Corporate Investigations in CEE & SEE
We are pleased to provide you with the updated 2024 version of our Wolf Theiss Corporate Investigation Guide. Members of our firmwide Investigations, Crisis Response and Compliance team from 13 jurisdictions have updated this essential guide on conducting corporate investigations in CEE/SEE, highlighting key takeaways specific to the region as well as the latest legal developments and trends.
As most countries in CEE/SEE have adopted corporate criminal liability legislation and the enforcement of local corporate criminal liability laws is on the rise, companies have an even greater incentive to follow up on any allegations or findings from internal reports by conducting a targeted corporate investigation. Whistle-blower protection laws have provided a strong push for companies to investigate misconduct internally. We have seen increased whistleblowing activity across the whole region. Whistle-blowers seem to feel more encouraged and indeed safer when it comes to reporting various types of misconduct. Companies are increasingly launching independent investigations into internal misconduct such as harassment, mobbing/bossing and similar misconduct. Bid rigging and corruption related investigations remain the investigations most often conducted by independent law firms. Environmental, social and governance rules (ESG) are another reason why companies are looking more diligently into certain allegations. Reputation plays a bigger and bigger role.
Regulators (both enforcement and competition authorities) all over the world and increasingly throughout CEE/SEE are requesting proof that compliance management systems are effective and include clear rules for carrying out corporate investigations. Regulators are also looking for proof that relevant actions are taken, along with their results, following said misconduct investigations. Furthermore, auditors are paying greater attention to auditing risks such as management integrity and are requiring proof, through independent corporate investigations, that management can be trusted and is in fact managing crisis situations accordingly.
A large part of the corporate investigations we have been involved in over the last year have been prompted by the impact of foreign laws such as the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the French Sapin II anticorruption legislation and the Nordic countries’ anticorruption laws. Nevertheless, we see more and more corporate investigations being initiated by local companies as a result of the above-mentioned local legislation requirements and increased local enforcement (by both competition and enforcement authorities).
Clients need to be aware of certain CEE/SEE-specific considerations such as reporting duties relating to certain types of misconduct like bribery or money laundering, which require clients to involve external lawyers in their investigations into misconduct, as only external lawyers would be exempt from those reporting duties.
2025: An outlook
As the war in Ukraine continues and additional sanctions are imposed with an increased focus on tackling sanction evasion schemes, the number of investigations relating to possible sanctions breaches will rise. What, if any, impact the upcoming US election will have on the future of US enforcement, which has been a driving force for many corporate investigations in our region, remains to be seen.
We expect to see the first cases stemming from investigations into greenwashing allegations, particularly following the adoption of the EU directive mandating corporate sustainability reporting (“CSRD”). Investors will request that reputational due diligence in M&A transactions be conducted more frequently, in order to be able to assess the impact of target companies on people and the environment. This includes the assessment of financial risks and opportunities arising from climate change and other sustainability issues.
We see rapid development of AI investigation tools, which will help both us and clients conduct investigations more effectively in the near future. At some point, those tools will also be sufficiently trained on CEE/SEE languages and will be a real game changer in the investigation arena (some of them already are).
Many of the topics discussed in this guide are in constant flux and we seek to address them as and when they come up on our and our clients’ radar. Our aim is not to exhaustively cover all relevant issues, but rather to provide readers with a guide on the issues they might consider highly relevant when conducting corporate investigations in our region.
ALBANIA
Key Takeaways
- Companies may be criminally liable for the misconduct or criminal offences of their employees and board members committed on their behalf or for their benefit.
- Investigating misconduct is included in management’s fiduciary duties.
- Processing of employees’ data during an investigation process must be fully compliant with internal regulations on data protection.
- Legal privilege is limited to the obligation of licensed attorneys to keep information received from their clients confidential.
- Self-reporting or cooperation with prosecuting authorities might be considered as mitigating circumstances.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Subject to Art 91 and Art 150 of Albanian Company Law, the shareholders’ meeting may decide to initiate a special investigation with respect to irregularities during the company’s formation, in relation to the conduct of ongoing business or on the grounds that there is serious suspicion of a breach of law or Statute. The special investigation must be conducted by an independent auditor, appointed by the shareholders. The investigation primarily aims to identify claims for compensation against members of the administrative organs and shareholders.
Initiation of special investigations and the nomination of a special auditor may also be requested by minority shareholders representing at least 5% of the votes, as well as by creditors of the company. The special investigation must be requested within three years of the date of the alleged irregularity. If the general meeting refuses to initiate a special investigation, the requesting shareholders or creditors may file with the court the request to initiate such an investigation.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
All legal entities are liable for criminal offences perpetrated while carrying out their activity. The criminal liability of a legal entity does not exclude the criminal liability of the natural person who contributed to the offence. In addition, a legal entity shall be liable for criminal offences carried out by its representatives or corporate bodies, in the name of or for the benefit of the legal entity.1 A company is liable to pay for any damages resulting from its unlawful acts.2
In case of any reasonable suspicion of a possible wrongdoing, the management is expected to take all appropriate steps to review (and rectify, if necessary) the situation. Unless an internal investigation is conducted, the directors risk being found in breach of their fiduciary duties and could, therefore, become liable for any prejudice (including damages) to the company that could have been prevented, had the wrongdoing been discovered in time. Criminal sanctions may be brought against both the legal entity and the individuals who committed the criminal offence, i.e. non-reporting of alleged corruption, etc.
There is no specific threshold to trigger criminal liability.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
All individuals and companies are bound by the legal obligation to immediately report (or prevent the occurrence of) any crime or criminal offence. Only the following categories may be exempted from such an obligation: close relatives, and persons who acquire knowledge about such a crime or criminal offence due to their profession and are bound by a confidentiality obligation.3
In order to avoid any false reporting, diligence must be shown during the investigation process, evaluation of the credibility of the source, etc. and reporting would then be made once the suspicion is confirmed. Moreover, any proof or evidence that is found during the investigation process must be handed to the competent enforcement authorities. Only the author of the crime/criminal offence and the persons who acquire knowledge about such proof/evidence due to their duty or profession are exempted from such an obligation.4 Elimination, destruction, altering or falsification of proof/evidence is considered a crime.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Cooperation and voluntary self-disclosure should be considered at least as mitigating circumstances (i.e. leading to a lower sanction).
1 Art. 3 of Law No. 9754, of 14.6.2007 On Criminal Liability of the Legal Entities.
2 Art. 32 of Law No. 7850, of 29.7.1994 On the Civil Code as amended from time to time.
3 Art. 300 Criminal Code of the Republic of Albania
4 Art. 304 Criminal Code of the Republic of Albania
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
Any internal investigation must be conducted in compliance with the rules provided under an internal regulation on investigation procedure which the company must adopt as part of the compliance management system. It should specify the persons responsible for dealing with internal investigations (usually an independent compliance function) and how the structure of the internal investigation should be decided, including a process for independent reporting.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
“Legal privilege” under Albanian law is extended to communication between attorneys and their clients as well as the documentation/information obtained by the attorney in the course of providing legal advice; i.e. not just during regulatory or criminal investigations, but during all administrative authority procedures as well as all court procedures launched by Albanian authorities or before Albanian courts.
