are covered by legal privilege with regard to facts learned during confession.
Mediators are generally covered by legal privilege with regard to facts learned from the accused or the aggrieved party while conducting mediation proceedings.
Persons obliged to not disclose information classified as “confidential” or “strictly confidential” may testify as to information to which the above obligation applies only after they are released from the duty of confidentiality by an entitled superior authority.
Persons subject to notary, advocate, legal advisor, tax advisor, physician, reporter, statistical or counsels of State Treasury Solicitor Office privilege may be questioned with regard to the facts covered by this privilege only when this is indispensable for the interests of the administration of justice and such facts cannot be established on the basis of any other evidence.
The next of kin of the accused may refuse to testify. Witnesses accused of being an accomplice in the crime in a separate trial in progress also have the right to refuse to testify.
A witness may refuse to answer a question if the answer might incriminate him or his next of kin for an offence or a fiscal offence.

Lawyers and notaries public are covered by legal privilege.

Legal privilege only applies to attorney-client communication, including everything revealed by the client to the attorney, and all the information that the attorney acquired in any other way while representing the client, irrespective of whether the client informed the attorney of the confidentiality of the information or if this could be inferred from the case itself. The attorney is also obliged to keep confidential data, submissions, information, records, objects, minutes and deposits of parties that he or she has chosen not to represent and which were provided to the attorney for the purpose of representation. The aforementioned also applies to parties who decided not to engage the attorney.

Legal privilege in Serbia is regulated by the Serbian Attorney Act. Legal privilege (i) covers attorneys (and trainee attorneys, associates and employees, given that they act in accordance with the attorney’s instructions) and (ii) only applies to the objects and documents placed in the attorney’s office or that were temporarily transferred elsewhere under the instructions and supervision of the attorney. Notaries and their offices are not covered by legal privilege under Serbian law.

Legal privilege covers attorneys, including their employees and associates. Attorneys cannot therefore be subject to interrogation with respect to the provision of legal services, and their communication with a client cannot be used in criminal proceedings as evidence. A similar regulation applies to notaries.

Anyone has the right to refuse to be interrogated if interrogation would expose them or their close persons to risk of prosecution.

In a nutshell, legal privilege – in the sense of the right to refuse to give evidence against the suspect – extends to spouses, close relatives / family by marriage, adoptive parents / children, (religious) confessors, attorneys, physicians, social workers and other persons who obtain information in the course of their profession and are bound by a duty of confidentiality. Furthermore, privilege against self-incrimination applies to all natural persons. In all these cases, the people have a right to decide whether they will give evidence.
In addition, attorneys are prohibited from testifying about information obtained from suspects in their role as their attorney, unless they are released by the suspect. Such evidence is in principle always inadmissible.

The Attorneys Act and the Criminal Procedure Law provide legal privilege provisions. Within the meaning of Article 36 of the Attorneys Act, attorneys are prohibited from disclosing information that has been entrusted to them or that they come upon in the course of performing their duties both as an attorney and as members of the Union of Bar Associations of Turkey and various bodies of bar associations. Attorneys’ testimony on the abovementioned matters is contingent upon having received their client’s consent. However, even under such circumstances, the attorney may refrain from testifying. This obligation of the attorney is only towards the client, and a breach of this regulation may lead to the civil and criminal liability of the relevant attorney. Likewise, Article 130 of the Criminal Procedure Law states that the offices of lawyers can only be searched with a court decision and with the supervision of a public prosecutor. The lawyer whose office is being searched is entitled not to permit confiscation of a document during such search, which relates to a client, by claiming legal privilege. In such a situation the related documents should be sealed and the court will decide whether the claimed document is protected by legal privilege. As the above-stated confidentiality is considered to be in the scope of public interest under Turkish law, it is applicable to all litigations and investigations, including competition investigations.

In particular, documents drafted by a lawyer for the purposes of advising and defending an accused person (“defence documents”).

All documents, records (in electronic, audio or picture form), files, minutes and deposits located at the attorney’s office are covered by legal privilege.

Legal professional privilege covers all data, documents and correspondence (documents on hard and soft copy, computer equipment, files and other information carriers), which are in the possession of lawyers and which relate to their clients. Client-attorney correspondence is also explicitly protected by legal privilege. Conversations between client and attorney cannot be intercepted and recorded. Any recordings, where available, cannot be used as evidence and are subject to immediate destruction. These rules apply in all kinds of proceedings (civil, criminal or administration).

All documents associated with the relevant client-attorney relationship found at the attorney’s office. This may include writings, audio, computer, video or similar records as well as client’s deposits.

Notaries may not share documents with public authorities, unless the public authority seeks the individually specified document in writing.

Any attorney-client communication, including documents drafted by an attorney-at-law for the purposes of advising and defending an accused (“defence documents”), is covered by legal privilege. Such defence documents are excluded from scrutiny by any public authority (see our answers to questions 2.3 and 2.4 below for limitations).

Documents, statements and notes drafted by the attorney for advice and defence of the accused.

Any documents that the lawyer, notary or defence attorney keep in respect of the client.

Generally, there are no documents covered by legal privilege. In other words, the Moldovan Code of Penal Procedure does not expressly prohibit the seizure by the penal investigating authorities of a person’s / entity’s documents (including containing information arising out of the attorney-client relationship).
It is, however, indicated that documents containing state, trade and banking secrets, as well as information with regard to telephone conversations, may be seized on the basis of a court decision.

Documents drafted for the purpose of advising and defence of a client (i.e. data, submissions, information, records, objects, minutes and deposits of parties he or she has chosen not to represent and which were provided to the attorney for the purpose of representation, also for the parties who decided not to engage the attorney). Legal privilege also covers documents concerning representation with which the attorney was acquainted, which were shown or handed over to the attorney during the representation.

Correspondence or other documents surrendered or found in the course of the search containing information pertaining to the performance of function of the defence counsel as well as documents containing confidential information or information constituting professional or other legally protected secrets or that is of a private nature.

Documents drafted by lawyers for advisory purposes and the defence of an accused (“defence documents”).

Documents drafted for the purpose of advising and defence of a client (i.e. data, submissions, information, records, objects, minutes and deposits of parties that the attorney has chosen not to represent and which were provided to him/her for the purpose of representation as well as for the parties who decided not to engage the attorney). Legal privilege also covers documents concerning representation with which the attorney was acquainted that were shown or handed over to the attorney during the representation.

Mainly legal documentation prepared in connection with the provision of advisory services and for the defence of an accused person. It also includes all information communicated to an attorney by a client.

Legal privilege, in principle, extends to the attorney’s activities conducted “in the course of their profession”. Hence all documents associated with the client-attorney relationship are generally covered.

Documents covered by legal privilege have not been clearly listed under Turkish law. However, legal privilege should apply to all information exchanged between a client and an attorney, regarding the client’s right of defence, without a time limitation.

Legal privilege is not applicable if already existing evidence has been handed over to a privileged person to hide it from potential seizure. It also no longer applies if the defence documents have been handed over to a third party and are therefore no longer within the sphere of the accused or the privileged person.

In the Federation of Bosnia and Herzegovina there are four exceptions where the attorney is relieved from the confidentiality obligation: (i) the client explicitly or tacitly allows it; (ii) it is necessary to prevent the commission of a criminal offence; (iii) it is necessary for the attorney’s or his/her associate’s defence; and (iv) an attorney initiates litigation for the settlement of costs and expenses owed by the client. In Republika Srpska, the attorney is relieved from his/her confidentiality obligation if (i) the client undoubtedly allows it, (ii) it is necessary for the defence of the client, and (iii) it is necessary for the justification of the attorney’s decision to refuse the defence of a client.

The legal privilege protection begins as soon as the attorney is instructed by the client. There are no explicit limitations provided under the law. The exception of the legal privilege protection would be for documents handed over to the attorney in relation to the attorney’s obligation to identify his/her clients under the Measures against Money Laundering Act. Documents/information collected under this act are stored by the attorneys and, if requested by the State Agency for National Security, delivered to it.

An attorney is relieved from the confidentiality obligation if: (i) a client undoubtedly allows it; (ii) it is necessary for the attorney’s defence; or (iii) it is necessary to justify the attorney’s decision to leave the defence.

Legal privilege is also not applicable in various abuse cases (e.g. planning of criminal activity, handing over documents for the sole purpose of hiding/protecting them from potential seizure).

Legal privilege is not applicable if defence documents have been handed over to a privileged person for the sole purpose of hiding/protecting them from potential seizure. Legal privilege also no longer applies if the defence documents have been handed over to a third party and are thus no longer within the sphere of the accused or the privileged person.

Under the general confidentiality obligation of attorneys, attorneys have the right to refuse to give evidence on matters covered by legal privilege while the document concerned is in the possession of the attorney and unless the client consents to the release. In criminal cases, the attorney acting for the defence cannot be heard even if the client gave his prior consent.

An attorney can only reveal information covered by legal privilege (i) when the client authorises the disclosure, (ii) if it is necessary for the defence, or (iii) if authorised by the Bar Association.

Please see 2.1 and 2.2 above.

There are three exceptions where the attorney is relieved from the confidentiality obligation: (i) if the client undoubtedly allows it; (ii) if it is necessary to prevent the commission of a criminal offence; and (iii) if it is necessary for the attorney’s or his/her associate’s defence.

Point 2.1. contains limitations related to the lifting of legal privilege based on the decision of a competent authority. The legal privilege as specified in point 2.2. does not apply to correspondence or other documents containing information classified as “privileged” or “confidential”, or information constituting a professional or other legally protected secret, if their holder is suspected of having committed an offence. It also does not apply to letters or other documents of a personal nature, if the person suspected of having committed an offence is their holder, author or addressee.

In practice this means that if documents containing privileged information (produced by an attorney, e.g. a legal opinion) are in the possession of a manager accused of a crime, the documents may be seized by the authority and admitted as evidence.

Under the RCCP, the professional relationship between a lawyer and their client may be subject to electronic surveillance only when there is information that the lawyer is committing or is preparing to commit certain very serious offences (e.g. money laundering, tax evasion, corruption offences, offences against the financial interests of the EU, etc.). It seems that no similar provisions have been enacted in the case of notaries.
If the documents are found outside the sphere of the privileged person, they might no longer benefit from immunity.

There are four exceptions where the attorney is relieved from the confidentiality obligation: (i) if the client undoubtedly allows it; (ii) if it is necessary to prevent the commission of a criminal offence; (iii) if it is necessary for the attorney’s or his/her associate’s defence; or (iv) if it is necessary for the defence of rights and interests of the attorney or his/her close relatives and associates, if these rights and interests are objectively more important than the confidentiality of the information.

Attorney legal privilege does not apply where the attorney has a reporting obligation with respect to a crime that is being committed or is being planned, even if this information comes from the client (the legal privilege applies only to crimes that the client has already committed).

Legal privilege is generally limited to the provision of legally permitted services by the attorney to the client. It is therefore inapplicable in various cases of abuse (e.g. active attempts to hide evidence) or even criminal activities planned/conducted by the attorney and the client together. Legal privilege does not apply if information has not been obtained from the client (but from another source) or has been handed over to a third party (despite being originally obtained from the client).

Documents and information exchanged shall not be subject to legal privilege if the document/information exchanged (i) does not relate to the client’s right of defence, or (ii) is executed/exchanged for the purpose of hiding or helping a breach of law.

Authorities may under certain conditions seize documents containing legally privileged information, but it is prohibited if doing so would circumvent legal privilege (see our answer to question 2.1.). Therefore, the admissibility of such a seizure depends on (i) the location of the documents (e.g. in the attorney’s office or company’s office) and (ii) the kind of documents (e.g. defence documents or documents drafted by the company itself, such as a summary report of an internal investigation). There is a high risk that authorities will access actual privileged documents if these are kept in the company’s offices and not with the accused or a privileged person.

Legal privilege cannot be violated “to the detriment of the attorney or the client”, including during a court-ordered search. If a court-ordered search of a law firm concerns the information gathered during an internal investigation, then the public authorities could potentially have access to it. However, the cases, documents and files (except those seized based on a court decision), as well as findings discovered during the search of the law firm, cannot be used to conduct proceedings against the clients of the attorneys from that firm.

Yes. See our answer under 2.3. above.

Authorities may under certain conditions access/confiscate legally privileged information gathered during an internal investigation (e.g. during the search of an attorney’s office). However, the use of accessed/confiscated documents (except those based on a court decision) will be inadmissible. Also, any evidence gathered from such documents will be inadmissible (“fruit of the poisonous tree doctrine”), unless public interest prevails over the defence rights of the accused. In any case, there is a high risk that the authorities could access privileged documents if these are kept within the premises of the company and not with a privileged person.

Generally, public authorities may (under certain conditions) seize documents containing legally privileged information if and to the extent such seizure does not circumvent legal privilege (see our answer to question 2.1). The admissibility of such a seizure depends on the nature of the documents (i.e. defence documents prepared by an attorney-at-law vs. documents drafted by the company itself, such as a summary report of an internal investigation). The location of the documents is generally irrelevant. In each case, there is a substantial risk that public authorities will access actual privileged documents if these are kept in the company’s offices.

Under certain circumstances, the authorities may access legally privileged information, although a court order is required. In case of a search warrant, apart from the court order, the presence of the prosecutor is also required.

Attorney-client communication cannot be subject to review, copying, examination or confiscation, and cannot be used as evidence in court proceedings.

Generally, there are no documents covered by legal privilege. However, documents (related to internal investigation) containing state, trade and banking secrets may be seized on the basis of a court decision.

If a court orders a search of a company, then the information gathered during the internal investigation could potentially be seized by public authorities.

If a court orders a search of a law firm, then pursuant to the Attorneys Act, none of the documents provided by the client to the attorney (including information gathered during the internal investigation) can be used in the proceedings against that company or against any other clients of that firm.

