The Difficult Balance between Internal Compliance Investigations and Privacy


Corporate investigations are crucial for the proactive identification of potential wrongdoings; whenever an appropriate compliance program has been established, ‘red flags’ must be thoroughly investigated.

An unexpected sales increase in certain regions or within certain sales teams, particularly high fees paid to an agent, or dubious gift and hospitality practices are just a few examples of the countless potential conflicts of interest a modern organization might face (and businesses are not the only organizations concerned).

In order to tackle such potential issues, and to show a genuine commitment to compliance (e.g. with the US Sarbanes-Oxley Act or other applicable laws), internal investigations are essential.

However, in order to be lawful in the European Economic Area (EEA), an investigation must respect local laws; a foreign law authorizing the transfer of data to the organization’s headquarters therefore does not, by itself, constitute a valid legal ground for that transfer.

The most straightforward approach is to establish a self-sufficient investigation team within the EEA, since this is fully compliant with the applicable laws on international data transfer. Should this not be possible, other solutions can be evaluated, although they may be more expensive and time-consuming than the one proposed above.

Binding Corporate Rules (BCRs), which are formally acknowledged in art. 43 of the General Data Protection Regulation (GDPR), may represent a possible procedure. BCRs are a set of internal, legally binding rules governing cross-border data transfer. Once a thorough Data Protection Impact Assessment has been completed (art. 33 GDPR), the BCRs need to be approved by a Data Protection Authority (DPA), usually the one where the European branch is located or where decisions on data transfer are actually made.

Given their legally binding nature and the fact that they provide adequate protection for data subjects under articles 25 and 26 of EU Directive 95/46, BCRs are enforceable by anyone with a genuine interest in bringing the matter before national courts or DPAs – in particular, the persons under investigation.

Being compliant with applicable data protection laws is one of the most important challenges in cross-border investigations.

Despite the guarantees mentioned above, the practice of establishing BCRs is not yet widespread; it is therefore advisable to consult local employment law experts before undertaking such investigations.

In fact, in many countries labour laws cannot be derogated from by contract or internal rules.

Checking the local law is the best possible advice.


Published by

Michele La Neve

White Collar Crime Attorney at Whitecotton Law Dedicated to Helping Clients Overcome Unforeseen Business Risks.