Such legal privilege will prevent Albanian authorities from reviewing or using as evidence any communication containing legal advice, as well as the documentation/information obtained by the attorney in the course of providing legal advice. The attorney has a duty to protect the confidentiality of information received from the client and may not disclose any information to a third party without the client’s prior consent, except to the extent the attorney is required to do so by any applicable law, rules or court order. The attorney may not use such information or otherwise refer to it in any documents that might be created after the respective documents that contain such type of information are handed over to the client.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
The confidentiality obligation shall be extended to any information or documents received from the client during provision of legal services.
Does legal privilege apply to in-house lawyers?
Legal privilege may be applied if the in-house lawyer qualifies as an attorney (i.e. is registered with the Albanian Bar Association and the tax authorities) and not as an employee.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Legal privilege is reserved for attorneys (and attorneys’ personnel) and in our view it extends to third parties subcontracted by the attorney to represent the client. Other regulated professions such as auditors, notaries etc. are also bound by certain secrecy obligations, but these privileges fall rather within the client-provider relationship.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company should notify the employees about the processing and preservation of the data relevant for the matter investigated. Implementation of specific IT safeguarding measures in the process of collection and preservation of evidence would be recommended.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
In principle, personal data processing may take place only on grounds specified by Albanian Data Protection Law.
With regard to processing employee data, an employer may collect, process and transfer data concerning its employees only to the extent that the data relates to the employee’s suitability for employment or is necessary for the performance of the employment contract5, i.e. the data processing is necessary in the legitimate interests of the controller or any third parties (i.e. the necessity to perform contractual obligations), except where such interests are clearly in contradiction with the privacy right of the data subject.
The following elements need to be considered: the reason for collecting the information/data; the limit to which data controllers are able to use the personal data collected; the individual consent given by the employee for the employer to access the employee’s email; and the security measures in place. Further to the consent of the employee, we recommend that the following is taken into consideration by the employer:
- The access and use of email correspondence should be strictly for legitimate purposes and only for the purposes for which the employee has given consent. The employee has the right to withdraw consent at any time. Such a withdrawal does not affect the validity of any actions carried out up to that point and which were within the scope of the consent previously given.
- The confidentiality of personal data must be ensured at all times; therefore, email communications must be accessed only by authorised personnel for legally authorised purposes.
- Any personal data collected during the access of the employee’s email should be protected against accidental or unlawful destruction, storage, processing, access or disclosure of data.
- There should be an internal policy in place regulating the use of IT equipment, such as sending emails for private purposes, and the consequences in the event of any breach thereof. Employees should be informed in writing and should sign their acknowledgment of the policy.
- The employer must inform the data subject of their rights, such as the right to withdraw consent at any time, the period for which the data will be stored, as well as the employee’s right to access/correct information.
The processing of sensitive data is lawful if there is a legitimate reason. However, the employee’s explicit written consent is required and the personal data may be processed only for the purpose for which the data subject has given consent. The consent must be absolutely clear and should cover the specific processing/transfer details: (i) the type of information (or even the specific information itself), (ii) the purpose of the processing/transfer, (iii) the category of recipients, and (iv) any special aspects that may affect the individual, such as any disclosures that may be made during the retention period.
The Data Protection Law further establishes certain minimal and standard requirements for the protection of personal data. Under Data Protection Law the data collector is obliged to ensure that organizational and technical measures are in place to protect personal data from: (i) being illegally destroyed or accidentally lost, (ii) unauthorized access and persons, and (iii) illegal processing. The extent of the processing must be that strictly necessary to achieve the aim of the investigation, and there must be no less-invasive measures available. The information included in the investigation should be carefully selected prior to review and no private information should be accessed as part of the investigation. It is essential that the right key words are selected, and the reviewers are sufficiently trained.
The company must notify the employees that their data may be processed as part of any investigation as well as about the legal basis and purposes of the data processing and the corresponding rights of the employee.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Strict conditions apply to cross-border transfers of data collected during investigations to countries that do not provide sufficient levels of data protection (i.e. outside of the EU or EEA). In principle, personal data processing may take place only on the grounds specified by Albanian Data Protection Law.
Cross-border transfer of data collected during an investigation to a third country is subject to strict requirements. In particular, companies must ensure adequate protection of the data even after its transfer to a third country. Available and adequate means include binding corporate rules and standard data protection clauses adopted by the Commissioner Office.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, all the personal data gathered and processed during the internal investigation must be destroyed except for the final findings/conclusions which will be used internally i.e. during disciplinary proceedings. In case there are sufficient grounds to report the case to the prosecution office, the findings shall be reported along with the evidence or indications found.
5 Instruction no. 11, of 8.9.2011 of the DCM
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
No, the employee is not explicitly bound by such an obligation. However, employees are bound by the legal obligation to inform the employer of all circumstances that affect or may affect the performance of their duties, as well as to refrain from taking any actions that may incur material damages or might be considered as detrimental to the employer.
If the employee decides to cooperate, the interviews should take place within the working hours of employees and should be strictly connected to their work.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Yes, there are specific regulations for employers operating whistleblowing systems. By law6 all public institutions and private companies operating in Albania, and which have more than 100 employees, have to set up a special unit to register and investigate alleged cases of corruption. Any allegations of corruption be reported to the High Inspectorate of Declaration and Audit of Assets (HIDAA) and/or the prosecution office.
A whistleblower may choose to remain anonymous and the employer must respect this (also in case of anonymous reports). Generally, whistleblowers are protected from retaliation and cannot be fired or demoted. They cannot be penalized in any other way either, such as blacklisting, reduction of pay, reassignment, salary decrease, loss of office or privileges or change in duties. Failure to comply with this obligation may lead to a fine of up to ALL 500,000 (approx. EUR 5,000). In addition, any failure by the employer to initiate an investigation after receiving an indication of corruption by an employee, may also lead to a fine of ALL 500,000 (approx. EUR 5,000).
Any act of retaliation against the whistleblower will be investigated by the competent authorities, i.e. HIDAA, or the prosecution office, and the whistleblower has the right to ask for compensation for any damages incurred as a result thereof.
6 Law No. 60/2016 On Whistleblowing
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes. All legal entities are liable for criminal offences perpetrated while carrying out their activity. The criminal liability of a legal entity does not exclude the criminal liability of the natural person who contributed to the offence.
In addition, a legal entity shall be liable for criminal offences carried out by its representatives or corporate bodies, in the name of or for the benefit of the legal entity.7 A company is liable to pay for any damages resulting from its unlawful acts.8
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes. Both the company and the individual may be prosecuted for the same misconduct, although they face different criminal sanctions.
Can corporate criminal liability be avoided or mitigated?
Yes. All legal entities are liable for criminal offences perpetrated while carrying out their activity. The criminal liability of a legal entity does not exclude the criminal liability of the natural person who contributed to the offence.
In addition, a legal entity shall be liable for criminal offences carried out by its representatives or corporate bodies, in the name of or for the benefit of the legal entity.9 A company is liable to pay for any damages resulting from its unlawful acts.10
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
There are full or partial leniency programmes for those legal entities that cooperate or provide important information for the identification and prevention of prohibited agreements, or the identification of the responsible persons or for those that disclose or provide important information in cases of active or passive bribery. The same would be applicable for tax offences. Mitigating circumstances that might lead to a lower sanction for the legal entity also include cases where the legal entity has fully disclosed and made available its income for the purpose of confiscation, or where the legal entity shows that it has duly implemented effective measures to prevent the criminal activity.