During criminal proceedings, however, the following cannot be seized: (i) written documents (spisi) and documents issued and held by competent state authorities if publication thereof would violate the duty of confidentiality; (ii) letters of the suspect to his/her attorney (this does not apply if the attorney was an accomplice, if he helped the suspect after committing a crime, and concealed the crime); (iii) any documents (thus also including defence documents), minutes or excerpts made by professionals who are under a confidentiality obligation (i.e. attorneys), and which were made or acquired while performing their work.

Nevertheless, the court may order seizure of any and all documents prepared or held by the attorney if there is a justified suspicion that the attorney collaborated and/or participated in any way, jointly with the suspect, in the performance of the criminal act.

Therefore, the possibility of a seizure depends on (i) the location of the documents (i.e. at the attorney’s office or the company’s office), (ii) the kind of documents (i.e. defence documents or documents drafted by the company itself, such as a summary report of an internal investigation); and (iii) special circumstances (such as the attorney’s collaboration). In any case, there is a high risk that the authorities will access actual privileged documents if these are kept in the company’s offices and not with the suspect or a privileged person.

If a document found or surrendered contains confidential information or information constituting professional or other legally protected secrets or is of a private nature, the agency conducting the search shall hand the document over immediately without reading it to the public prosecutor or to the court in a sealed envelope.
If the defence counsel or other person summoned to surrender an object or whose premises were searched declares that correspondence or other documents surrendered or found in the course of the search contain information pertaining to the performance of function of the defence counsel, the agency conducting the search shall leave the documents to the said person without examining their contents or appearance. However, if such a statement made by a person who is not a defence counsel raises doubts, the agency conducting the procedure shall hand these documents over to the court. The court, having acquainted itself with the documents, shall return them in their entirety or in part to the person from whom they were taken or shall issue a decision that the documents be seized for the purposes of the proceedings.

Generally, the following should be exempted from access and confiscation: documents containing communications between the lawyer and the client as well as documents containing notes made by the lawyer in defence of his client.
Apparently, there are no similar provisions in the case of notaries.
In practice, however, such documents may be accessed and removed if they are found at the company’s premises, especially if the company is subject to investigation.

If a court order to search a law firm concerns the information gathered during the internal investigation, then the public authorities potentially could have access to it. The procedure for searching a law firm is regulated by the Attorneys’ Act. The legal framework and relevant practice do not provide clear guidance on the scope of documents that could be subject to search and seizure in the law firm. Nevertheless, the cases, documents and files (except those seized based on a court decision), as well as findings discovered during the search of the law firm, cannot be used to conduct proceedings against the clients of the attorneys from that firm.

Yes, for instance if documents containing legally privileged information are not stored with the attorney.

There are two aspects to legal privilege. Firstly, it is a procedural right of persons mentioned above (see 2.1. above), allowing them to refuse testimony (and, by extension, limiting certain ways of obtaining evidence, such as wiretapping, which could be used as circumvention of legal privilege). Secondly, it is a procedural caveat, which prohibits the use of certain methods/information in a criminal investigation (e.g. unwarranted searches of private premises). It follows that obtaining information gathered during an internal investigation in the course of a criminal investigation is, in principle, possible and permissible, e.g. on the basis of a search warrant for the company’s premises or testimony by a person who is not covered by legal privilege.

However, measures used for obtaining information during a criminal investigation should not be used to circumvent other procedural caveats. For example, an attorney is prohibited from testifying against their client (see 2.1. above). By extension, use of attorney’s notes (including information about a client) that are found during a search of an attorney’s office is not permissible, even if the search itself was (procedurally speaking) lawful.

As explained under point 2.1 above, it is possible, following a legal privilege claim made by a lawyer, to seize and seal in an envelope information gathered from an internal investigation, which is present at the lawyer’s office during a search held by public authorities. In order for such a sealed document to become accessible by public authorities, the judge of a “peace court of criminal jurisdiction” at the investigation phase, or a judge/court at the prosecution phase shall give the necessary decision in relation to the access of public authorities to such documents seized and sealed during a public investigation.

Documents drafted by (i) and (ii) can be protected by legal privilege. Documents drafted by (iii) and (iv) are generally not protected by legal privilege.

In Republika Srpska only documents drafted by a foreign or national attorney are protected by legal privilege. On the other hand, in the Federation of Bosnia and Herzegovina, only documents drafted by a national attorney are protected by legal privilege.

Yes. In-house counsels are not covered by legal privilege (unless the correspondence is between external attorney – client and an attorney). Other professionals (i.e. tax advisors) are also not covered by legal privilege.
For foreign attorneys the legal privilege applies if they are (i) EU lawyers who are citizens of another EU Member State, of a state party to the EEA Agreement or of Switzerland who are qualified to practice law in at least one of the said countries; and (ii) are registered with the Single Register of Foreign Attorneys-at-Law of the Supreme Bar Council and in the register of foreign attorneys-at-law kept by the relevant Bar. In addition, lawyers who are citizens of other countries might enjoy the protection of legal professional privilege pursuant to the provisions of an international treaty between the Republic of Bulgaria and the country of nationality of the lawyer in question or on the basis of reciprocity between the two countries.

Generally no, as the legal privilege extends to (i) information that the attorneys (and other privileged persons) obtained “in the course of their profession” and (ii) documents located in the attorney’s office (see 2.1. and 2.2. above). It is generally irrelevant who drafted the interview notes and/or reports summarising the internal investigation.

Generally, documents drafted by (i) and (ii) can be protected by legal privilege (some restriction on foreign attorneys may apply). Documents drafted by (iii) and (iv) are generally not protected by legal privilege (for the sake of completeness, documents drafted by tax advisors may under certain conditions be protected by legal privilege).

Generally yes. The protection is granted if a certain document was drafted by an attorney or in-house counsel belonging to the Hungarian Bar (irrespective of whether the lawyer is Hungarian or a foreigner). The same applies to junior attorneys (associates) belonging to the Hungarian Bar. Tax advisors are generally not granted legal privilege.

The relevant legislation does not provide for an explicit answer, but it can be assumed that only documents drafted by a foreign or national attorney are protected by legal privilege.

Please see 2.2. above.

Only documents drafted by (i) Serbian or Montenegrin attorneys, or (ii) foreign attorneys who comply with national requirements and whose licences are recognised by the Montenegrin Bar Chamber, are protected by legal privilege.

It does not matter who the author of the documents is. The important thing is whether the documents are covered by professional secrecy or any other legally protected secrecy.

In practice it is rather unclear and there may be doubts about how to deal with documents authored by foreign attorneys not officially registered in Poland.

Yes. If the mentioned documents have been drafted by lawyers (e.g. national lawyers/in-house counsels) it can be argued that they are covered by legal privilege (even though there is no certainty about this aspect). Documents drafted by other professionals (e.g. tax advisors) are not protected by legal privilege.

Only documents drafted by a foreign or national attorney are protected by legal privilege.

Strictly from the reading of the Slovak law, only documents drafted by national attorneys and attorneys registered in Slovakia as European attorneys are protected by legal privilege. Foreign attorneys should be covered by legal privilege by referring to their confidentiality obligation under laws applicable to their business conduct. Other documents are generally not protected by legal privilege, although exceptions may apply.

Generally no. Legal privilege extends to information that the attorneys (and other privileged persons) obtain “in the course of their profession” (see 2.1. above). It is generally irrelevant who drafted (i.e. technically put together) the interview notes or similar documents containing privileged information.

Documents drafted by national attorneys are covered by legal privilege, while documents drafted by foreign attorneys, other professionals and in-house lawyers are generally not protected by legal privilege. However, foreign lawyers that are not qualified in Turkey but carry out business in Turkey pursuant to the Attorneys Act can be considered within the protection of legal privilege, as long as they are not in-house lawyers. In-house lawyers are not considered to be independent from their clients, and being independent from a client is considered one of the main conditions of being in the scope of legal privilege.

(i) Privileged information located in the accused person’s office/home is generally protected.
(ii) Privileged information located in the attorney’s office is generally protected.
(iii) Privileged information located elsewhere is generally not protected.

Legal privilege covers only the information located in the attorney’s office.

The legal privilege of an attorney is not absolute in Republika Srpska, as there are no legal obstacles to the documents covered by legal privilege being seized by the court under the Criminal Proceedings Act. Also, we cannot rule out that documents protected by legal privilege in the Federation of Bosnia and Herzegovina may be used in the court if the court considers them not to be detrimental to the attorney or his/her client.

Generally no. However, if the legally privileged information/documents is/are stored within the company or somewhere else, it is recommended to mark the documents that contain such information as “legally privileged”. If legally privileged information/documents is/are taken by the authorities within ongoing proceedings (e.g. within dawn raids organised by the Bulgarian Commission for Protection of Competition) an appeal against the admissibility of these legally privileged documents can be made.

(i) Information located within a company may be accessed based on a search warrant, except under certain circumstances when a search warrant is not necessary.

(ii) Information located in the attorney’s office is generally protected and may be accessed based on a search warrant (issued only under specific circumstances) and in the obligatory presence of the Bar Association’s representative.

(iii) Information located in public places may be generally accessed.

Generally, no. All information subject to legal privilege is protected regardless of its location.

Generally, only information communicated to or being in the possession of an attorney is protected by legal privilege.

Legal privilege covers only information located in the attorney’s office.

Generally no.

Generally, yes. As described in point 2.4. above, legal privilege covers the information located at the attorney’s office, in such a way that normally the client’s information gathered in the law firm cannot be used either against that company or any other clients of that firm.

Except for the limitations specified in point 2.3. above, it does not make any difference where the documents in question are located.

Yes. If located at the attorney’s/notary’s office, the information should be inviolable, since it is covered by professional secrecy. If the privileged information is located within the company, there is a risk that it may be accessed by investigation authorities (see also 2.4.).

Legal privilege covers only the information located in the attorney’s office.

Yes, legal privilege could be suspended (but only in line with the court’s order), for certain documents generally covered by legal privilege.

The use of and access to legally privileged documents located in the attorney’s office is limited due to legal privilege. The same applies to an attorney’s home. Legal privilege generally does not apply to documents stored in other places.

(i) In principle, information located in the company is not specially protected; however, a court warrant is required to search a suspect’s home/office and, in some cases, the company’s premises.
(ii) Information located in the attorney’s office is also specially protected (obligatory presence of the attorney and Bar Association representative, various other procedural protections, etc.).
(iii) The status of information located elsewhere depends on the status of the location (e.g. private vs. public premises, suspect’s premises vs. premises of third parties, etc.).

Moreover, information located in an attorney’s office is more likely to be subject to other procedural caveats (see 2.1. and 2.4. above) and hence be inadmissible.

The concept of a “privileged document” (or “privileged information”) is misleading, as under Slovenian law no document is privileged in and of itself and there is no document whose use is in and of itself prohibited in criminal proceedings. In short, what is prohibited are certain ways/modes of obtaining documents/information, as outlined in point 2.4. above.

It is correct that both the company’s premises and the attorney’s office may be lawfully searched based on a search warrant, provided that certain procedural caveats have been observed. It is also correct that information found during such searches may be used by the authorities (in criminal proceedings against the suspect), and in this sense legal privilege is not “absolute”, provided, however, that such information does not contravene (or constitute a circumvention of) procedural caveats. Particularly inadmissible is use of evidence that goes against the caveats mentioned in point 2.1. above, but – more generally – any evidence obtained in breach of Slovenian constitutional rights. It follows that the question of the admissibility or inadmissibility of evidence cannot be addressed with broad rules, but requires comprehensive analysis of the specific circumstances.

To illustrate, two examples: (1) As previously pointed out (see 2.1. above), attorneys are prohibited from testifying about their clients (i.e. attorney-client privilege); by extension, obtaining such information through a search of the attorney’s office would, in principle, be seen as circumventing attorney-client privilege, and hence such evidence would be inadmissible (i.e. not because the search itself would be inadmissible, but because it would circumvent attorney-client privilege). It follows that “privileged defence documents” (referred to above), i.e. documents containing information covered by attorney-client privilege, in principle would not constitute admissible evidence. (2) Evidence about a suspect – such as notes about an internal investigation – obtained during a lawful search of the company’s premises would in principle constitute admissible evidence, because prima facie there appear no procedural caveats that would be circumvented by this. However, it cannot be excluded that in a particular case such circumvention could be identified (e.g. in relation to the suspect’s privilege against self-incrimination), and hence such evidence would be rendered inadmissible.

Within the meaning of the above-mentioned Article 130 of the Criminal Procedure Law, only the privileged information located within the attorney’s office is protected. Such information located within the company or anywhere else is generally not protected.

3 Data collection – Investigating past violations

Companies have an interest in detecting and preventing the criminal activity of their members and may also search their email accounts for this purpose. However, the fact that these email accounts presumably do not contain any private data (e.g. because the company has prohibited its members from using their email accounts for private purposes) does not mean these email accounts may be searched without limitation. In other words, the searching of email accounts that are (or should be) used for business purposes only may infringe the members’ privacy rights. Therefore, to lawfully conduct the search as outlined above, certain requirements and limits must be met. First and foremost, there must be a concrete suspicion (konkreter Verdacht) against the individual member to justify the search. Moreover, a balance must be struck between the interest in maintaining the member’s confidentiality (Geheimhaltungsinteresse) and the company’s interest in control and access (Kontroll- und Zugriffsinteresse). Factors to be considered for the balancing test could include the severity of the alleged crime and whether the company itself is already being investigated for the alleged crime. This balancing of interests must be considered separately in each individual case. Furthermore, members should be generally informed of a potential search of email accounts within internal investigations (e.g. within the employee privacy policy).

