Employee privacy vs corporate investigation: the grey area

In February 2015 the Dutch Court of Appeal ruled that a private corporate investigations firm was liable after violating the privacy of one of the employees of the investigated company. Companies often hire these types of firms to investigate whether a company’s suspicion that an employee is guilty of gross misconduct is correct and whether there are grounds for (immediate) dismissal. When investigating an employee, however, his or her privacy can quickly become an issue.

Case
In this case, the employee in question (“Mr. X”) had worked for Education International (“EI”), a global federation of teacher unions, for over 17 years. For his work Mr. X had to travel frequently and therefore used a company laptop. During his many travels, Mr. X also used the laptop to contact his family in the Netherlands and he kept a diary, which he named “EI Yearbook”. The employee recorded his doubts about the day-to-day affairs of the business in this yearbook.In July 2007 EI held a convention in Berlin. Just before the kick-off of the convention, an email was sent to all participants of the convention from an anonymous email address, accusing EI’s General Secretary of embezzlement. After this incident, all employees were informed that a corporate investigations firm would be investigating the matter. Employees were given the instruction to hand in all their laptops for the purpose of the investigation. Privacy issues were expressed by staff. EI stated that “if relevant material is found by the scan on personal files the material will be examined. Otherwise personal files will not be examined.”

Among many other laptops, the corporate investigations firm copied and examined the contents of Mr. X’s laptop. Mr. X was questioned afterwards. The firm applied a privacy code of conduct and informed Mr. X that the processing of personal data would be done in accordance with the Personal Data Protection Act (DPA). Mr. X confronted the firm with remarks from colleagues that had already been interviewed, since those colleagues had been confronted with sections originating from Mr. X’s yearbook.Eventually, the investigation was concluded and the firm reported back to EI, stating that there was no match between the IP-address from where the anonymous email originated and Mr. X’s laptop. Nonetheless, EI was informed about the fact that several keywords from the email matched with Mr. X’s yearbook and that Mr. X did have concerns about the financial position of EI. A copy of Mr. X’s hard drive was handed over to EI.
Damage
Subsequently, EI demoted Mr. X, stating that the trust and confidence had been damaged. The demotion seemed fair to EI, due to Mr. X’s age and years of service and the fact that the consequences of a dismissal would not be in proportion to the damage caused to EI. Mr. X did not accept this. He had the investigation firm summoned to appear in court, claiming damages for the fact that the firm had acted unlawfully by handing over the yearbook to EI. The district court rules in Mr. X’s favour. The investigation appealed the judgment.
Company laptop containing private documents
The core of the dispute before the Court of Appeal is whether the investigation firm was allowed to involve Mr. X’s yearbook in its investigation and whether it was allowed to hand over the yearbook to his employer afterwards. The Court ruled that if it is a company laptop, this doesn’t automatically make its contents business related or company property. This will only be the case if a company policy explicitly restricts laptop use to non private matters. The fact that the name of the document (EI Yearbook) could be seen as a possible company related document, is irrelevant according to the Court.
Processing personal data
The DPA stipulates that personal data can only be processed if the person concerned has given his “unequivocal consent”. The Court determined that Mr. X has never given such consent. The Court rules that the mere fact that he didn’t protest or ask any questions about the processing, is no reason to think otherwise. The Court rejected the investigation firm’s statement that Mr. X gave tacit approval. If that were the case then the investigation firm would have at least had to have informed the employees that all files – including possible private documents – were going to be examined. The firm had not done this.The Court drew the conclusion that the investigation firm had not been allowed to hand over the yearbook to EI, since there was no justified interest for EI left after the firm concluded there was no match between the IP-addresses. EI’s interest in tracking down those opposing its business didn’t surpass the Mr. X’s personal interest and privacy. The fact that the investigation firm released Mr. X’s personal doubts was an act of negligence in view of the fact that the firm knew this would certainly affect the personal relationship between employer and employee. Handing over the yearbook damaged Mr. X’s reputation at EI and caused EI to demote him. The firm was therefore found liable for Mr. X’s damages.
In conclusion
This case is a good example of how complicated the balance between employee’s privacy and employer’s interests can be. When will one interest overrule the other? It truly can be a grey area. Should you have any questions about privacy-related matters or starting up corporate investigation, please do not hesitate to contact one of our employment law attorneys or the members of our International Desk. 
716 
Ik help u graag verder
Maruca Overdijk
Partner
Meest gelezen
  • ‘Kopietje paspoort’
  • ‘Oude’ pandeigenaren versus nieuw...
  • “Als lekkerste getest” niet...
  • “Detachering” leerling is verwijdering
  • (Te) creatief met dividend: omzetting in een lening

Wij gebruiken cookies om u de beste online ervaring te bieden. Door akkoord te gaan, accepteert u het gebruik van cookies in overeenstemming met ons cookiebeleid.

Privacy Settings saved!
Privacy-instellingen

Wanneer u een website bezoekt, kan het informatie in uw browser opslaan of ophalen, meestal in de vorm van cookies. Beheer hier uw persoonlijke Cookie Services.

Deze cookies zijn nodig om de website te laten functioneren en kunnen niet worden uitgeschakeld in onze systemen.

In order to use this website we use the following technically required cookies
  • wordpress_test_cookie
  • wordpress_logged_in_
  • wordpress_sec

Omwille van de prestaties gebruiken we Cloudflare als een CDN-netwerk. Hiermee wordt een cookie "__cfduid" opgeslagen om beveiligingsinstellingen per client toe te passen. Deze cookie is strikt noodzakelijk voor de beveiligingsfuncties van Cloudflare en kan niet worden uitgeschakeld.
  • __cfduid

Geen toestemming
Wel toestemming