7 Art. 3 of Law No. 9754, of 14.6.2007 On Criminal Liability of the Legal Entities.
8 Art. 32 of Law No. 7850, of 29.7.1994 On the Civil Code as amended from time to time.
9 Art. 32 of Law No. 7850, of 29.7.1994 On the Civil Code as amended from time to time.
10 Art. 32 of Law No. 7850, of 29.7.1994 On the Civil Code as amended from time to time.
8. Upcoming Developments
Generally, since companies became liable for criminal prosecution thirteen years ago, prosecution of companies has remained low-profile and prosecuting authorities have mainly focused their attention on tax infringements. This may however change in consideration of the ongoing reform affecting prosecution authorities and courts in Albania. However, it appears that substantial change will require years to become perceptible and produce the desired effects.
AUSTRIA
Key Takeaways
- Under the Corporate Criminal Liability Act, national or foreign companies can be held criminally liable for the misconduct of their decision-makers and employees.
- The obligation to investigate misconduct results from the statutory duty of care of board members and forms part of a sound compliance management system.
- Statutory provisions on legal privilege do not extend to in-house lawyers. Self-reporting and cooperating with prosecuting authorities can, under certain circumstances, be beneficial to the company.
- Due to the increasing importance of ESG aspects and stricter provisions in this regard (including reporting and due diligence obligations), it is to be expected that misconduct and thus also internal investigations in this area will continue to increase in the future.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
There is no general statutory obligation under Austrian law according to which the company must conduct internal investigations when misconduct is detected (see exemptions in the next paragraph and under section 6). However, it is advisable to conduct internal investigations in order to (i) avert potential damages to the company, (ii) cooperate with official authorities as soon as (criminal) investigations are conducted and (iii) have the opportunity to demonstrate cooperation and remorse after a crime has been committed. The conduct of the company after the commission of a crime must be duly considered by the authorities in various ways (e.g. the public prosecutor can, under certain circumstances, refrain from initiating criminal proceedings against the company, taking into account the company’s behaviour after the crime).
In which situations will a decision to internally investigate be necessary to prevent the risk of civil or criminal liability of board members?
From a strategic point of view, it is advisable that as soon as the management board or the supervisory board members become aware of or suspect any wrongdoing within their scope of responsibility that might constitute criminal liability (either for individuals or the company) or cause severe damage to the company, they initiate internal investigations as a mitigation measure. Under certain circumstances the omission of mitigation measures might even lead to the civil or criminal liability of the respective board members themselves. The respective duty to act results from due diligence obligations under the relevant civil and commercial law provisions for companies.1
In addition, the management board can be obliged, according to their general duty of care,2 to pursue claims of the company against other or former board members or employees for which the prior performance of an internal investigation is often necessary. Furthermore, the supervisory board can be obliged to conduct such investigations regarding potential wrongdoings of members of the management board. If the management or supervisory board violate their duty of care by failing to pursue such claims, they can be liable for the company’s damage caused by such omission. In accordance with general standards of liability, even a board member’s slightly negligent violation of his/her duty of care is sufficient.
In summary, if a board member becomes aware of a criminal act or other severe violations of law being committed by a decision-maker or an employee and knowingly omits to act in his/her duty of care for the company to prevent the crime or mitigate possible damage, the board member can be held liable himself/herself. Therefore, the initiation of internal investigations is advisable and might even be obligatory under certain circumstances.
Furthermore, Austrian statutory law provides for certain cases in which internal investigations shall be performed. For instance, a shareholder minority of at least 10% can file a court application for the appointment of a special investigator (Sonderprüfer), if a prior shareholder resolution aiming at conducting such investigations could not be passed in a prior shareholder meeting with the required majority.3 The subject of such investigations can be inter alia every action performed by the managing directors within the last two years in respect of a joint stock corporation (AG). In respect of a limited liability company (GmbH), such an investigation is generally limited to circumstances relevant to the latest financial statements.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
In general, only public authorities are obliged to notify criminal authorities of any committed criminal offence of which they become aware.4 Only in extraordinary cases are reporting duties of other persons triggered, for example:
- In the case of specific transactions, Austrian attorneys are obliged to report cases of money laundering5 or terrorist financing6 to the Federal Criminal Police Office (Bundeskriminalamt).
- If internal investigations, which include a special audit of the company’s financial statements, are conducted on an investment firm or an investment services firm and the auditor determines severe violations of statutory laws or the articles of association, the auditor is obliged to submit a respective report to the Austrian Financial Market Authority.7
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
The Austrian Criminal Procedure Code (Strafprozessordnung, StPO) provides for a leniency programme (Kronzeugenregelung).8 The leniency programme applies inter alia to offences that fall under the jurisdiction of the Public Prosecutor’s Office for Economic Crimes and Corruption (Wirtschafts- und Korruptionsstaatsanwaltschaft, WKStA)9 (e.g. fraud and other white collar crimes causing damage exceeding EUR 5 million, crimes of corruption, anti-competitive collusion in tendering processes,10 money laundering,11 etc.). The Public Prosecutor may proceed with measures of diversion (rescission from prosecution) if the suspect contributes to solving the crime. In order for the Public Prosecutor to refrain from further prosecution, the suspect must inter alia remorsefully confess to the crime and voluntarily self-disclose information to the authorities that goes beyond his/her own contribution to the crime. Furthermore, the information disclosed must lead to the solving of a crime mentioned by law (e.g. corruption) or lead to the investigation of a person that was the lead individual of a crime or the lead individual of a criminal organisation. If these requirements for the contribution of the suspect are met, the Public Prosecutor must stop the proceedings against the suspect. In proceedings against companies, the provisions on the leniency programme apply mutatis mutandis.12
Furthermore, in relation to financial crimes committed under the Austrian Financial Criminal Code (Finanzstrafgesetz, FinStrG) (e.g. tax evasion13 or tax fraud14) the FinStrG provides for the possibility of voluntary self-disclosure (Selbstanzeige), which prevents the perpetrator from criminal liability if the preconditions of this provision are met.15
For certain offences against the property of another,16 the law stipulates active repentance (Tätige Reue) under the following preconditions:17
- the person fully rectifies any damage caused by the offence or
- enters into a contractual obligation to fully compensate the victim; and
- before the authorities become aware of the person’s culpability, even at the urging of the victim but without being forced to do so.
The person is also not liable if he/she fully rectifies any damage caused after reporting to the authorities (voluntary self-disclosure) and providing the relevant compensation to the authorities.18
The Austrian Criminal Code also determines special mitigation factors (Milderungsgründe) that the judge must consider in his/her verdict.19 These include instances in which the person:
- deliberately refrained from causing major harm although the person had the opportunity to do so, or if the person or another person rectified the harm;20
- genuinely endeavoured to rectify any harm caused or sought to avoid further adverse consequences;21
- remorsefully confessed to the offence or through the person’s testimony made a significant contribution to ascertaining the truth.22
In summary, cooperation and self-disclosure will be duly considered by the Austrian enforcement, prosecution and judicial authorities. Furthermore, internal investigations can be a helpful procedure to create a basis for demonstrating contrition and subsequent leniency.
1 I.e. Art. 84 para 1 of the Austrian Act on Joint Stock Corporations (AktG) or Art. 25 para 1 of the Austrian Act on Limited Liability Companies (GmbHG).