Generally yes. However, under data protection laws and regulations, the definition of personal data is quite broad and includes any data based on which the identity of a person is determined or could be determined directly or indirectly (i.e. could also potentially include the business email address itself if the identity of a person could be determined based on it). Thus, if email itself would be considered personal data, and if any personal data would be reviewed by searching company-related data, the following should be complied with: (i) the affected members should be informed before the search of the company-related data is conducted and should consent to it in writing; (ii) the intention to perform an internal investigation should be notified in principle to the Bosnian Data Protection Authority (“BDPA”); (iii) notification on the created data records concerning the internal investigation would then need to be filed to the BDPA within 15 days of the creation of such data records; and (iv) limitations to data transfer abroad under 5.2 below should be observed. In addition, the collected company-related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access. The requirement to obtain the consent of the affected member may be waived only where the lawful rights and interests of the company do not conflict with the right of the affected member to protect his/her privacy and personal life. However, this balancing has to be considered separately in each individual case. Obtaining the consent of the affected members is recommended, as the BDPA’s practice is generally restrictive.

As in Austria.

Generally yes. A company must take into consideration the individual rights of an employee and limit the processing of employee data only when it is allowed by law, or if the processing is necessary for the sake of compliance with the rights and obligations arising from or in connection with the employment relationship. In the case of the collecting, processing or use of employee data or their disclosure to third parties for the sake of compliance with the rights and obligations arising from or in the connection with the employment relationship, the employer must determine, in advance, in its work regulations which data shall be collected, processed, used or disclosed to third parties for that purpose. Thus, an actual suspicion of criminal activity against individual employees is required to justify such a search on an individual basis. A balance of interests between the interest in maintaining an employee’s confidentiality on the one hand and the control and “access” interest of the company on the other must be made. With respect to business emails, such an interest on the part of the company might almost always be given. Nevertheless, this balancing of interests must be considered separately in each individual case. Although it cannot be regarded as a valid legal basis per se it would be advantageous if a prior approval by the affected members (e.g. within the employment contract) is obtained or if internal investigation methods are prescribed in detail by the company’s internal policies.

Decisions requiring a balancing of interests should involve the input of the Data Protection Officer (DPO). In addition, a Data Protection Impact Assessment (DPIA) might be required by a company (data controller) when the processing operations are likely to result in a high risk to the rights and freedoms of natural persons.

Yes, but only under certain circumstances.

The Czech Constitution (Bill of Rights) protects privacy and message secrecy, which also applies to all emails sent to or from work email addresses containing the employee’s name (e.g. klara.kiehl@schoenherr.at). Employees may not waive this protection in advance. This makes reading employee emails problematic, even with the employee’s prior consent.

However, if the employee grants consent subsequently (after the suspicion arises), his/her emails may be reviewed, particularly if the employee is given a chance to set the private email aside (not to be searched).

In addition, Czech employment law prohibits any monitoring of employees unless (a) the employer is monitoring compliance with prohibited private use, or (b) the scope of the employer’s activity, such as public security or large-scale financial transactions, constitutes a significant reason for such monitoring. Even in these cases, the monitoring must be adequate and proportionate. If one of these reasons is present, a number of messages and their addressees (senders) may be monitored, but according to the guidelines of the Czech Office for Personal Data Protection (the “Office”) the emails may not be opened.

Despite this legal uncertainty, opening work-related emails as part of internal investigations is common in the Czech Republic. Even the Office, during unofficial consultation, approved this practice as long as robust precautions are taken: (i) employees should not be allowed to use the employer’s communication equipment for private purposes; (ii) the privacy policy duly communicated to all employees should urge them to immediately delete any private emails received at their work email address; (iii) the privacy policy should inform the employees about the possibility of internal investigation and related disciplinary action; (iv) the suspicion directed against a specific employee should be well-founded and the search should be limited only to the relevant time period; (v) only suspicious emails based on a keyword search may be opened (in contrast, obviously private emails may never be opened); and (vi) as few investigators as possible, all of them bound by a confidentiality obligation, should be involved. To be on the safe side, however, a written guideline of the Office approving such an investigation practice would have to be issued (there is none).

Generally yes, given that i) the employee’s private life cannot be violated and ii) the employee should be notified beforehand about the technical means used for the surveillance.

Generally no. However, the company might be allowed to proceed as outlined in Example 1 if the intention to perform an internal investigation, i.e. searching email accounts with company-related data if criminal activity is suspected (i) is at least prescribed in the company’s internal acts / employment agreement or, ideally, the affected member has consented to the email search, and (ii) the member is informed prior to the search. However, due to loopholes in the data protection legislation and practice, it is recommended to notify the North Macedonian Data Protection Authority (“NMDPA”) prior to commencing the search.

Namely, under data protection laws and regulations the definition of personal data is quite broad and includes any data based on which a natural person is identified or identifiable (i.e. personal data could also potentially include the business email address itself if the identity of an affected member could be determined by it). Thus, if email itself would be considered personal data, and if any personal data would be reviewed by conducting the search of company-related data, the above requirements should be complied with.

Generally yes.
General conditions:
(a) the obligations in connection with the company related data are notified to the employee;
(b) consent is granted (e.g. at the conclusion of the employment agreement) by the employee in connection with the processing of the e-mail information.
The processing of e-mail data without the employee’s consent is to be assessed in each individual case.

Generally yes.

Under data protection laws and regulations the definition of personal data is quite broad and includes any data based on which the identity of a person is determined or could be determined directly or indirectly (i.e. could also potentially include the business email address itself if the identity of a person could be determined based on it). Thus, if email itself would be considered personal data, and if any personal data would be reviewed by conducting the search of company-related data, the following should be complied with: (i) the affected members should be informed before the search of their emails is conducted and should consent to it in writing; (ii) the intention to perform an internal investigation should in principle be notified to the Montenegrin Personal Data Protection and Free Access to Information Agency [Agencija za zaštitu ličnih podataka i slobodan pristup informacijama] (“MNDPA”); and (iii) the limitations to data transfers abroad noted under 5.2.

Finally, if the affected members have previously been informed (e.g. through corporate documents) that the company records and oversees their emails, and taking into account the purpose of the internal investigation, the MNDPA might not sanction the processing of the company-related data without the express consent of the affected member given for the purpose of the internal investigation. However, as the MNDPA’s practice is very restrictive, we cannot rule out the possibility that the MNDPA will consider the written consent of an affected member necessary for the search of company-related data. Moreover, the intention to perform an internal investigation should be notified to the MNDPA.

Yes, the company is permitted to proceed as outlined in Example Case I. Suspected criminal activity of members constitutes a justified reason to search email accounts of potential suspects, as it potentially leads to enforcement of claims arising out of the company’s business. In such a case, obtaining consent from the affected member is not mandatory.
The affected members should be informed that such a search may take place before using the email account altogether. It may also result from the company’s internal bylaws. If it is not the case, the affected member should be provided with the applicable information before the search begins.
All emails may be subjected to the search if use of the company email address has been restricted to professional purposes only.

If the case refers to the company’s employees there are specific regulations resulting from Polish Labour Law that must be observed.

Firstly, the company as an employer may conduct such a search (email monitoring) if it is necessary to ensure the organisation of work enabling full use of working time and proper use of work tools made available to the employee.

Such email monitoring may not, however, violate the confidentiality of correspondence and other personal rights of an employee.

The goals, scope and method of monitoring are laid down in the collective agreement or in the work regulations or notice, if the employer is not covered by a collective agreement or is not obliged to set work regulations.

The employer must inform the employees about the monitoring no later than two weeks before it begins.

There is a risk under Romanian law that this may be seen as a breach of the member’s right to private life, and as a criminal offence, if the consent of the relevant employees is not obtained or if the company cannot invoke a specific right to carry out such an investigation.

From a data protection perspective, e-discovery procedures such as the one described in Example I may be qualified as monitoring of an employee’s activity by electronic means of communication, which are typically carried out relying on the legitimate interest of the employer (as there is no other legal ground under Romanian law to carry out such an investigation). Such processing is subject to specific requirements under Romanian law, including:

  • the thorough justification of the employer’s legitimate interests through a data protection impact assessment (DPIA);
  • prior information to employees on the conduct of such an investigation;
  • prior consultation with the trade union/employees’ representatives;
  • evidence that less intrusive ways for reaching the same legitimate interest were not effective; and
  • the limitation of storage of the data obtained during the investigation to 30 days.

It is advisable that companies prepare the performance of such investigations by ensuring that the above requirements are met. If prior preparation is not completed, one-time investigations should be structured to ensure that they are not qualified as monitoring subject to the above requirements. In any case, prior information to the member in relation to the conduct of the investigation is essential.

Furthermore, this kind of monitoring must be approved by the senior management or relevant corporate body and should be performed for a limited period of time. Generally, investigations may be performed only further to a balancing test of the legitimate interest and the proportionate processing of personal data or to conducting a prior DPIA. Simple balancing tests may be used in the case of one-time investigations, while it is highly recommended to conduct a DPIA for general investigation practices. Although the legitimate interest in investigating business email accounts could be justified in the balancing test, the particular conditions of the member and his activity should be considered. Companies can also consider obtaining the member’s consent (at the risk of subsequent challenge to the validity of such consent by the member). In addition, internal company policies, including employee privacy notices, and employment documents should be checked to understand the company’s privacy-related rights and obligations/commitments towards its employees.

Particular attention must be given to circumstances where the investigation is made by, or at the initiative of, the shareholders of a company or other companies within the group. Disclosure of correspondence and other data to such third parties triggers their qualification as a data controller and the need that these third parties observe the general applicable privacy legislation requirements.

Generally yes. However, under data protection laws and regulations, the definition of personal data is quite broad and includes any data based on which the identity of a person is determined or could be determined directly or indirectly (i.e. could also potentially include the business email address itself if the identity of a person could be determined based on it). Thus, if email itself would be considered personal data, and if any personal data would be reviewed by conducting the search of company-related data, the following should be complied with: (i) the affected members should be informed before the search of the company-related data is conducted and should consent to it in writing; (ii) the intention to perform an internal investigation should in principle be notified to the Serbian Data Protection Authority (“SDPA”); (iii) notification on the created data records concerning the internal investigation would then need to be filed to the SDPA within 15 days of the creation of such data records; and (iv) limitations to data transfer abroad under 5.2 below should be observed. In addition, the collected company-related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access. For the time being, the listed requirements are mandatory, i.e. the Company should observe them to fully comply with the applicable data protection laws and regulations. Our response to this question will be up-to-date until the implementation of the new Serbian Data Protection Act (which has been modelled after and largely complies with the GDPR) on 21 August 2019.

Generally yes; however, companies must consider the individual rights of employees and further restrictions under employment law. As to the individual rights of employees, the most important restriction is that private letters (i.e. also emails) cannot be monitored. It is subject to discussion whether an employer is entitled to monitor the content of work emails or to monitor only basic information about the email, such as the sender, receiver and subject. Each case should therefore be assessed individually, taking into account its specific circumstances.
Under Slovak employment law, an employer is entitled to check the emails of an employee in the work email account only when it has a serious reason for monitoring related to the special nature of the employer’s business activities and must notify the employee in advance of such monitoring. Implementation of a comprehensive checking mechanism in this respect requires prior consultation with employee representatives.

Generally no. Activities in Example Case I (searching the employees’ emails for specific keywords and in particular the use of Surveillance Measures) may be seen as an (unlawful) review of the content of the employees’ emails, and, in turn, an (unlawful) interference with the right to privacy and the privacy of communication, safeguarded by the Constitution and the Criminal Code. According to case law, the said right extends to work correspondence as well as private emails.
Slovenian law does not clearly spell out the conditions for the lawful review of employees’ emails. According to (non-binding) guidelines of the Information Commissioner, the content of emails may only be lawfully retrieved:
(i) based on a court order;
(ii) in very rare, exceptional cases, where there is risk of immense damage being inflicted to the employer which cannot be prevented through any other (less-intrusive) measure, provided that the employee was acquainted in advance with the rare instances in which such actions may be taken by way of internal acts adopted by the employer;
(iii) in exceptional circumstances, based on an explicit voluntary consent (however, the voluntary nature of any consent given by employees to the employer is generally questioned by the data protection authority).

Q: Could a concrete suspicion against a Member concerning serious company related offences qualify as (ii) and thus lead to the admissibility of the search of Company Related Data without the prior written consent of this Member?

A: Generally, no – the concrete suspicion alone would not suffice; there would also have to be a serious risk of damage and the employee would have to be acquainted with the possibility of the review taking place (cf. (ii)). According to the opinions and guidelines of the Information Commissioner (NB: case law here is non-existent / extremely scarce), the review of employees’ emails is (almost) entirely limited to instances where it is conducted based on a court order. The existence of (exceptional) circumstances and fulfilment of other conditions for the lawful review of the employees’ emails should be carefully examined on a case-by-case basis. The suspicion of criminal activity alone does not automatically justify the review of the employees’ emails – the employer is generally deemed able to protect its interests by notifying its suspicions to competent authorities (who may adopt adequate measures – obtain a court order to examine email correspondence). Accordingly, there is a risk that Example Case I would constitute a breach of the constitutional right to privacy and privacy of communication.

Q: We understand that a suspicion of criminal activity alone does not justify the review of the employees’ company emails by the employer. The employer has rather to appeal to the authorities to review the employees’ mails with the involvement of the authorities. Could you please confirm/clarify our understanding? (Basically we would like to know, under what circumstances a company is permitted to review its Company Related Data.)

A: Correct – please also see above. The circumstances under which Example Case I would be permitted (according to the guidelines) are extremely limited. The unlawful interference with the employees’ emails may in some instances even trigger the criminal liability of the employer.

In addition to the above, various restrictions and requirements apply for the performance of video surveillance.

In line with the decisions given by the Supreme Courts of Turkey, an employer always has the right to inspect, with the aim as stated under Example Case I¹, an employee’s e-mails, electronic devices, mobile phones and computers directly given for the conduct of the related business. However, such documents, information and devices that do not relate to the business of the employer and only relate to the private life of the employee, cannot be searched by the employer (or by its auditor, etc) in any way, or else the employer could become liable for the violation of the “right of privacy” of the employee in the scope of Turkish Criminal Law, and the information obtained from such a search will be considered illegal evidence if used in a criminal proceeding.

No.

No.

No.

No.

No.

No.

No.

Yes, the probable cause (Ro. banuiala rezonabila) is defined as suspicion arising from the existence of certain facts and/or information that would convince an objective observer that an offence was committed or will be committed, and that no facts and/or information exists that would remove the criminal character of the fact.

No.

No.

No.

No.

No.

No.

No.

Yes. Felonies are intentionally committed criminal offences carrying a potential prison sentence of three years or more. All other criminal offences are misdemeanours. Although there is no direct impact on our answer under 3.1., the balancing of interests also depends on the gravity of the potential criminal offence. Generally, the company’s interest in conducting an internal investigation will increase with the severity of the criminal offence.

Yes. Applicable criminal acts in Republika Srpska and the Federation of Bosnia and Herzegovina define a felony as an act set forth by the law as a criminal offence, which is unlawful and committed with a guilty mind. On the other hand, Republika Srpska’s Misdemeanours Act defines a misdemeanour as an unlawful activity that violates public order or regulation on economic and financial businesses determined by the law or other regulation. The Federation of Bosnia and Herzegovina Misdemeanours Act defines a misdemeanour as a violation of law, public order or other public values that are not protected by the Criminal Act or other act regulating criminal offences.

Yes. A felony is an act dangerous to society (action or inaction), which has been committed intentionally and which has been declared punishable by law.
A misdemeanour formally contains the elements of a felony, but is not sanctioned, as it is not dangerous to society due to its insignificance.
Regardless of whether a suspected act may qualify as a felony or misdemeanour, the company would not be allowed to perform email searches, unless permitted by the employee.

The difference between a felony and a misdemeanour is only of a formal nature. Misdemeanours are minor violations of social values and the penalties are less severe than for felonies. Misdemeanours are prescribed in several regulations, whereas felonies are exclusively prescribed by the Criminal Code.

The balancing of interests also depends on the gravity of the potential criminal activity. Generally, the company’s interest in conducting an internal investigation will increase with the severity of the criminal activity.

Yes.
Misdemeanours are (i) all negligently committed criminal offences or (ii) intentionally committed offences with a maximum potential prison sentence of five years. All other criminal offences are felonies. Generally, there is no impact on our answer to question 3.1. when balancing misdemeanours and felonies.

Yes. Felonies are intentionally committed criminal offences with a potential prison sentence of two years or higher. All other criminal offences are misdemeanours. It has no direct effect on how emails may or may not be investigated; however, the more severe the offence, the higher the company’s interest in discovering the circumstances.

Yes. A felony is defined in the Criminal Act as an act which is set forth by the law as a criminal offence that is unlawful and whose characteristics are set forth in the Act. The Misdemeanour Act defines a misdemeanour as an unlawful act which is determined by law as a misdemeanour whose characteristics are described by law and which entails misdemeanour sanctions.

The Moldovan legislation distinguishes between crimes (Ro. infractiuni) and administrative offences (Ro. contraventii). Crimes are also classified into: (a) minor crimes (Ro. infractiuni usoare); (b) crimes of average gravity (Ro. infractiuni mai putin grave); (c) felonies (grave crimes) (Ro. infractiuni grave); (d) very grave crimes (Ro. infractiuni deosebit de grave); and (e) extremely grave crimes (Ro. infractiuni exceptional de grave).

The Montenegrin Criminal Code defines a felony as an act which is set forth by the law as a criminal offence, which is unlawful and committed with a guilty mind. The Misdemeanours Act defines a misdemeanour as an act violating public order as determined by law or by other regulation for which a sanction has been prescribed.

Yes. Felonies are intentionally committed criminal offences with a potential prison sentence of three years or higher. All other criminal offences are misdemeanours. There is no direct impact on our answer under 3.1.

The RCCP in force does not distinguish between general categories of offences, such as “misdemeanour” and “felony”. The only areas where such a distinction is made, depending on the seriousness of the offence, and where there is a specific definition of felonies, are the laws on organised crime and the protection of witnesses.

Yes. The Criminal Act defines a felony as an act set forth by the law as a criminal offence, which is unlawful and committed with a guilty mind. The Misdemeanours Act defines a misdemeanour as an unlawful culpably committed act provided for as a misdemeanour by law or another act of a competent body.

Yes, a misdemeanour is a criminal offence committed through negligence or intentionally with a potential prison sentence of up to five years. All other criminal offences are felonies. There are no possible implications to our answer under 3.1.

Yes. Felonies are criminal offences set out in the Criminal Code, and may be sanctioned with imprisonment. Misdemeanours are violations of law, set out in statutes other than the Criminal Code, which may only attract the imposition of fines or administrative measures (e.g. cessation of activity), but may not be sanctioned with imprisonment. Generally, there is no direct impact on the answer under 3.1.

Pursuant to Article 2 of the Turkish Misdemeanour Law, a misdemeanour means a civil wrong in which the related law foresees the application of an administrative fine or an administrative sanction to the detriment of the misdemeanant. Misdemeanours (like felonies) can be committed both intentionally and by negligence. Felonies, which have been regulated under the Turkish Criminal Law, have more serious sanctions when compared to misdemeanours, and both administrative sanctions and prison sentences can be applied in the event of a violation of law. Prison sentences applied to felonies can be as short as less than 30 days and can go up to a life sentence. The differentiation between a misdemeanour or a felony does not have a direct impact on our answer under 3.1. However, as explained under question 3.1 above, if an employer violates its privilege of searching the documents and devices of an employee and violates the relevant employee’s private life, the sanction that shall apply cannot be evaluated as a misdemeanour and the employer shall be liable for committing a felony.

The likelihood of an infringement of personality rights is much higher when searching company email accounts that contain private data. As outlined in our answer to question 3.1., the admissibility of such a measure requires (i) a concrete suspicion of criminal activity, and (ii) prevailing interests of the company within the balancing test (e.g. if the alleged crime could severely impact the company’s viability). In any case, the procedure in Example II requires a greater degree of diligence. The creation of a list of predefined keywords that are not related to private correspondence could be an appropriate measure to ensure that private emails are kept outside the scope of the search. The lawfulness of searching email accounts that contain private data must be assessed in each individual case. Again, members should be generally informed of a potential search of email accounts within internal investigations (e.g. within the employee privacy policy).

Generally yes, if the requirements under point 3.1. are complied with. Due to its restrictive practice, the BDPA could take a stricter stance towards the appropriateness of searching members’ private data. Thus, the company should observe the requirements under point 3.1. to be in full compliance with the applicable data protection laws and regulations, given that it cannot rule out with certainty that personal data will be processed during the internal investigation.

As in Austria.

Please see our answer under 3.1. above. The interest in maintaining an employee’s confidentiality on the one hand must be balanced with the company’s control and “access” interest on the other. Since private data is generally deemed “worthy of protection”, the level of the required justification for the company to access such data will be higher compared to company-related data. However, if the risk that private data could be affected by the search is reduced to a minimum and the possible offence could severely impact the viability of the company, such measures could be admissible. This always has to be assessed in each individual case. Again, it is advisable that the members give their prior written consent to the planned measure in each case or that internal investigation methods are prescribed in detail by internal policies.

Please keep in mind that decisions requiring a balancing of interests should involve the DPO’s input. Such processing operations are also most likely subject to the requirement for a DPIA.

See our answer to question 3.1., particularly the above-mentioned precautions.

The employee’s private life cannot be violated. Therefore, such emails cannot be subject to the investigation, i.e. cannot be read. If the company obtains private data without adequately informing the employee or obtaining the employee’s prior consent for its activities, such evidence may be deemed unlawfully obtained. When such evidence is presented before the court, it cannot be considered and should be excluded. On the other hand, if there is no other way of proving the relevant conduct, in exceptional cases the courts may decide to accept the evidence collected unlawfully if the general public interest in the case overrides an individual’s right to privacy.

The general prerequisites from our answer under 3.1. also apply here. However, since opening private data without the consent of the owner of the communication is a criminal act in itself (unless there is a warrant to open such communication), the company must obtain the prior consent of the affected member to access the member’s private data.

Generally yes.
The conditions indicated in 3.1 above are generally applicable. Also, the company’s vs. the employee’s interests are to be taken into consideration (i.e. there must be justification for the company to access the employee’s e-mails containing both company related data and private data).
The processing of the e-mail data without the employee’s consent is to be assessed in each individual case.

Generally yes, if requirements under point 3.1. are complied with.

Due to its restrictive practice, the MNDPA could take a stricter stance as regards the appropriateness of searching members’ private data. Thus, the company should observe the requirements under point 3.1. to fully comply with the applicable data protection laws and regulations, given that it cannot exclude with certainty that personal data will be processed during the internal investigation.

The prerequisites as specified in point 3.1. apply accordingly. Additionally, the company must safeguard that private emails are excluded from the search. Moreover, the employer shall stop reading if it stumbles across a private email of an employee.

In this particular case, the chances to breach the right to private life are higher, considering the possibility of the member to use the email accounts for private purposes. Internal company policies, including the employee privacy notices, and employment documents should be checked to understand the company’s privacy-related rights and obligations/commitments towards its employees. Also, the increased likelihood of the presence of private correspondence in the examined emails should be accounted for in the balancing test of the legitimate interest or in the relevant DPIA. Considering the risk of breaching the right to private life, the keywords used for the investigation should be chosen carefully so the search is as little intrusive as possible. However, the member may claim the breach of its right to private life and prove that such a breach was more important than the result of the investigation. To diminish the possibility of such a claim, the consent of the relevant members should be obtained prior to the investigation (at the risk of subsequent challenge to the validity of such consent by the member).

Generally, yes, if the requirements under point 3.1. are complied with. Due to its restrictive practice, the SDPA could take a stricter stance as regards the appropriateness of searching members’ private data. Thus, companies should observe the requirements under point 3.1. to fully comply with the applicable data protection laws and regulations, given that they cannot rule out with certainty that personal data will be processed during the internal investigation.

Please see our answer under 3.1. above. An employer is not entitled to access the private data of an employee.

Generally no. See answer under 3.1. above.

In the scope of a recent decision of the Constitutional Court dated 10 May 2016, the Court decided that it is possible to review the private data present in the work e-mails of employees, if the relevant employee has signed the internal regulations of the company, which are considered to be a part of employment agreements. Such application means that the relevant employee has been sufficiently informed of the general principles of the related business. Therefore, if such an internal investigation conducted by the employer has (i) a legitimate aim and if the review is (ii) proportional with the aim of the investigation, then the personal information reviewed in the corporate e-mails during an internal investigation is considered to be legal. Thus, if the presence of personal correspondence and personal data has been openly prohibited via the above-mentioned internal regulations of the company, such personal data obtained as a result of the internal investigation will not be considered a breach of the right of privacy.

The surveillance of private emails is generally prohibited. However, if clarifying the suspicion is deemed highly relevant for the viability of the company and the keywords actually focus on this concrete suspicion (and are thus not too “broad”), the company can be permitted to process such data. In any case, such an assessment highly depends on the actual circumstances of the case.

The general conditions outlined in our answer under point 3.4. apply here as well. In particular, the employees should be informed before the private data search is conducted and should consent to the search in writing, as the BDPA may interpret that the right to privacy of the affected member overrules the rights and interests of the company to investigate a potential crime by searching private data. In addition, to mitigate concerns under data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that email addresses could also be considered personal data, the mere review of such email addresses is an act of data processing and generally requires the prior notification and consent of the members / data subjects (as well as compliance with other requirements under point 3.1.). To further mitigate the risk of accessing private data, the relevant employees should also be offered to disclose private email domains to be excluded from the private data search.

As in Austria.

The surveillance of private emails is generally prohibited. If clarifying the suspicion is deemed highly relevant for the viability of the company and the keywords actually focus on this concrete suspicion (and are thus not too “broad”), the company can be permitted to process such data. However, such an assessment highly depends on the actual circumstances of the case.

As outlined above, the surveillance of private emails is generally prohibited. If a keyword search confirms that a certain private email contains business-related criminal evidence, to be on the safe side the Czech police should be contacted to follow up on the investigation.

The surveillance of emails related to private life is prohibited. However, there might be a case where the surveillance is deemed crucial for the company’s interests. If such evidence is used before the authorities, the authorities may exclude it if they find that it has been illegitimately collected.

The general conditions outlined in our answers to 3.1. and 3.4. above apply here as well. The company must in principle obtain a warrant or the consent of the member to access the members’ private data. To mitigate concerns under the data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that the email address could also be considered personal data, the mere review of such an email address is an act of data processing and requires prior notification to the NMDPA and, ideally, the consent of the affected members / data subjects.

Processing of employee’s private data (personal data) without the employee’s consent is generally prohibited. (eg company’s legal obligation, company’s interests vs. employee’s fundamental interests, rights and liberties, etc).

The general conditions outlined under 3.1. above apply here, too. In particular, employees should be informed before the private data search is conducted and should consent to the search in writing. Furthermore, to mitigate concerns under data protection laws, private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that an email address could also be considered personal data, the mere review of such an email address is an act of data processing and requires prior notification and consent of the members / data subjects (as well as compliance with other requirements under point 3.1.). To further mitigate the risk of accessing private data, the relevant employees should also be offered the opportunity to disclose private email domains to be excluded from the private data search.

Private data may not be searched or processed under Polish law. However, if private emails, private correspondence and the like also contain company related data, the searching and processing of such data may be permitted according to the prerequisites under point 3.1.

Searching and processing of private data may be permitted according to the prerequisites under point 3.1.

Data obtained as a result of monitoring employees may be processed for a maximum of three months from the date of their acquisition, unless they constitute or may constitute evidence in proceedings conducted under the law.

Only persons authorised to process private data will have access to materials from the emails. The above-mentioned persons will be obliged to keep these data and materials confidential.