2 Art. 84 para 1 AktG; Art. 25 para 1 GmbHG.
3 Art. 130 AktG and Art. 45 GmbHG.
4 Art. 78 para 1 of the Austrian Criminal Procedure Code (StPO).
5 Art. 165 StGB.
6 Art. 278d StGB.
7 Art. 93 para 1 of the Austrian Securities Supervision Act (WAG).
8 Art. 209a StPO (and Art. 209b StPO in case of antitrust violations).
9 Art. 20a, 20b StPO.
10 Art. 168b StGB (Wettbewerbsbeschränkende Absprachen in Vergabeverfahren).
11 Art. 165 StGB.
12 Art. 209a para 7 StPO.
13 Art. 33 of the Austrian Financial Criminal Code (FinStrG).
14 Art. 39 FinStrG.
15 Art. 29 FinStrG.
16 E.g. fraud pursuant to Art. 146 StGB, embezzlement pursuant to Art. 133 StGB or breach of trust pursuant to Art. 153 StGB.
17 Art. 167 para 2 StGB.
18 Art. 167 para 3 StGB.
19 Art. 34 StGB.
20 Art. 34 No 14 StGB.
21 Art. 34 No 15 StGB.
22 Art. 34 No 17 StGB.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company should have internal regulations in place that govern the process of dealing with (the suspicion of) misconduct including internal investigation procedures as part of the compliance management system. It should specify the persons responsible for dealing with internal investigations (usually an independent compliance function) and how the structure of the internal investigation should be decided, including a process for independent reporting.
Conducting internal investigations through an external actor can be of benefit if the misconduct has not been discovered outside of the company. In such case, any information that is obtained by an attorney who is conducting the investigation is subject to legal privilege. External performance of internal investigations may strengthen the argument that the company is willing to independently investigate all misconduct in order to properly address potential problems.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
In general, an Austrian attorney is bound by professional secrecy obligations in all matters which have been confided to him/her and all facts which have otherwise become known to him/her in their capacity as an attorney. Such professional secrecy is safeguarded by various statutory provisions.23
Differences in the scope of legal privilege depend on the type of proceedings.
In criminal proceedings, an attorney-at-law is entitled to refuse to give evidence (Aussageverweigerung). This right may not be circumvented by the confiscation of any documents or data medium or by the examination of the attorney’s employees or subcontractors. A verdict based on such evidence is null and void.24
Furthermore, civil procedure law provides for the right to refuse to give evidence in civil proceedings.25 However, any evidence gained by violating this right can be used in these proceedings without any further consequences.
The attorney’s privilege may be pierced by certain reporting obligations to the Federal Criminal Police Office (Bundeskriminalamt) regarding potential cases of money laundering or terrorist financing.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
In criminal proceedings, legal privilege extends to documents and information in the possession of the suspect or the attorney, which were produced for advising or defending the client (e.g. transcripts of interviews of employees, memos, internal investigation reports etc.).
Does legal privilege apply to in-house lawyers?
No. Generally, in-house lawyers do not fall within the scope of legal privilege.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Within the scope of the above-mentioned privilege are also patent lawyers, notaries and auditors as well as their employees and subcontractors. Legal privilege, as applicable for attorneys in criminal proceedings, extends to subcontractors if they are commissioned by the attorney (e.g. legal experts, forensic experts, etc).
23 E.g. Art. 321 para 1 no. 4 of the Austrian Act of Civil Procedure (“ZPO”); Art. 157 para 1 no. 2 StPO; Art. 171 para 2 of the Austrian Federal Fiscal Code (BAO).
24 Art. 157 para 2 StPO.
25 Art. 321 para 1 no. 4 ZPO.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine what data is needed for the internal investigation and where they are located. Relevant questions are, for example: what means of communication are used (emails, apps, phones)? What devices do employees use to communicate? Is there any cloud or local share-drive? Is the cooperation of a local IT expert needed? Is there any information solely in the form of a hard copy document?
It is then essential to determine whether and to what extent the company can legally access and review the data. Particularly problematic are situations where the private use of the company’s infrastructure is allowed or tolerated. In such case, it will be necessary to distinguish between private data and business-related data. Thus, to facilitate possible future internal investigation it is recommended to have comprehensive and clear internal directives providing the complete rules on communication, archiving and the use of company devices by employees (in particular whether private use is allowed or not) on the one hand, and explicit information on how the company can review and collect these data on the other hand.
The company should also issue a preservation notice to employees to ensure that potential evidence (and all data relevant for the matter investigated) is preserved and not destroyed. The employees in question should sign or give a confirmation that they are complying with the preservation notice, and this should be kept on the record.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Under data protection law, the copying, storage, filtering, review and analysis of emails and files of suspected employees located on the employer’s IT infrastructure for inspection purposes or in the case of reasonable suspicion of criminal actions may be justified based on the employer’s legitimate interest to investigate and/or prosecute the possible crimes.26
The review must be performed in such a way that these interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (e.g. using filtering techniques to only search for the relevant parts, etc.). In general, only the review of business-related emails and files is justified without obtaining the employee’s consent. The review of private personal data usually requires the employee’s consent from a data protection law perspective. Employee consent is however seen critically by courts and authorities as the criteria of “freely given” might be questionable.
However, under specific circumstances the processing of private emails containing relevant information may be legitimate if it inter alia complies with the principle of proportionality and limitation of the privacy intrusion according to the scope of the investigation (as mentioned above).
Furthermore, the respective employees shall be informed about e.g. the inspection of their mailbox and files, the purpose of and legal grounds for the data processing, the recipients, and the employees’ data subject rights. The information must be provided to the employee within specific timeframes (at the latest within 1 month of having obtained the data). It is still debated whether this information provided to the employee about the inspection might be deferred to a slightly later point in time in order to not jeopardise the investigation.
If third parties who act as data processors for the company (e.g. providing forensic services) are engaged, the conclusion of a written data processing agreement is necessary.27
Finally, it must be reviewed internally whether the processing in this context (considering the nature, scope and purposes of the processing) is likely to result in a high risk to the rights and freedoms of natural persons. If this is the case, prior to the processing, a privacy impact assessment (impact of the envisaged processing operations on the protection of personal data) must be carried out.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
In the case of an envisaged transfer of data to countries outside of the EU/EEA, for which an adequate level of data protection has not been determined (e.g. USA), additional guarantees are required, e.g. the conclusion of the EU Standard Contractual Clauses and possible additional measures.28
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be erased, with only the most important findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings.
26 Art. 6 para 1 lit f GDPR.
27 Art. 28 GDPR.
28 Art. 44 et seqq. GDPR.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Employees are generally bound by their employer’s instructions, which can include the participation in interviews organised and conducted by an attorney. Members of the management board of a limited liability company can be specifically instructed by the company’s shareholders, by way of a shareholder resolution, to participate in such interviews. Furthermore, a board member’s general duty of care can lead to the obligation of board members to participate in such interviews.
Do employees have the right to receive minutes from the interview?
In general, no. However, under certain circumstances, producing minutes that are provided to the employee could be of benefit in order to create an objective and undisputable record of the outcome of an interview.
Do employees have the right to be informed of the outcome of the investigation?
No.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Yes, the Austrian Whistleblower Act (“HinweisgeberInnenschutzgesetz – HSchG”), which entered into effect on 25 February 2023, transposes the EU Whistleblowing Directive (2019/1937/EU) into Austrian law.