The surveillance of private emails is generally prohibited. If the legitimate interest balancing test or relevant DPIA is successful as to justify the legitimate interest, the company may proceed with the search based on specific and objective keywords that should avoid results leading to potential breaches of private life. Considering the possibility of the member to use the email account for private correspondence, the opportunity of such a case should be decided on a case-by-case basis. In practice, companies usually ask their employees to exclude private emails from the scope of the search to diminish the risk of accessing private correspondence.

The general conditions outlined under point 3.4. above apply here as well. In particular, the employees should be informed before the private data search is conducted and should consent to the search in writing. Furthermore, to mitigate concerns under data protection laws, the private data should (as far as possible) be excluded from review by applying a keyword list targeted to the suspicion of criminal activity. However, as there is a risk that an email address could also be considered personal data, the mere review of such an email address is an act of data processing and requires prior notification and consent of the members / data subjects (as well as compliance with other requirements under point 3.1.). To further mitigate the risk of accessing private data, the relevant employees should also be offered the opportunity to disclose private email domains to be excluded from the private data search. Our response to this question will be up-to-date until the implementation of the new Serbian Data Protection Act (which has been modelled after and largely complies with the GDPR) on 21 August 2019.

Monitoring of private emails is generally prohibited. We believe this also covers private data of members. Please see our answer to 3.1. above.

See answer under 3.1.

Please see our answer to question 3.4 above.

A company may request prior general approval within the employment contract or specific case-related consent. The more severe the intrusion into the privacy of the member during an internal investigation, the less likely “general consent” within the employment contract can be regarded as consent for the measure in question. If sensitive personal data will be processed during an internal investigation, the member should explicitly approve such measures.

Be advised that employee consent under labour law (e.g. within working rules) may not meet the requirements of valid consent under the data protection laws.

Due to the loopholes in data protection legislation and practice and the BDPA’s tendency to interpret the applicable rules restrictively, it is recommended that the members consent in writing to a specific internal investigation, i.e. an internal investigation caused by a specific suspicion of criminal activity. Although the “general” consent (e.g. given in an employment contract or an internal act of the company for the purpose of any past or future internal investigation) is not prohibited by the applicable laws and regulations, the BDPA may interpret the purpose of the general consent given for the aim of any internal investigation as not being sufficiently specific.

As in Austria.

A company may request such a prior approval within the employment contract, internal policies or with a specific request. However, the more severe the intrusion into the member’s privacy during an internal investigation, the less likely that a “general consent” within the employment contract and/or company’s internal policies (e.g. working regulations, IT security policy) can be regarded as consent for the measure in question. If highly personal data will be processed during an internal investigation, the member should explicitly approve such measures.

See our answer to question 3.1. A company may request such a prior approval within the employment contract or working rules and this is recommended. However, employees may challenge investigations carried out solely based on such consent, especially if the other precautions are not taken.

Upon prior notification of the employees (or the acceptance of a relevant internal policy), a company may look into the employees’ emails at any time but may not access ones related to the employees’ private life. The employees’ privacy in any case cannot be violated.

Employees’ emails may only be searched if the employees were notified of this in advance. These provisions are usually stipulated in the employment contract, but the employer may notify the employees by means of the working rules (internal policies) provided that they were appropriately published in a customary and commonly known way.

Due to loopholes in the data protection legislation, it is recommended that (i) members’ consent to a search of their email accounts during an internal investigation be given at least in an employment agreement or an internal act (such as working rules) of the company for the purpose of any past or future internal investigation (“general consent”) and (ii) members be notified prior to the search of their email.

However, due to the NMDPA’s inconsistent practice, there is still a risk that the NMDPA may interpret the purpose of the general consent given for the purpose of any internal investigation as not being sufficiently specific and may ban the search of private data without the specific consent of the affected member.

Generally, consent granted by the employee upon employment (eg inserted as a clause in the employment agreement or as a separate document) with regard to the processing of the employee’s personal data (including e-mail content) is sufficient for the processing of the e-mail’s content during an internal investigation.
However, the sufficiency of such preliminary consent is to be assessed at any time as regards the Company’s vs. the employee’s interests.

Due to loopholes in the data protection legislation and practice as well as the tendency of the MNDPA to interpret the applicable rules restrictively, it is recommended that members consent in writing to a specific internal investigation, i.e. an internal investigation caused by a specific suspicion of criminal activity. Although the “general” consent (given in an employment agreement or an internal act of the company, such as the working rules, for the purpose of any past or future internal investigation) is not prohibited by the applicable laws and regulations, there is a risk that the MNDPA may interpret the purpose of the general consent given for any internal investigation as not being sufficiently specific.

The company may do so. Such general consent would not extend to private data.

An employee may waive the right to confidential private correspondence. For this purpose, he or she should submit an express declaration of consent to the employer in writing. The employer will then be entitled to monitor the employee’s private email.

A company may request the prior consent of its members to perform this kind of search by way of the employment agreement. However, as mentioned above, the validity of such consent is questionable, as it can be argued that it was not freely given, considering the subordination and the authority of the company, and not specific enough.
Even if such consent is given upon signing the employment agreement, considering the intrusive character of the investigation, specific consent should be obtained. Again, there is a risk of invalidity of such consent for the same reasons.

Due to loopholes in the data protection legislation and practice as well as the SDPA’s tendency to interpret the applicable rules restrictively, it is recommended that members consent in writing to a specific internal investigation, i.e. an internal investigation caused by a specific suspicion of criminal activity. Although the “general” consent (e.g. given in an employment contract or an internal act of the company, such as the working rules, for the purpose of any past or future internal investigation) is not prohibited by the applicable laws and regulations, there is a risk that the SDPA may interpret the purpose of the general consent given for the purpose of any internal investigation as not being sufficiently specific. Our response to this question will be up-to-date until the implementation of the new Serbian Data Protection Act (which has been modelled after and largely complies with the GDPR) on 21 August 2019.

Yes; however, an employee must be informed of each case of monitoring separately, unless the monitoring will be carried out on a permanent basis, when it is recommended to adopt internal guidelines in this respect and to inform employees of these guidelines (see our answer under 3.1.).

A company may request such a prior consent; however, the voluntary nature of any consent given by employees to the employer is generally questioned by the data protection authority. This applies if the consent is obtained along with the employment contract or in the working rules. Accordingly, procuring consent in a separate document is advised and the consent should be as specific as possible (e.g. should specify all contemplated activities). Such consent may be withdrawn at any time.

Yes, please see our answer to question 3.4 above. The presence of such consent obtained via the internal regulations as part of employment agreements or obtained before an internal investigation is highly recommended in order to prevent any kind of breach of law (especially breaches of the right of privacy).

4 Interviews

Generally no. The works council may attend the interview only if the employee consults the works council and demands to participate in the interview.

Generally no.

Generally no. However, if there is a collective bargaining agreement that provides for extended rights for information and consultation, it should be reviewed whether the subject matter of the interview would fall within the scope of such rights.

Generally, yes. The collecting, processing or use of employee data or their disclosure to third parties will trigger the works council’s co-determination right under Croatian labour law. Consequently, if a company wishes to carry out the internal investigation, including interviews, it might be required to obtain the prior approval of the works council. Therefore, the company must be sure to involve the works council at an early stage and try to obtain its consent.

Generally, no approval of employee representative bodies is required by law for the interview. For the sake of completeness, the collective bargaining agreement (or other arrangement) may establish information/consultation/approval requirements.
Upon request of the employee, the respective member(s) of the employee representative body may be present at the interview.

Generally no. However, a separate agreement with the works council may provide for such approval.

Generally no.

Generally no.

Generally no.

There is no such obligation resulting from the regulations binding in Poland. It might result from the company’s internal bylaws.

Generally, no. The internal regulations or collective bargaining agreement (if any) should be checked for specific rules. Member(s) may also seek the assistance of the trade union representative in such an interview.

See, however, in paragraph 3.1. above the need to consult with the employees’ representatives in relation to the conduct of investigations that qualify as monitoring activities conducted via electronic means of communication.

Generally no.

Generally, no approval of employee representative bodies is required by law for the interview. For the sake of completeness, the collective bargaining agreement (or other arrangement) may establish information/consultation/approval requirements.

Generally no. However, adoption of general acts of the employer referring to the interview (e.g. outlining the purpose, procedure) may in some instances trigger the requirement to obtain a prior opinion of the trade unions.

Generally no. However, a board of directors resolution could be adopted just to be on the safe side and to prevent future objections.

The admissibility of an interview – specifically whether the interviewed person is obliged to answer the questions – again depends on the balancing of interests between the affected person and the company. On the one hand, the person has an interest in avoiding self-incrimination, which has to be regarded by the company as well. On the other hand the company wants to clarify the suspicion which can be crucial for the viability of the company. Therefore, the company may in fact be required to inform the interviewee about the interview and the suspicion to assess whether the interviewed person’s interests prevail over those of the company to conduct the interview. Such an information obligation could also arise out of the employer’s general duty of care.

Under the applicable data protection laws and regulations, a member must be informed by the interviewer about: (i) the purpose of the interview; (ii) the interviewer’s identity, body and/or third party which will have access to the data; (iii) the consequences if the member refuses to consent to an interview; (iv) the legal basis or willingness to provide information and processing; (v) the situations in which the member has the right to refuse the interview; and (vi) whether the personal data collected during the interview can be accessed and corrected.

As in Austria. In addition, if the interview is recorded in any way, the interviewed member must be informed beforehand. Also, no discriminatory actions can be undertaken against the member.

The admissibility of an interview – specifically whether the interviewed person is obliged to answer the questions – again depends on the balancing of interests between the affected person and the company. On the one hand, every person has an interest in avoiding self-incrimination, which must be regarded by a company as well. On the other hand, a company wants to clarify any suspicion which could be crucial for its viability. Therefore, a company may in fact be required to inform the interviewee about the interview and the suspicion to assess whether the interviewed person’s interests prevail over those of the company to conduct the interview. Such an information obligation could also arise out of the employer’s general duty of care.

In principle there is no statutory obligation that the employer should provide specific information before commencing the interview under labour or criminal laws. However, we believe that from a moral and ethical standpoint it would be desirable to inform employees of the potential criminal law implications.
Generally, the admissibility of an interview – specifically whether the interviewed person must answer the inquiries – depends on the balancing of interests between the affected person and the company. On the one hand, the person is interested in avoiding self-incrimination (which the company must respect); on the other hand, the company wants to clarify a suspicion which can be crucial for its viability. Therefore, the company may also be required to inform the interviewed person about the topic of the interview and the suspicion to assess whether the interviewed person’s interests prevail over the interests of the company in conducting the interview.

Hungarian law in general respects the concepts of both presumption of innocence and the prohibition of self-incrimination. Therefore, the company acts properly if it respects the said concepts and informs the interviewed person that their testimony might be used before the authorities. The authorities might exclude evidence if they find that it has been illegitimately collected.

Unless the member is already aware of it, the company must provide the member with the following information prior to the interview: (i) the identity of the data controller; (ii) the purpose of processing; (iii) the recipients or categories of recipients of personal data; (iv) whether answering the questions is compulsory; (v) the possible consequences of not answering questions; and (vi) the right to access personal data and the right to correct it.

The Moldovan Labour Code is not specific in this respect, ie it does not provide for the Company’s (employer’s) obligation to provide to the employee any preliminary information. It is, however, indicated that the employee has to be granted the possibility to provide any proofs and justifications. In other words, we cannot exclude an interpretation, pursuant to which such employee’s right to provide any proofs and justifications is violated if no information was provided to him/her in connection with the internal investigation.

The member must be informed by the interviewer about: (i) the interviewer’s identity, or the name and address of the company, or the identity of the other person who is responsible for data processing in accordance with the law; (ii) the purpose and the legal grounds for collecting and further processing the data (e.g. if known at the time that it could be used in criminal proceedings against another person); (iii) the user of the data and the legal grounds for giving the data for use; (iv) whether giving the personal data is mandatory or voluntary and the possible consequences of refusal to give it; and (v) the right to access the data and the right to request amendment of inaccurate data.

There are no particular obligations in this respect resulting from the regulations binding in Poland.

Generally, no (if the investigation is not structured as a disciplinary investigation under labour law). The company must observe all rights of the member. In this respect, the company should inform him about the subject of the interview and the possible consequences of the investigation.

Under the applicable data protection laws and regulations, a member must be informed by the interviewer about: (i) his/her identity, or name and address or company, or the identity of the other person who is responsible for data processing in accordance with the law; (ii) the purpose of collecting and further processing the data; (iii) the use of the data; (iv) the identity of persons or categories of persons using the data; (v) the legal basis or willingness to provide information and processing; (vi) the right to revoke consent to the processing, as well as the legal consequences thereof; (vii) the rights of the person in case of unauthorised processing; and (viii) other circumstances the withholding of which from a data subject or third party would be contrary to conscientious treatment. Our response to this question will be up-to-date until the implementation of the new Serbian Data Protection Act (which has been modelled after and largely complies with the GDPR) on 21 August 2019.

Generally no, but it is advisable to inform the employee about the purpose of the interview as well as their rights and the potential consequences.

An information obligation towards the interviewee may arise from the employer’s general duty of care towards the employee (and, as a precaution, from the general prohibition of mobbing/harassment at the workplace). In particular, the employee should be made aware of the purpose of the interview and that the interview notes may be used in subsequent criminal proceedings.

The company does not have to provide the interviewed person with any specific information, if (as explained under point 3.4 above) the interviewed person has been informed, via internal regulations as a part of employment agreements, (i) about the general scope and (ii) the possibility of the interview notes being used in criminal proceedings. If such information has not been provided in internal regulations, it is advisable to inform and obtain the written consent of the interviewed person prior to the interview, in order to use such interview notes as criminal evidence.