On the one hand, the Austrian HSchG requires companies with at least 50 employees to implement internal whistleblowing channels, which the employees can use to report (alleged) violations of law in particular in the following areas:
- Public procurement
- Financial services, financial products, financial markets, anti-money laundering and anti-terrorism financing
- Product safety and conformity
- Traffic safety
- Environmental protection
- Radiation protection and nuclear safety
- Food and feed safety, animal health and welfare
- Public health
- Consumer protection
- Protection of privacy as well as data protection and safety of network and information systems
- Corruption crimes
On the other hand, there are specific regulations that trigger the application of the HSchG regardless of the number of employees (in particular in the financial sector).
After receiving a report, the company must get back to the whistleblower within three months stating the measures taken or envisaged to be taken in response to the whistleblower’s report or the reasons why no action will be taken.
Companies must inter alia ensure that the whistleblower’s identity is kept confidential at all times, subject to exceptions when disclosure of the identity is necessary according to law in administrative, judicial proceedings or investigative proceedings under the Code of Criminal Procedure, and is proportionate. Furthermore, the HSchG prohibits all sorts of retaliation measures against whistleblowers, e.g. suspension, dismissal or comparable measures regarding the employment contract; demotion or withholding of promotion etc.
Additionally, special provisions for specific sector companies exist, such as for credit institutions, investment firms or investment services firms, which require them to implement appropriate procedures for their employees allowing them to confidentially report internal breaches of certain laws, regulations or rulings and to further conduct investigations based on such reports.29
29 Art. 99g para 1 of the Austrian Banking Act, Art. 95 of the Austrian Stock Exchange Act.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Under the Austrian Corporate Criminal Liability Act (Verbandsverantwortlichkeitsgesetz, VbVG), companies can be criminally liable for the criminal acts committed by individuals: a decision-maker (Entscheidungsträger) or an employee, if the criminal act has been committed either (i) for the advantage of the company or (ii) in breach of the company’s duties.30
The duties of a company31 are stipulated throughout the legal system, predominantly in civil and administrative law provisions. Therefore, a compliance system might not only be necessary to prevent/mitigate corporate criminal liability, but the lack of a compliance system might even lead to criminal liability of a company in the first place.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes, both individuals and companies can be criminally liable for the same misconduct. A company can only be liable for the criminal acts of an individual.32 However, the corporate liability for a criminal act and the individual liability of a person for the same act do not exclude each other.33
Can corporate criminal liability be avoided or mitigated?
According to Art. 18 VbVG, the prosecutor can decide to not (further) prosecute a company under certain circumstances. Such decision depends on the seriousness of the offence, the weight of the breach of duty, consequences of the criminal conduct, the possible amount of a fine and the conduct of the entity after the offence.
In relation to the last criterion (i.e. conduct of the entity after the offence), the prosecutor may take into account inter alia the company’s cooperation with regard to the investigation of the offence. Conducting thorough internal investigations to dissolve criminal behaviour within the company may therefore result in the avoidance of the initiation of criminal proceedings in the first place. Furthermore, reference is made to the leniency programme (cf above).
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
Cf the chapter concerning the leniency programme above.
30 Art. 3 para 1 of the Austrian Corporate Criminal Liability Act (VbVG).
31 Art. 3 para 1 No. 2 VbVG.
32 Art. 1 VbVG.
33 Art. 3 para 4 VbVG.
8. Upcoming Developments
Since the Corporate Criminal Liability Act became effective on 1 January 2006, the prosecution and indictment of companies has grown. While in the years from 2006 until 2010 the cases of prosecution including companies pursuant to the VbVG more than tripled (from approximately 50 per year to more than 160), the significance has grown even more in the past ten years. From 2013 to 2019 the cases regarding proceedings pursuant to the VbVG settled by the prosecutor grew from approximately 200 to 300 per year. In addition, between 2013 and 2019, between 20 and 25 cases were brought to court each year. Based on our experience, the prosecutors tend to assess and apply the VbVG on an increasing basis.
In line with the “European Green Deal”,34 environmental, social and governance (ESG) issues are being focused on by European legislators.35 The steady shift from “soft law” Corporate Social Responsibility (CSR) to “hard law” Corporate Social Liability increases both the liability risk for companies and the duty of care for board members.
A recent example is the EU Directive on the protection of the environment through criminal law, which was published on 30 April 2024. To combat environmental offenses more effectively, the Directive introduces new environment-related criminal offenses and stipulates severe penalties, including maximum fines for legal entities of not less than 5% of the worldwide turnover or EUR 40 million. Member states must transpose the Directive by May 2026.
Due to the increasing importance of ESG aspects and stricter regulations in this area, it is to be expected that misconduct and thus also internal investigations in this area will continue to increase in the future.
34 The European Green Deal is a package of policy initiatives, which aims to set the EU on the path to a green transition, with the ultimate goal of reaching climate neutrality by 2050.
35 As part of the European Green Deal, the Corporate Sustainability Reporting Directive (CSRD) entered into force on 5 January 2023. The Corporate Sustainability Due Diligence Directive (CSDDD), which requires companies to conduct due diligence on – and take responsibility for – human rights abuses and environmental harm throughout their supply chain, entered into force on 25 July 2024.
BOSNIA & HERZEGOVINA
Bosnia and Herzegovina (BiH) is a country consisting of two separate entities, i.e. the Federation of Bosnia and Herzegovina (FBiH) and the Republic of Srpska (RS), and one special autonomous district under the direct sovereignty of the state, i.e. the Brčko District of Bosnia and Herzegovina (BD). In addition, FBiH is divided into 10 cantons.
In each of these parts essentially different legal regimes apply; however, certain legal matters are regulated by laws enacted at the state level and as such are applicable in all parts of the country. Furthermore, in many cases the relevant legislation of the entities regulating a particular matter is harmonized, but differences may occur in terms of the application and interpretation by different entities’ courts.
Certain topics in this overview are regulated at the entity/district level and others are regulated at the state level. If not specifically indicated, the regulation of certain matters is harmonised, and where applicable, a separate overview of the regimes applicable in BiH is provided.
Key Takeaways
- Companies may be criminally liable for the misconduct of their employees and board members
- Investigating misconduct is included in management’s fiduciary duties and is a sign of a sound compliance management system
- The investigation of misconduct itself is a cornerstone of a proper corporate investigation
- The concept of legal privilege is limited to the obligation of registered attorneys to preserve the confidentiality of information received from their clients
- Self-Reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Any such obligation is not explicitly stipulated by law; however, management members are obliged to carry out their business conscientiously, with the due care expected of a prudent businessman and in the reasonable belief of acting in the best interests of the company. Shareholders and other competent bodies (if any) in the company are entitled and encouraged to investigate any failure of management to act in accordance with their duties and obligations or if they act in a way that is contrary to the applicable law and internal regulations.
Furthermore, employers are obliged to conduct disciplinary proceedings following any violation of employment obligations by the company’s employees, whereas the disciplinary procedure often also involves an internal investigation.
In that regard, diligent investigation of any (potential) misbehaviour is a fundamental part of any effective compliance management system if the company wants to be released from its civil and/or criminal liability.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
The criminal sentence for a company may be mitigated if the managerial or supervisory body voluntarily reports a perpetrator after he/she commits a criminal offence. This means that the board members must not only set appropriate procedures to prevent misconduct, but also investigate any misbehaviour detected, which often includes an internal investigation.
Failing to conduct an internal investigation may breach the fiduciary duties of the board members, which would make them liable for any damage to the company (e.g. penal or administrative fines, damages to third persons, loss of further profits, etc.) which might have been prevented.
An internal investigation should be conducted to determine an employee’s liability for violating the duties of his/her workplace, as well as where a board member violates his/her obligations, causes damage to the company by failing to act with the due care expected of a prudent businessman and in the reasonable belief of acting in the best interests of the company, etc.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
Pursuant to the applicable Criminal Codes in BiH, individuals and companies should generally report (i) a crime or its perpetrator or (ii) the preparation of an intended crime after becoming aware of it. In certain legally prescribed cases, failure to act in the above-mentioned manner(s) is also considered a criminal offence.
This often means that the company should be able to investigate the matter to the extent necessary to report the crime(s), but that it should report it immediately once the suspicion is confirmed. At the same time, however, by reporting the crime the company could be exposing itself to criminal prosecution for it. It could be argued that individuals who represent the company (i.e., members of its executive body) should not be forced to report or testify against the company as this would represent a circumvention of its right to not self-incriminate.
However, pursuant to the applicable Criminal Codes, officials (authorised employees of public service in competent authorities) or other responsible persons (authorised persons in other legal entities (e.g. managing directors)) have a special responsibility to report any discovery in the course of their duties of a committed crime for which a punishment of five years’ imprisonment or more may be imposed; i.e. possibly sentenced to the same extent as the perpetrator of the crime itself.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Generally, cooperation and voluntary self-disclosure will be taken into consideration by the law enforcement authorities, especially when deciding on sanctions. However, there is no automatic benefit for self-disclosure or cooperation, and companies are not incentivized by the law to decide to self-report and cooperate with prosecuting authorities, nor can they be certain of any benefits should they decide to cooperate, share information or report misconduct.
Criminal sentences for a company whose managerial or supervisory body voluntarily reports a perpetrator after he/she commits a criminal offence can be mitigated, whereby in some cases the company may also be exonerated.
Under the applicable Criminal Codes, a perpetrator who attempts to commit a criminal offence, but voluntarily forsakes the completion of a punishable attempt, may be exonerated. However, he/she shall still be punished for any actions which constitute a separate criminal offence (e.g. in case of forgery of documents through which the perpetrator tried to commit fraud or embezzlement (but voluntarily forsook its completion), the court and relevant authority will still consider his/her liability for the actual forgery itself).
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company should have an internal regulation in place that governs the process of dealing with (or even the suspicion of) misconduct, including internal investigation procedures as part of the compliance management system. It should specify the persons responsible for dealing with internal investigations (which is usually an independent compliance function) and how the structure of the internal investigation should be decided, including a process for independent reporting.
Whenever there is a risk that a reporting duty has arisen, or will arise during the investigation, or if there is a risk of a police dawn raid, an attorney should be engaged as an external counsel to lead and conduct the investigation to minimize the risk of exposure to the reporting duty, and to maintain legal privilege over investigation products.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
Under the relevant FBiH and RS laws, including the Law on Advocacy and Code of Ethics for Attorneys, legal privilege is reserved only for attorneys, i.e. lawyers registered before the competent bar association. Any such information an attorney obtains during a mandate from the client or otherwise, including all documentation, written submissions, as well as audio or video records, constitutes a legal privilege. Even if an attorney does not accept a mandate, such an obligation exists in relation to information which was provided to the attorney by the potential client.
Legal privilege extends to all attorneys in a joint lawyers’ office, and to a law firm and all its employees, and is not time-limited. Even after the authorization to represent a client in a certain matter is revoked, or the relevant proceeding is finalized, the obligation still exists because of information becoming known to the attorney in the course of the relevant mandate and/or proceedings.
Under FBiH law, an attorney may disclose facts and circumstances which represent a legal privilege only in certain types of court proceedings (i) upon the written approval of the person who disclosed such information to the attorney; or (ii) if the disclosure of the information is indispensable in criminal proceedings or disciplinary proceedings in order for the attorney to prove his/her innocence. On the other hand, under RS law, the disclosure of such information is possible if it is relevant to the client’s defence or necessary to justify a decision on denial of defence in a certain matter.
In addition, in both cases, the obligation of attorneys (to the client) to preserve the confidentiality of all information received when providing legal services is protected by the state in various procedural situations, e.g. an attorney can refuse to testify if this would lead to a breach of the confidentiality obligation.
However, if any attorney-client communications, documents or other forms of information media are seized, intercepted or obtained from the company directly or through third parties, they are not covered by attorney-client privilege.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
No, the confidentiality obligation is tied to the person of the attorney (and his or her employees and subcontractors), rather than to the information or document itself. Therefore, any information or document that is protected when in the possession of the attorney is not protected when it is in the hands of the client or an unrelated third person. Prosecuting authorities often use this to order the company to hand over all documents they have received from the attorney, including reports from the internal investigation and protocols from interviews. Best practice is to structure the investigation with the attorney who is leading the investigation and who subcontracts other third parties who participate in the investigation, should such a participation be necessary.
It is essential that the investigation and its reporting lines/forms are structured so as to minimize the risk that the investigation report is taken by the authorities e.g. during the dawn raid, and then used as evidence in a court proceeding.
Does legal privilege apply to in-house lawyers?
No. In-house lawyers do not enjoy the protection of legal privilege.
These may be obliged to protect a business secret; however, information regarding a breach of law or other legislation cannot be determined as a business secret.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Legal privilege is extended only in cases stipulated by the applicable Code of Ethics for Attorneys, as indicated above, and it is not extended to service providers. It could be argued that service providers are entitled to the privilege that falls within the client-provider relationship, whereas the special protection of premises (as is the case with legal privilege) does not apply to them. Therefore, all relevant documents should be kept on the premises of the attorney.
There are other types of privileges, but these also fall within the client-provider relationship and do not apply in corporate investigations (e.g. tax advisors’ privilege does not prevent tax advisors, upon a written request from the court, from providing any information they have about a company if necessary in an investigation or criminal procedures).
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine what data is needed for the internal investigation and where they are. What means of communication are used (emails, apps, phones)? What devices do employees use to communicate? Is there any cloud or local share-drive? Is the cooperation of a local IT expert needed? Is there any paper-only information? It is then essential to determine whether and to what extent the company can legally access and review the data. It is not unusual for employees to use apps that are encrypted or do not save content, and it is then extremely difficult to distinguish the personal content of their communication from work content. A comprehensive and clear internal directive providing the complete rules on communication, archiving and the use of company devices by employees on the one hand, and explicit information on how the company can review and collect these data on the other, is a cornerstone of any proper internal investigation.
The company should also issue a preservation notice to employees to ensure that potential evidence (and all data relevant to the matter investigated) is preserved and not destroyed. The employees in question should sign for or give confirmation that they are complying with the preservation notice, and this should be kept on record.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
GDPR is not directly applicable in BiH, with the exception of Article 3 para 2, based on which GDPR could also apply to non-EU companies if certain requirements set out in GDPR are met. It is due to be implemented into BiH legislation via amendments to the BiH Personal Data Protection Law, but it is not certain when such amendments will be adopted and come into force. Although the BiH Agency for Personal Data Protection welcomes the applicability of GDPR and its provisions, until the date on which such amendments are adopted, all personal data processing of companies in BiH must be formally carried out in compliance with the currently-applicable BiH Personal Data Protection Law. The BiH Personal Data Protection Law does not specifically regulate investigations involving employee e-mails or other records potentially containing private information. Thus, the general rules apply to such matters.