Generally no. However, it may be advisable to assess data protection implications before the interview to ensure that the collected information can be subsequently processed in line with applicable laws.

Generally no.

Generally no.

Generally no. However, an employer, the DPO or any other person to whom the employee’s personal data are revealed in the course of his/her duties must permanently keep the confidentiality of that data. It is therefore of crucial importance that the company’s personnel, DPO and anyone else who has access to personal data about employees during an internal investigation be placed under a strict duty of professional secrecy and sign a declaration of confidentiality.

Generally, no. It is recommended, however, that any discussions with the employee that may impact the employer be carried out in the presence of at least two of the employer’s representatives who will subsequently draw up and sign minutes of the meeting.

Generally no. Practically, however, drawing up minutes of the interview is desirable.

Generally no.

Generally no (except those indicated in 4.1. above).

Generally no.

Only persons authorised by the company to process the member’s personal data should participate in the interview. There are no other particular obligations in this respect resulting from the regulations binding in Poland.

Generally, no, save if the interview is conducted in the context of a disciplinary investigation, where some labour law specific requirements must be observed, such as observing the member’s right to be assisted by a lawyer.

Generally no.

Generally no; however, it is recommended that any discussions with the employee that may impact the employer be carried out in the presence of at least two of the employer’s representatives, who will subsequently draw up and sign minutes of the meeting.

Generally no.

Generally no.

5 Sharing of information gathered by internal investigations within the company network

Based on its legitimate interest, a company may share information within its national network as long as there are no prevailing interests of the data subjects. If information sharing is prohibited, it must be strictly limited to the extent necessary for the pursued purpose and must comply with the data protection principles (such as data minimisation and purpose limitation). This means that access to such data must be restricted on a need-to-know basis. Depending on the sensitivity of the shared data, e.g. if the gathered information reveals the identity of the data subject who was allegedly involved in the criminal activity, the requirements will be more or less strict. In any case, if and to what extent such information may be shared must be assessed in each individual case.

A company may generally share the information within its national network as long as the concerned member gave his/her consent to the company’s national network using the data. Furthermore, the collected company-related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access.

As in Austria.

A company may generally share the information within its national network as long as there are no prevailing interests of the affected persons contradicting such a transfer and access by unauthorised persons to the data is prevented (e.g. leak of sensitive personal data of members to unauthorised persons). As a rule, personal data may be transferred to third persons only if necessary for the sake of compliance with rights and obligations stemming from the employment relationship, while such a transfer must be envisaged by the internal employment regulation.

There is a strict limitation if the information relates directly to the employee. In such a case, the employer may only provide information relating to evaluation of the employee’s work, the employee’s qualifications and abilities, and matters relating to work performance. Other information may be provided only with the employee’s consent.

Generally, a company is free to share the information within its national network, as long as no prevailing interests of the affected persons contradict such sharing (e.g. violation of personality rights).

A company may generally share the information within its national network as long as the member concerned is informed that the national network of the company will use the data. In addition, the collected company-related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access, especially when sharing special categories of personal data through electronic telecommunications networks.

General conditions:
(i) consent is granted (eg upon the conclusion of the employment agreement) by the employee in connection with the processing of the e-mail information;
(ii) protection of the employee’s collected personal data is ensured.

A company may generally share the information within its national network as long as the member concerned is informed that the company’s national network will use the data (this notification must be made before giving the consent for processing).

It is possible that the company shares the information within its national network. The information should be shared based on the written agreement setting the scope of information transferred and the purpose of its processing. The recipient of the information must observe technical and organisational requirements as specified in the applicable regulations.

The company may generally share the information gathered in an internal investigation within its national network (employees at the national level who need the information strictly for the purpose of such an investigation), with the rights of the members observed at all times during such transfer of data (the fundamental rights of the affected person, as well as the rights provided by the data protection authority).

If data is shared to other companies within the network, and if such companies act as data controllers in relation to the received personal data, they must observe the general requirements of the applicable privacy legislation in terms of data processing (including, without limitation, the obligation to inform members in relation to the processing of data that they conduct following receipt of the information).

A company may generally share the information within its national network as long as the member concerned (i) is informed that the company’s national network will use the data and (ii) gave his/her consent to such sharing. Furthermore, the collected company-related data should be adequately protected from abuse, destruction, loss, alteration or unauthorised access.

Companies must comply with data protection rules in this respect, mainly to obtain the prior consent of the data subject to such a transfer, should it not qualify as personal data processing based on protection or rights and obligations of the employer. Certain personal data (such as birth registration number) cannot be transferred at all.

Generally, a company may share the information within its national company network. Insofar as such information includes personal data, the company should either fully anonymise all personal data or verify that an adequate legal basis for the transmission of such data under data protection laws is established (e.g. the company holds legitimate interests for the transmission, which override the interests/rights of the data subjects in question).

A company may generally share information gathered by an internal investigation within its national company network; however, if the gathered information includes private data of employees, then such information relating to private life cannot be shared within the national company network, unless such sharing has been explicitly permitted by the relevant employee. Notwithstanding, personal data may be processed without obtaining the explicit consent of the data subject if: (i) it is expressly permitted by any law; (ii) it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent; (iii) it is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract; (iv) it is necessary for compliance with a legal obligation which the controller is subject to; (v) the relevant information is revealed to the public by the data subject himself/herself; (vi) it is necessary for the institution, usage or protection of a right; (vii) it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed. Furthermore, personal data not relating to the health and sexual life of the data subject may be processed without the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorised institutions and organisations.

See our answer to 5.1. The company should generally consider the local laws to assess the possible consequences of such a transfer and if the transfer to a foreign entity would be lawful. If the foreign entity is outside the EU, the company must ensure compliance with the principles for transfers of personal data to third countries as set out in the GDPR.

The cross-border transfer of personal data is generally allowed, under certain conditions. Article 18 of the Bosnian Personal Data Protection Act provides that personal data may be transferred to a third country if that country applies an adequate level of personal data protection.

The BDPA has issued an opinion in which it states that countries that are parties to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data have an adequate level of personal data protection. Thus, no approval is required from the BDPA for the cross-border transfer of personal data into countries that are parties to the Convention; otherwise, the BDPA’s approval would be required.

As in Austria.

See our answer to 5.1.

See our answer to question 5.1.

Generally, the same applies as in the case of question 5.1.

Generally, data gathered by internal investigation may be transferred from North Macedonia to an EU or EEA Member State. The NMDPA should be informed prior to the intended data processing, including the data transfer.

Information gathered by internal investigation may be transferred from North Macedonia to a non-EU country (i) if the non-EU country provides an adequate level of data protection upon the NMDPA’s assessment of the adequacy level (“Adequacy Decision”); (ii) without the Adequacy Decision, if the specific conditions set out in the data protection legislation are fulfilled; and (iii) in case the non-EU country does not provide at least the same level of data protection as in North Macedonia, then the transfer would be subject to provision of proper guarantees for the protection of the personal data, rights and freedoms of the data subject. In all these cases, however, the transfer is subject to the NMDPA’s approval.

General conditions:
(i) consent is granted (eg upon the conclusion of the employment agreement) by the employee in connection with the processing of the e-mail information;
(ii) protection of the employee’s collected personal data is ensured;
(iii) transborder transfer of personal data was authorised by the Personal Data Authority.

Data may be transferred from Montenegro abroad with the consent of the MNDPA, and to another country without the MNDPA’s approval only in exceptional cases prescribed by law.

Please see our answer to 5.1.

Data controllers who are part of a company’s network should consider cooperation in the field of administering personal data. The specificity of such a relationship lies primarily in the fact that the administrators jointly set goals and methods of processing, and jointly implement the obligations arising from the regulations and undertake the processing procedure. Therefore, there is no sharing of data between these entities, because they process the data jointly, within the set goals.

Joint controllers shall, by means of joint arrangements, clearly define their respective responsibilities regarding the performance of their obligations under the GDPR.

The essential content of the arrangements is made available to the employees.

The employee, however, may exercise his or her rights resulting from the GDPR to each of the administrators, irrespective of the arrangements between them.

The information gathered in an investigation procedure generally may be shared with foreign entities within an international network, basically according to the same conditions as in point 5.1. above. If the receiving companies act as data controllers in relation to the received personal data, they must observe the general requirements of the applicable privacy legislation in terms of data processing (including, without limitation, the obligation to inform members in relation to the data processing that they conduct following receipt of the information).

Transfers made outside the EEA are subject to formalities under the applicable privacy legislation, including, without limitation, transfer to jurisdictions for which the European Commission has issued an adequacy decision, or transfers based on standard contractual clauses or binding corporate rules.

Data may be transferred from the Republic of Serbia to a state signatory to the Council of Europe’s Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data.
Data may be transferred from the Republic of Serbia to a state that is not a party to the Convention if a level of data protection in that state is in accordance with the Convention. The SDPA’s approval of the data transfer to a state that is not a party to the Convention is required.

Our response to this question will be up-to-date until the implementation of the new Serbian Data Protection Act (which has been modelled after and largely complies with the GDPR) on 21 August 2019.

Please see our answer to 5.1. In the case of cross-border transfer of personal data, the employer must comply with the rules for such transfers depending on the country to which the data will be transferred.

See our answer to 5.1. Additional requirements apply if information gathered is transferred outside the EU/EEA.

A company may generally share information gathered by an internal investigation within its national company network; however, if the gathered information includes private data of employees, within the meaning of Article 9 of the Law on the Protection of Personal Data, personal data shall not be transferred abroad without the explicit consent of the data subject. For exemptions of this regulation, please see point 5.1. above.

6 Corporate criminal responsibility

Yes.

Yes.

No. Only natural persons can bear criminal liability. Companies can only bear administrative liability (i.e. sanction or remedy measures).

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes, for selected offences enumerated in the Slovak Act on Criminal Liability of Legal Entities (Act No. 91/2015 Coll., as amended).

Yes.

No; however, security measures, such as seizure of property and cancellation of operating permit, can be taken against legal entities.

Yes.

Yes.

Yes. Leniency can apply in competition or for certain crimes in criminal proceedings.

Yes.

Yes.*

*For the purpose of this questionnaire, we distinguish between the Leniency Programme of the Czech Competition Authority and other types of leniency programmes. For details, please refer to the answer to question 6.3 below.

In case of companies, no; in case of natural persons, yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes.

Yes, but not necessarily dependent on cooperation but rather on restoration of damage caused (see 6.3. for details). In general, the cooperation with authorities may also serve as a tool to moderate sanctions to be imposed on a company (see 6.3. below).

Yes.

Yes, but mostly for competition-related disputes.

The Austrian leniency programme basically requires a voluntary, significant contribution by a perpetrator to clarifying the facts of a case in due time. The application of the leniency programme further depends on the perpetrator’s level of participation with respect to the crime and whether the offered information is new for the authorities. In any case the application highly depends on the circumstances of the individual case.

Under the applicable laws, cooperation with public authorities is (i) a mitigating factor that a judge can take into account when determining the fine, and (ii) a condition for relief from criminal liability. Thus, if (i) a managing or supervisory body of the company voluntarily reports a criminal act, the company’s punishment may be mitigated, and (ii) if the managing or supervisory body of the company decides to return the unlawful gain / remove the damage / provide a justified report on the liability of another legal entity, the company may be exonerated.

The Bulgarian leniency programme basically applies to competition cases and to a limited number of crimes. For competition cases, the company’s voluntary cooperation may give it an advantage. In criminal proceedings, however, since companies do not bear criminal liability, the company’s cooperation basically favours only its employees.
Regarding competition cases, the principle is that one company is given the opportunity to be granted immunity from sanction for its participation in a secret cartel and this is the first undertaking which confesses to the competition authority involvement in a secret cartel and provides the required information and evidence. So far no company in Bulgaria has applied for leniency for participation in a cartel.
Leniency is also provided in the Criminal Code, where for some crimes full release of liability is provided. For instance, a person who has bribed another person/company will be released from liability if the briber has immediately and at their own initiative informed the authorities about the bribe. Also, a person involved in an organised criminal group who voluntarily gives himself up and discloses everything he knows about the group before a crime is committed by this person or group is released from liability.
In other criminal proceedings, cooperation with the authority would be considered a mitigating factor.

A company that notifies the authorities about a felony of its member – before its revelation or before the company finds out that the authorities have already uncovered the felony – may be exempted from punishment. Ultimately whether such a company is exempted or a more lenient punishment (than prescribed by law) is applied depends on the circumstances of the case.

Generally, the leniency programme of the Czech Competition Authority requires a voluntary significant contribution by the breaching company to the clarification of the facts of the case. Depending on the extent and timing of the information provided, the leniency programme allows the Czech Competition Authority to grant the voluntarily cooperating company either (i) full immunity from the imposition of an administrative fine, or (ii) the possibility to reduce the administrative fine. Based on a successful leniency programme application, Czech Act No. 40/2009 Coll., Criminal Code, allows for exculpation from a criminal offence consisting in the conclusion of a prohibited price-fixing agreement, division of a market or another agreement distorting competition. Such exculpation is, however, only available to natural persons.
The Criminal Code and Act No. 141/1961 Coll., Code of Criminal Procedure, both recognise the concept of a cooperating accused person (in Czech: spolupracující obviněný). Generally, in criminal proceedings the public prosecutor may designate the accused person as a cooperating person if the accused person contributes significantly to clarifying the facts of the case, confesses to having committed a crime and agrees to be designated as a cooperating accused person. Such cooperation may be deemed an extenuating cause and result in lower penalties being imposed. In each case, this concept applies only to the investigation of crimes committed by members of an organised group, in conjunction with an organised group or in favour of an organised criminal group.* The public prosecutor may only designate natural persons as cooperating persons.
In addition, Act No. 418/2011 Coll., on Criminal Liability of Legal Entities, recognises the concept of “effective regret” (in Czech: účinná lítost). This means that the criminal liability of a legal entity ceases to exist if the legal entity voluntarily refrains from further infringement, and (i) eliminates the danger, prevents the harmful effects of the offence or remedies the harmful consequences of the offence; or (ii) notified the prosecutor or police authority about the offence at a time when the danger could have been eliminated or the harmful consequences of the offence could have been prevented.
Finally, the Act on Criminal Liability of Legal Entities provides for the possibility of a legal entity to exculpate itself from criminal liability if it proves that it has made every effort that may be reasonably expected to prevent the commission of a criminal offence by a person associated with the legal entity. It is not yet clear what “every effort that may be reasonably expected” means. Currently, it is fair to conclude that the legal entity must implement a compliance programme and actively ensure that its employees and management adhere to it.