In general, the processing of personal data is considered legal if performed on a valid legal basis, which includes consent, legitimate interest of the controller, public interest requirements, etc. Due to the specific imbalance of power in an employment relationship (especially in terms of obligation to obtain freely-given consent), it may be argued that performing an internal investigation based solely on consent, without another more reliable legal basis, might be problematic.
In that regard, internal investigations must be conducted in such a way that the risks of breaching privacy laws are minimised. This must be assessed on a case-by-case basis since, generally, the greater the harm faced by the employer (e.g. a large-scale corruption scheme), the more intrusive investigative instruments might be considered proportionate.
Thus, when performing corporate investigations, the legitimate interests of the controller should also be considered. In such cases, the investigation and supervision needs to be conducted only when necessary, to the extent and in a way strictly stipulated by the controller’s internal actions, as well as in a way that protects the controller’s legitimate interests but does not compromise or jeopardize the private and personal life of the data subject, i.e. the employee, which shall be assessed taking into account the circumstances of each particular case. The controller is obliged to carefully review the relevant data during the investigation, but in a way that does not involve any private information about the employee, i.e. to delicately balance its own interests against the interests or fundamental rights of the employees (e.g. the right to a private life and secrecy of communication).
One-off targeted searches of emails/documents using selected key words should not be considered disproportionate if the employer is aiming to protect itself, its property and its reputation by helping to determine if employees might be in breach of their responsibilities. However, only work-related data is allowed to be processed. No private personal data can be subject to review and any processing of private personal data must be immediately stopped.
On the other hand, as part of the obligation towards transparency, the controller should ensure that the respective employees (or potentially other relevant persons, as the case may be) are duly informed about the processing as part of the investigation. Any such notice should be given in writing and should include, among other things, the legal basis and purposes of the data processing and the corresponding rights of the employee. If employees had never been informed that their data might be processed for the purposes of harm prevention, for instance, the company would be in breach of this obligation.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Cross-border transfer of data from BiH is, in general, allowed if the third-country or the international organization to which the personal data is being transferred implements adequate safeguards for personal data as set out in the BiH Personal Data Protection Law. The transfer of personal data to another country that does not provide adequate safeguards as stipulated by the BiH Personal Data Protection Law, may exceptionally be allowed in specific cases stipulated by the law; for example, if the transfer is necessary in the public interest, the disclosure of personal data is necessary to fulfil the contract between the data subject and the controller or the fulfilment of pre-contractual obligations undertaken at the request of the person whose data are being processed, etc. In any case, if there are no valid grounds for transferring personal data to a third country, the controller may request approval from the BiH Agency for Personal Data Protection.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be erased, with only the most important findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings. Employees whose data were processed must be informed of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Any employee instructed by the employer to cooperate during internal investigations could be obliged to do so in accordance with the general obligations arising out of their employment duties. To ensure their legality, interviews should take place within the working hours of employees and should be strictly connected to their work. Refusal to cooperate may be considered a breach of their employment duties, if anticipated as such in an employment agreement or the company’s internal acts.
An employee under suspicion of committing a breach of work duties shall be allowed by the employer to present his/her defence in case of a disciplinary procedure. However, if absent, the employee will miss the opportunity to defend himself/herself before the employer’s representatives. Therefore, such an employee does not have an obligation but rather a right to participate in any interviews organised by the employer, especially during a disciplinary procedure, but he/she may decide not to exercise such a right.
Do employees have the right to receive minutes from the interview?
Not specifically regulated. However, as minutes usually do not constitute a decision on the employee’s rights and obligations, it could be argued that employees in principle should not receive minutes from the interview.
Do employees have the right to be informed of the outcome of the investigation?
No, employees do not have to be informed of the outcome of interviews or the investigation, unless they are the subject of such an investigation for breaching work duties and found liable as an outcome of the investigation.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
The following laws primarily regulate whistleblowing in BiH:
- BiH Law on Protection of Persons Reporting Corruption in BiH Institutions;
- RS Law on Protection of Persons Reporting Corruption;
- BD Law on Protection of Persons Reporting Corruption.
There are no specific whistleblowing laws adopted in FBiH; however, the draft of the FBiH Law on Protection of Persons Reporting Corruption in FBiH was prepared by the Government of FBiH in March 2018 but has not yet been adopted.
The BiH Law on Protection of Whistleblowers regulates the protection of whistleblowers in BiH government institutions and companies established by such institutions. It regulates the status of whistleblowers, corruption reporting procedures, obligations of the institutions in relation to reporting of corruption, protection of whistleblowers, and sanctions for breaching the statutory provisions. However, the application of this law is limited, as stated above, and is in general not applicable to companies (unless they are established by BiH institutions). Under the BiH Law on Protection of Whistleblowers, the reporting of corruption may be conducted internally and externally, whereby internal reporting should be regulated by the internal bylaws of the relevant BiH institution or company established by a BiH institution, which are published on the premises and on the website of the institution. A whistleblower may opt to report corruption externally if: (i) the duration of the internal procedure exceeds 15 days; (ii) the whistleblower considers that the internal procedure was not properly conducted; or (iii) the whistleblower believes that the person authorized for collecting reports on corruption, or the head of the institution, may be directly or indirectly involved in the corruption.
The RS Law on Protection of Whistleblowers, inter alia, stipulates that any person can report (in good faith) any kind of corruption in the public or private sector of which he/she has direct knowledge. In that regard, the RS Law on Protection of Whistleblowers is also applicable to privately-owned companies. The law further provides for (i) the obligation to act upon a report of corruption as a general principle – stipulating that the responsible person is obliged to undertake measures for detection, prevention, suppression and punishment of all kinds of corruption as well as measures for the protection of whistleblowers; and (ii) the urgency principle (ekonomičnost) – stipulating that the procedure for the protection of whistleblowers is urgent and should be conducted without delay, in the shortest period necessary to determine all relevant facts. The RS Law on Protection of Whistleblowers provides that a whistleblower may initiate an internal protection procedure if they suffer any harmful effects from reporting corruption. Responsible persons are obliged to decide on such a request within 30 days of the day the request is submitted. The law also obliges the responsible person to:
- enable the reporting of corruption;
- receive the report on corruption;
- return the report to the whistleblower for amendments if the report does not contain all statutory elements;
- ensure data protection and the anonymity of the whistleblower;
- act upon the report, i.e. work on the detection, prevention, suppression and punishment of corruption, within seven days of the date of receipt of the report;
- without delay undertake activities to eliminate harmful effects to the whistleblower and ensure the protection and rights of the whistleblower;
- undertake measures for the determination of the disciplinary and material liability of persons involved in the corruption;
- notify the whistleblower of the measures and activities undertaken on the basis of his/her report within 15 days of the day of submitting a request for delivery of the subject notification;
- deliver the decision or the notification of the outcome of the procedure to the whistleblower within eight days of the day of conclusion of the procedure;
- forward the report without delay to the competent authorities if there are grounds for criminal liability;
- deliver the report to the RS Ministry of Justice in accordance with the law.
Any person who manages 15 or more employees shall adopt a whistleblowing policy (uputstvo), which shall include regulations on the procedure itself, on the whistleblowers’ rights, obligations of the responsible person and especially the protection of the whistleblower’s anonymity.