*An organised criminal group means an association of no less than three criminally liable persons with an internal organisation structure comprising division of functions and tasks focused on systematic intentional criminal activity.

Leniency may only apply to natural persons in certain circumstances. It basically requires a voluntary, significant contribution to clarifying the facts of a case in due time (most probably right before it has been committed) and requires that the perpetrator applying for leniency takes every possible step to avoid or at least minimise the damage.

Under Hungarian law, the decision to offer a reduced punishment or even immunity in exchange for certain cooperation is at the sole discretion of public prosecutors. In other words, although the prosecutors’ aim is to detect criminal acts to the extent possible (which could be favourably influenced by voluntary cooperation), there is no procedural basis under which immunity may be expected.

Under the Criminal Liability Act, cooperation with public authorities is a mitigating factor that a judge can take into account when determining the fine. Thus, a legal entity can be acquitted from a fine if:

(i) a responsible person within the legal entity, the governing, managing or supervising body, voluntarily reports the offender after the crime has been committed; or

(ii) if the legal entity returns the benefit or removes the harmful consequences of the crime, or compensates the harmful consequences of the crime in any other manner. If these conditions are fulfilled, but the court does not consider that the legal entity should be acquitted from a fine, the court can instead reduce the fine on the legal entity.

The application of leniency depends on the specific circumstances of the case.
Generally, the cooperation of the perpetrator with the investigating authorities is to be regarded as a mitigating circumstance (ie may lead to a lesser sentence).
Under certain conditions (eg self-incrimination (Ro. autodenunt), first time offence, active cooperation, offence qualified as minor crime or as a crime of average gravity, repaired damage), such cooperation may incur exemption of liability.

Under the Montenegrin Liability of Legal Entities Act, cooperation with public authorities is (i) a mitigating factor that a judge can take into account when determining the sanctions, (ii) a condition for the relief from criminal liability, and (iii) a condition for dismissing the criminal charges against the company.

The applicable regulations on criminal proceedings and criminal liability of legal entities regulate the conditions for decreasing the monetary penalty. Namely, the amount of the monetary penalty to be imposed in criminal proceedings may be decreased when: (i) the law envisages lower sanctions; (ii) the law envisages that the legal entity may be relieved from sanctions, but such relief did not take place; and (iii) the court determines that there are certain mitigating circumstances and that even the lower sanction will serve its purpose. The entity may be relieved from punishment if: (i) it discovers and reports the offence before it was aware that criminal proceedings were initiated; (ii) if it had taken all the necessary measures to prevent and discover the commission of an offence; (iii) if it returned the material gain acquired by committing the crime, and provided data necessary for the liability of another entity/person. Also, if preconditions are fulfilled, the entity could be relieved from criminal liability if it agrees to act as a cooperating witness in criminal proceedings.

The Draft Collective Liability Law provides for a leniency programme for companies.

According to the new provisions, a collective entity is not liable if it has notified the body appointed to prosecute the crime (punishable by imprisonment for up to five years), revealing the relevant circumstances of the act, in particular persons or other collective entities involved in its commissioning (plea-bargaining).

In other cases, the prosecutor may apply for plea-bargaining, unless the circumstances of the act do not raise doubts and the collective entity cooperates with the prosecutor (discloses information, circumstances, provides data and information) and has agreed to compensate for the loss resulting from the crime.

The Fiscal Criminal Code also provides for a leniency programme in case of some fiscal crimes which encompasses voluntary disclosure in relation to tax crimes and plea-bargaining.

The leniency functions within the “crown witness” scheme and applies to individuals only. If it were to have an extenuating effect it would need to be pursued by the perpetrators. There are two crown witness schemes: the “little” one and the “regular” one.
In general, in the framework of the “little” crown witness scheme the court is obliged to apply an extraordinary mitigation of the penalty, or may even grant a suspended sentence, with respect to an offender who acted in concert with others in committing an offence, then reveals information to the prosecutors about other offenders involved in committing the offence, or the essential circumstances thereof.
Perpetrators of criminal or fiscal offences committed in the framework of an organised crime group or selected other crimes (e.g. corruption) may be granted the status of a “regular” crown witness by the court based on a motion filed by the prosecutor. In this context the crown witness is obliged to testify in exchange for discharge of punishment. The decision to grant the status of crown witness is at the discretion of the court and is not obligatory.

In a series of special laws (e.g. organised crime, corruption crimes, etc.), the perpetrator is either completely exempted from criminal liability (e.g. offering a bribe, peddling in influence, establishment of an organised crime group), if they report having committed the offence before its discovery by the investigation authorities or benefit from a decrease by half of the limits of the applied penalty (e.g. corruption and assimilated offences), if they report the offence during the criminal investigation and facilitate prosecution of the person(s) involved in committing the crime.

Under the Corporate Criminal Liability Act, cooperation with public authorities is (i) a mitigating factor that a judge can take into account when determining the fine, (ii) a condition for relief from criminal liability, and (iii) a condition for dismissing criminal charges against the company. The Act provides that the court may exonerate a legal entity from punishment if it (i) detects and reports a criminal act to the authorities before it has learned about the instigation of criminal proceedings, and (ii) eliminates the detrimental consequences and returns unlawfully gained proceeds voluntarily and without delay. Also, in cases of reporting crimes punishable by imprisonment of three years, any criminal charges against the company might be dismissed, based on one or more of the following circumstances: (i) the company reports a crime before it found out that the prosecution bodies (police, prosecutor) have discovered a crime; (ii) the company prevents any damage / compensates damages / removes any detrimental consequences of a crime; (iii) the company voluntarily returns any benefits gained by the crime; and (iv) the company has no property / is subject to ongoing bankruptcy proceedings.
In addition, the court would perceive the detecting and reporting of a criminal offence and measures taken against the responsible person in the legal entity as mitigating factors when calculating the fine.

The Slovak Act on Criminal Liability of Legal Entities (Act No. 91/2015 Coll., as amended) recognises the concept of so-called “effective regret” (účinná ľútosť). This provides that the legal entity ceases to be criminally liable

  • if the natural person that committed (carried out) the crime ceases to be criminally liable pursuant to the relevant provisions of the Slovak Criminal Code (Act No. 300/2005 Coll., as amended) on effective regret of natural persons; or
  • the legal entity has voluntarily refrained from further actions leading to a completion of the crime and it prevented or restored the harmful impacts of the crime; or
  • the legal entity has voluntarily refrained from further actions leading to a completion of the crime and it notified the competent authorities at a time where the harmful impact of the crime could have been prevented or the danger threatened from the crime could have been removed.

Effective regret is not available for crimes of corruption or crimes harming the financial interests of the European Union.

As regards no. (i) above, another form of effective regret is if the offender allowed the legal entity to fulfil the conditions for benefiting from a leniency programme under laws protecting competition (applies to certain crimes only).

When determining a sentence, the court shall also consider the legal person’s actions after committing the criminal offence, especially its efforts to eliminate the harmful consequences of the offence or to voluntarily compensate the damage caused.

If the offender is a natural person, the authorities may decide to apply leniency to a cooperating offender in the form of conditional stay of criminal proceedings (with a probationary period of up to 10 years), in the form of a settlement with the victim or an agreement on sentence made between the offender and the prosecutor. In addition, certain acts by an offender (such as acceptance of guilt and providing evidence) can moderate sanctions for a natural person.

Finally, a legal entity can generally avoid criminal liability if it proves that the crime was not committed because it neglected its supervision or control powers or that the relevance of such neglect was minimal. This can be achieved by having good compliance programmes in place, by regularly training employees and by being able to prove that other measures were implemented to prevent crimes. It is important to note, however, that this exception is not available if the crime was committed by the director or a person exercising supervising authority / powers in the company.

The Slovenian leniency programme basically requires the reporting of the identity of the suspected offender to the authorities. Depending on the circumstances of the case, cooperation with the authorities or removal of harmful consequences of the criminal offence may result in a reduction, or cancellation, of the sanction.

Under Turkish Criminal Law, pursuant to the concept of “effective remorse”, real person perpetrators who inform the authorities of a crime at a defined period (defined separately for certain types of crime) and under certain conditions can benefit from leniency. Leniency is also applied in competition-related disputes within the scope of the Law on Protection of Competition. In any case the application highly depends on the circumstances of the individual case.

7 Others

Generally no. However, the information leading to an internal investigation itself (e.g. reliable testimony of a member) could already qualify as insider information within the meaning of Regulation (EU) No. 596/2014 (“market abuse regulation”), which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no.

As in Austria.

Generally no. However, the information leading to an internal investigation itself (i.e. reliable testimony of a member) could already qualify as insider information, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the law.

Generally, no.
However, the information leading to and/or arising from an internal investigation itself could qualify as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”), which could lead to disclosure obligations (unless postponement of disclosure is permitted in accordance with the market abuse regulation).

Generally no.

However, there are exceptional activities which may entail procedures provided for under Regulation 596/2014 and the Hungarian Act on Investment Firms stemming from Directive 2014/65/EU.

Generally no. This issue has not yet been regulated in Macedonia.

Generally no. However, reporting obligations may arise, eg as result of external audits or in case of capital market abuse (in accordance with the capital market legislation).

Generally, no, although this might depend on the outcome of the investigation. This issue has not yet been regulated in Montenegro, as EU Regulation No. 596/2014 has not yet been implemented into the national legislation.

No. An internal investigation as such does not constitute ad hoc, periodical or insider information as specified in Regulation (EU) No. 596/2014.

No, unless the internal investigation qualifies, in the opinion of the company subject to it, as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”) or as other price-sensitive information, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation. An internal investigation could indirectly trigger the occurrence of insider information. For example, following an internal investigation, the listed company may decide to dismiss its CEO because of the findings. In this case, the dismissal of the CEO is an important aspect constituting insider information that would need to be notified to the competent supervisory authorities and to the stock exchange. Basically, the internal investigation itself does not constitute insider information, but its result or certain actions taken based on its result might be considered as such.

Generally, no, although this might depend on the outcome of the investigation. This issue has not yet been regulated in Serbia, while EU Regulation No 596/2014 has not yet been implemented into the national legislation.

Generally no, unless internal investigations lead to a potential breach of the market abuse regulation, which could trigger disclosure obligations.

Generally no. However, the information leading to an internal investigation itself (i.e. the reliable testimony of a member) could already qualify as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”), which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no.

Generally no. However, information gathered by an internal investigation could qualify as insider information within the meaning of the market abuse regulation, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no. However, information gathered by an internal investigation may qualify as insider information within the meaning of the Securities Act of the Republic of Srpska or Capital Markets Act of the Federation of Bosnia and Herzegovina, which could lead to disclosure obligations.

As in Austria.

Generally no. However, information gathered by an internal investigation could qualify as insider information, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the law.

Generally, no.
However, the information leading to and/or arising from an internal investigation could qualify as insider information within the meaning of the market abuse regulation which could lead to disclosure obligations (unless postponement of disclosure is permitted in accordance with the market abuse regulation).
Furthermore, the information on the internal investigation and/or its (potential) implications may need to be reflected – to a certain extent – in the regular reports executed by an investment instrument issuer domiciled in the Czech Republic or opting for the Czech Republic as its reference country.

Generally no.

Generally no.

Generally no.

Generally no. However, information gathered by an internal investigation could qualify as insider information within the meaning of the Capital Markets Act, which could lead to disclosure obligations.

No. Conducting an internal investigation does not qualify as information to be reported in an ad hoc report.

No, unless the internal investigation qualifies, in the opinion of the company subject to it, as insider information within the meaning of Regulation (EU) No 596/2014 (“market abuse regulation”) or as other price-sensitive information, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation. An internal investigation could indirectly trigger the occurrence of insider information. For example, following an internal investigation, the listed company may decide to dismiss its CEO because of the findings. In this case, the dismissal of the CEO is an important aspect constituting insider information that would need to be disclosed via an ad hoc report on the stock exchange. Basically, the internal investigation itself does not constitute insider information, but its result or certain actions taken based on its result might be considered as such.

Generally no. However, information gathered by an internal investigation may qualify as insider information within the meaning of the Capital Markets Act, which could lead to disclosure obligations.

Generally no, unless internal investigations lead to a potential breach of the market abuse regulation, which could trigger disclosure obligations.

Generally no. However, information gathered by an internal investigation could qualify as insider information within the meaning of the market abuse regulation, which could lead to disclosure obligations, unless postponement of disclosure is permitted in accordance with the market abuse regulation.

Generally no.

Such a reporting obligation could arise out of the general fiduciary duty according to company law.

This issue is not explicitly regulated, although the obligation could exist under the rule of the duties of a director under the applicable Companies Acts.

Generally no, unless an internal document signed between the parent company and the subsidiary so provides.

It depends on the internal policies. Generally, the management board is not obliged to report to its parent company about internal investigations on its own, but, depending on the gravity of the internal investigation, such an obligation might arise out of the management board’s obligation to inform the shareholders about the status of the company and its prospects.

Generally, no.
Such a reporting obligation of the subsidiary towards its parent company may be established under general corporate rules and principles (general limitations apply; further limitations may apply for a joint stock company).

Generally no; however, such a duty usually stems from the company’s constitutional instrument.

Generally, no. This issue is not explicitly regulated in North Macedonia, although the obligation could exist under the rule of the duties of a director under the Companies Act.

No direct legal obligation.
However, such an obligation may arise from the general obligation of the company’s corporate bodies to present reports with regard to the activity of the company. In addition, the statutes of the company and/or its internal documents (regulations) may provide for such an obligation to report about the internal investigation to its parent company.

This issue is not explicitly regulated, although it could emerge out of the legal obligations of the company’s directors under the Montenegrin Companies’ Act.

There are no particular obligations in that respect resulting from the regulations binding in Poland.

There is no legal requirement for the management of the subsidiary to report about the internal investigation to its parent company.

This issue is not explicitly regulated, although the obligation could exist under the rule of the duties of a director under the Companies Act.

Generally no.

Such reporting obligations could arise from the general fiduciary duties of the management towards the shareholders. The specifics depend on the corporate form: generally speaking, limited shareholders in a limited liability company (d.o.o.) have relatively broad information rights, while the information rights of stock company (d.d.) shareholders are, by comparison, rather limited.

Such a reporting obligation of the subsidiary towards its parent company could arise out of the “group company” obligations according to the Turkish Commercial Code.

8 Employment law measures

If the suspicion is reasonable (and due to a possible subsequent legal dispute also provable), generally yes. Immediate termination without notice always presupposes that the employer cannot objectively be expected to continue the employment, even for the notice period. The most important reasons for immediate termination of white-collar employees without notice include:
– if the employee is disloyal to the employer or is unable to perform the promised or appropriate (reasonable) service;
– any breach of the prohibition on competition;
– if the employee disobeys orders or attempts to induce others to disobey.

No. Under the Labour Act of Republika Srpska, an employer can terminate an employment agreement without notice if the employee is convicted of a work-related criminal offence. On the other hand, labour legislation in the Federation of Bosnia and Herzegovina is silent with respect to this issue and we can therefore generally conclude that the suspicion of a criminal activity does not represent lawful grounds for termination of the employment agreement.

No, the suspicion of criminal activity alone is not a ground for termination.
However, if the suspicion is reasonable, the company can find other legal reasons to dismiss the employee without notice due to their objective inability to perform their duties. Among the reasons for immediate termination without notice are “abuse of the employer’s confidence” (grounds for disciplinary dismissal) or “systematic breaches of work discipline” (grounds for disciplinary dismissal).
In any case, the dismissal has to be carefully considered and made depending on the particular case.

Yes, because the scope of civil liability is wider than criminal liability. An employer may terminate an employment agreement in case of a particularly serious breach of an employment obligation or some other particularly important fact. Such a breach or fact may at the same time raise suspicion of a criminal activity.

While it is not necessary for criminal activity to be proved in the potential criminal proceedings, an employer must prove the legal basis for an extraordinary termination in a potential employment dispute.

Yes, under certain circumstances. The termination of employment without notice is an exceptional measure and may be executed (without a final decision of the court in criminal proceedings finding the employee guilty) only if the employee breached the duties relating to the performed work in an especially gross manner. The employer must be able to prove such a breach and its gravity. The gravity of a breach is considered with respect to several criteria as set by the case law (among others, the personality of the employee, the employee’s position, the time and situation, intention, etc). Generally, immediate termination is justified if the breach is of such intensity that the employer cannot objectively be expected to continue the employment. Such a situation usually occurs in case of the employee’s intentional interference with the employer’s property (e.g. theft). Even if the statutory conditions for immediate termination are met, in some cases the employer may not serve immediate termination (e.g. pregnant employee).

Generally yes, if the conduct is linked to the employment relationship.
The grounds for termination stem from two cases: the employee a) commits a grave violation of any substantive obligations arising from the employment relationship wilfully or by gross negligence, or b) otherwise engages in conduct that would render the employment relationship impossible. If there are reasonable grounds to believe that an employee has committed a crime that also qualifies as either of the reasons listed under a) or b), then the employee’s employment can be terminated with immediate effect.

No. The employer may terminate the employment contract of the employee without a notice period in cases of (i) violation of work order and discipline, or (ii) non-fulfilment of the work obligations stipulated by the laws, collective agreement, rules for work order and discipline, and the employment contract.

No, the mere suspicion of criminal activity is not enough to terminate the employment agreement with the employee.

No.

In case of suspicion, the employer cannot terminate the employment agreement, but can only suspend an employee from work as long as criminal proceedings for a work-related or corruption-related criminal offence have been commenced against the employee.

The employer may terminate the employment agreement without prior written notice pursuant to the provisions of the Montenegrin General Collective Agreement (“GCA“) only after the court reaches a final and binding decision in the criminal proceedings initiated against the employee for criminal offences committed at work and/or in relation to the performance of work obligations.

Finally, pursuant to the Montenegrin Labour Act, the employment will automatically terminate if: (i) under the final decision of a court or other state authority, the employee has been forbidden to perform certain work activities; (ii) the employee has to be absent for more than six months due to a sanction of imprisonment; and (iii) the employee has to be absent for more than six months due to any educational or protective measure.

No. An employer may terminate an employment agreement without notice in case an offence is committed that excludes the relevant employee from continuing to occupy the post. However, the employer’s reasonable suspicion that the employee committed the offence is not sufficient. The fact of committing an offence must be unmistakable or must result from a valid court judgment.

No, the employer does not have the right to immediately terminate the individual employment agreement in such a case.

A dismissal decision may be issued following completion of a disciplinary investigation procedure, provided that the employee has committed repeated or gross misconduct. In such a case, the employee is not entitled to any notice period; however, the disciplinary investigation is itself a time-consuming procedure that involves, inter alia, summoning the employee reasonably in advance so that they can prepare a defence.

Under Romanian labour law, no disciplinary sanction (including disciplinary dismissal, but excluding written warning) may be applied prior to conducting a disciplinary investigation procedure. In the absence of such a prior disciplinary procedure, the employer could face the risk of annulment of the dismissal decision in court.

No. Under the Labour Act, an employer can terminate an employment agreement only if the employee is convicted of a work-related criminal offence by a final and binding court judgment. Termination of the agreement under the suspicion of criminal activity was removed from the Labour Act after the Constitutional Court declared the provision unconstitutional.

Generally no. Immediate termination without notice is possible only if an employee (i) has been lawfully convicted of an intentional crime, or (ii) has seriously violated work discipline. Slovak law is restrictive on this issue and the mere suspicion of criminal activity would generally not qualify as a serious violation of work discipline. To immediately terminate employment due to a serious violation of work discipline, the employer must be able to prove such a violation and its gravity. The gravity of a violation is considered with respect to several criteria as set by the case law (among others, the personality of the employee, the employee’s position, the time and situation, intention, etc). Generally, immediate termination is justified if the violation is of such intensity that the employer cannot objectively be expected to continue the employment. Such a situation usually occurs in case of the employee’s intentional interference with the employer’s property (e.g. theft). Even if the statutory conditions for immediate termination are met, in some cases the employer may not serve the immediate termination (e.g. pregnant employee).

If the suspicion is reasonable (and provable in a potential court dispute), generally yes. A violation that (i) has all the elements of a criminal act and which (ii) renders further cooperation with the respective employee immediately impossible (i.e. even within the applicable termination period) constitutes a reason for an extraordinary termination of employment (i.e. termination without a notice period).

Within the meaning of Article 15 of the Labour Law, the employer may terminate an employment contract, executed for a definite or indefinite period, before its expiry and without having to comply with the prescribed notice periods under the law, if the employee commits a dishonest act against the employer, such as a breach of trust, theft or disclosure of the employer’s trade secrets. For such a termination, the presence of “suspicion of criminal activity” alone is generally not adequate to terminate an employment agreement, and the employee may file a reemployment lawsuit against the employer. However, in the scope of the leading cases of the Turkish Supreme Courts, the employer may terminate the agreement stating that its “suspicion of criminal activity” broke the trust relationship between the employee and the employer that is required for the continuity of the agreement, and therefore the employment agreement had to be terminated.

Generally yes. While there are no specific requirements or formalities, a suspension is admissible if there is a concrete suspicion regarding grounds for immediate dismissal which need to be clarified. It is advisable to suspend the employee in writing.

In principle, no, and in particular not (only) because an internal investigation is being conducted against him/her. In Republika Srpska, an employee may be suspended if (i) he/she is caught in an activity that could reasonably be considered as a criminal offence, or (ii) if he/she violates work discipline or a work obligation so as to endanger property of a significant value. An employee can be suspended up to three months, unless criminal proceedings are initiated, in which case the suspension can be in place until the proceedings are finalised. Applicable laws in the Federation of Bosnia and Herzegovina do not provide for a suspension option.

Generally no, the internal investigation alone is not grounds for suspension. Under Bulgarian employment law, an employee could be suspended only if he/she appears at work in a state which prevents him/her from performing his/her labour duties or consumes alcoholic beverages or other strong intoxicating substances during working time. In such a case, the order for the suspension should be delivered to the employee. Other, less restrictive rules could apply if the suspension is agreed under a management agreement (entered into with managing directors / board members).

An employee may be suspended only if (i) the employer at the same time extraordinarily terminates the employment (i.e. without notice), (ii) the works council opposes the termination, (iii) the employee seeks court protection against the termination, and (iv) the employer agrees to pay the employee monthly salary compensation (amounting to the employee’s average salary in the last three months) until the completion of the dispute.

If the works council’s opposition to the termination is clearly unfounded, the employer may ask the court to suspend the employee without the right to receive salary compensation.

Czech law does not explicitly regulate the suspension of employees during an internal investigation. In practice, to avoid the employee’s presence at the workplace, employers can (i) order the employee to go on holiday (the disadvantage is that a unilateral order of holiday by the employer is admissible only two weeks in advance and is therefore relevant only if the employee agrees with the holiday or for prolonged investigations) or (ii) use the institute of so-called “other obstacles to work” on the employer’s part. These other obstacles to work are based on the statement of the employer that it currently does not have any suitable work for the employee. This institute is being used more and more often, as it allows the employer to react immediately. No specific requirements and formalities are needed, but in practice, the employee is presented with a written order by the employer to stay at home. During the period of this absence, the employee is entitled to remuneration corresponding to his or her average earnings (average earnings are usually higher than regular wages, as they also include paid bonuses).

Yes, if so required to investigate the circumstances of an employee’s breach of obligations, the employee may be suspended. The suspension may not exceed 30 days. The employee is entitled to receive an absence fee during such suspension.

In principle, no, and especially not only because an internal investigation is being conducted against the employee.

In principle, no, and especially not only because an internal investigation is being conducted against the employee.

In Montenegro, an employee may be suspended if:

  • the employee is caught in performance of an act considered a violation of his/her work duties punishable by termination of the employment agreement;
  • the employee is detained (suspension starts on the first day of detention and lasts during the detention period);
  • criminal proceedings have been initiated against the employee for a criminal offence committed in the course of work or in connection with the work; and
  • criminal proceedings for corruption have been initiated against the employee.

Finally, an employee may be suspended if disciplinary proceedings have been initiated against him/her, as long as there are sufficient reasons for such a suspension, as described above.

There is no explicit provision allowing it, but suspending an employee is rather practicable. Considering this legal ambiguity, it is in any case recommended to obtain the employee’s prior consent.

Generally, no. An employer can unilaterally suspend the employment agreement in very limited situations, such as when the employee is prosecuted for criminal acts that are incompatible with their job or if the employee is put under judicial control which prevents the employee from performing work. Also, the employment agreement is suspended by law if the employee is in pre-trial detention.

In principle, no, and especially not only because an internal investigation is being conducted against the employee. In Serbia, an employee may be suspended if:

  • a criminal proceeding is initiated against him/her for a crime committed at work or a work-related crime. In practice, the courts deem criminal proceedings as being initiated if there is, e.g. a decision on initiation of (official) investigation, if an indictment is issued (in cases without investigation) or a private criminal lawsuit is filed;
  • the employee violates work discipline or breaches work duty so as to endanger property of a significant value determined in the general internal act or employment agreement; and
  • if the employee’s breach of work duty / violation of work discipline / behaviour is such that he/she cannot continue working before the deadline of at least eight days (in which the employee should respond to the termination warning) expires. Hence, this situation is linked to the (already initiated) termination procedure.

Slovak law does not explicitly regulate the suspension of employees during an internal investigation. In practice, to avoid the employee’s presence at the workplace, employers can (i) order the employee to go on holiday (the disadvantage is that the holiday has to be discussed with the employee and the employee’s legitimate interests have to be taken into account, while the taking of holiday must be in line with the holiday plan approved by the union) or (ii) use the institute of so-called “other obstacles to work” on the employer’s part. These other obstacles to work are based on the employer’s statement that it currently does not have any suitable work for the employee. This institute is being used more and more often, as it allows the employer to react immediately. No specific requirements and formalities are needed, but in practice, the employee is presented with a written order by the employer to stay at home. During this absence, the employee is entitled to remuneration corresponding to their average earnings (which are usually higher than regular wages, as they also include paid bonuses). Naturally, practical implications (e.g. the employee’s availability for further investigations) should be considered.

Yes, but only when such a possibility is provided in the law, collective agreement and/or the employee’s employment agreement.

The Employment Relationship Act specifies the cases in which employees can be suspended. These are, inter alia, imprisonment or sanctions for a misdemeanour because of which the employee is unable to work for six months or less, detention, and other cases provided for by the law (or a collective agreement or employment agreement).

During such suspension, all the contractual and other rights and obligations arising from an employment agreement (which are directly related to the performance of work) will be suspended. However, the employer cannot terminate the agreement unless there are reasons for an extraordinary termination or if the procedure for the termination of the employee has already been started prior to the suspension.

The employee has the right and duty to return to work no later than five days after the reasons for the suspension cease to exist.

Christoph Haid

Austria

c.haid@schoenherr.eu

Klara Kiehl

Austria

k.kiehl@schoenherr.eu