The BD Law on Protection of Whistleblowers is harmonized with the BiH Law, but in comparison to the BiH Law on Protection of Whistleblowers, the BD Law is applicable to both public institutions and privately owned companies.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes, a company shall be responsible for any criminal offence committed in the name of, on account of or in favour of the company, (i) when the criminal offence occurs on the conclusion, order or approval of the managerial or supervisory bodies of the company; or (ii) when the managerial or supervisory body has influenced the perpetrator or enabled him/her to commit the criminal offence; or (iii) when the company has been disposing of the illicitly-acquired monetary gain or has been using the items originating from the criminal offence; or (iv) when the managerial or supervisory body failed to act with due care in supervising the legality of its employees’ work.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Both the perpetrator and the company can be prosecuted independently. The liability of a company shall not exclude the liability of individuals, i.e. the responsible persons who committed the criminal offence.
Can corporate criminal liability be avoided or mitigated?
There are no applicable regulations that stipulate the possibility for a company to release itself from criminal liability.
A criminal sentence for a company may be mitigated if the managerial or supervisory body voluntarily reports a perpetrator after he/she commits a criminal offence; whereas the company may be exonerated from criminal sentence if its managerial or supervisory body (i) returns the wrongfully acquired monetary gain; or (ii) remedies any adverse consequences of the wrongdoing; or (iii) provides information on other companies’ liability.
For criminal offences committed out of negligence, a company may be liable if managerial or supervisory bodies of a legal person fail to carry out due supervision over the legality of employees’ work, in which case the criminal sentence for the company may be mitigated.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
There is no practice of out-of-court settlements, particularly if compared to the US settlement practice. Some instruments exist, but only a fraction of cases are resolved out of court. The out-of-court settlement system has essentially been constructed for prosecuting individuals and does not allow for prosecution to be settled without the admission of guilt.
A guilt and sanctions agreement made between the perpetrator and the public prosecutor is the only out-of-court settlement that has been used in practice. The offender must admit to his or her guilt and agree to sanctions that will then have to be confirmed by a court.
8. Upcoming Developments
Current court practice in terms of prosecuting companies is scarce and mostly based on imposing monetary fines, rarely on seizure of property or termination of the company. The practice of out-of-court settlements for companies in BiH is next to none, especially as prosecuting authorities are hesitant to initiate highly complex corporate cases. This is especially so given that current legislation makes cooperation almost impossible between prosecuting authorities and companies that would wish to cooperate, and given the practical non-existence of settlements.
It should be noted that BiH was identified as a potential candidate for EU membership in June 2003, with new developments in October 2022 when the European Commission recommended that candidate status should be granted to BiH upon fulfilment of a number of steps, that is fulfilment of 14 key priorities proposed by the EU in 2019. In any case, one of the key priorities that BiH still needs to fulfil is stepping up the process of alignment with EU acquis and implementation and enforcement of relevant legislation. It can be expected that in the future we will witness the harmonisation of BiH legislation with the EU acquis, whereas it remains to be seen in which direction such harmonisation will head, and if and how companies will benefit from it.
BULGARIA
Key Takeaways
- There is no corporate criminal liability in Bulgaria, but companies may incur administrative liability (i.e. pecuniary sanctions) for the misconduct of their employees, managers, directors and board members
- Investigating misconduct is included in management’s duties towards the company and is a sign of a sound compliance management system
- The newly adopted Bulgarian Whistleblowing Act creates entirely new obligations for companies to establish internal reporting channels and investigate whistleblowers’ reports.
- The effect of legal privilege is limited to the correspondence between the client and the lawyer
- Suspicion of bribery may trigger the duty to report information to the authorities
- Self-reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Under Bulgarian law there is no explicit obligation for companies to investigate internally detected misconduct.
However, some companies have dedicated internal security structures tasked with such prerogatives, and internal investigations are used as a compliance tool and a tool to limit potential liability of the company (civil and administrative) and of its managers/directors (civil, criminal and administrative).
New legislation on whistleblowing protection (see related chapter below), which requires companies, to a certain extent, to investigate matters reported by whistleblowers, was adopted in 2022. However, this concerns criminal matters, as they are to be reported to public authorities.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
As to civil liability, the Bulgarian Commercial Act provides that the manager/director of a company may be liable for damages, both for active actions and for omission of oversight. Therefore, an internal investigation may be required in case of reasonable suspicions of a possible wrongdoing in the company, as it could prevent further damages to the company (i.e. represent a mitigation measure) and potential liability for the manager/director. Also, if a manager/director has or receives information of a possible wrongdoing and does not take appropriate mitigation measures (such as an internal investigation), his or her actions could be considered as negligence and may be sufficient grounds for the company to claim civil liability.
Certain types of misconduct may give rise to criminal prosecution against the manager/director of a company and may trigger fines and/or custody, for example in case of negligence in the exercise of management or supervisory activity, entering into disadvantageous transactions, bribery, bankruptcy, money laundering, tax fraud etc. If a corporate director has a suspicion of criminal wrongdoing but takes no action to stop it, he or she may be held liable for “non-hindering criminal wrongdoing”. More complex constructions of co-liability in the form of aiding and abetting also cannot be excluded. In this respect, internal investigations may mitigate the potential liability of the managers/directors to some extent.
Managers/directors may also bear criminal liability if they have not conducted their business with the “care of a good trader” and for that reason the company enters insolvency causing harm to creditors. This obligation includes also the obligation to control and manage the employees in the company and to be aware of their actions.
Further, as per the recently adopted whistleblowing legislation (please see below), the company may be subject to financial sanctions in case it does not investigate an alleged breach reported by a whistle-blower.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
There are no general obligations for companies to report the outcome of internal investigations or information obtained during the investigation. Such obligation would be triggered only if there is sufficient evidence that a crime has been committed.
All individuals, and according to legal doctrine all companies, have a legal obligation to immediately report most of the crimes listed in the Bulgarian Criminal Code. In such a case, the obligation to report applies both to the company and to the individuals who have knowledge of the crime – investigators, managers/directors, employees, etc. This general obligation, however, is rarely sanctioned in practice.
A more subtle aspect is that knowledge of a potential crime, arising out of an internal investigation, if not reported, could potentially result in suspicion of concealment of, or complicity in, the crime. In practice few such examples have been identified, but in the context of complex business-related crimes involving multiple individuals, such risk should be considered in each specific case.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Under Bulgarian criminal law, in case of cooperation and voluntary self-disclosure, the punishment of the liable person shall be reduced. Although there are no specific provisions under criminal law providing the possible reductions, in practice prosecutors and courts tend to weigh them significantly in the course of the proceedings. This principle is applicable also in respect of administrative breaches (i.e. not criminal) in case of cooperation by the company. However, there are no guidelines or determining methodology that could be relied upon.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
As a matter of practicality, it is recommended that the company have an internal regulation in place that governs the process of dealing with (suspicion of) misconduct including internal investigation procedures as part of the compliance management system. It should specify the persons responsible for dealing with internal investigations (usually an independent compliance function) and how the structure of the internal investigation should be decided, including a process for independent reporting. These internal regulations shall be in line with the recently adopted whistleblowing legislation (see below), particularly with regard to the obligations of ensuring the confidentiality of the whistle-blowers’ identity.
Whenever there is a risk that a reporting duty may arise during the investigation, or if there is a risk of a police dawn raid, an attorney registered in Bulgaria should be engaged as an external counsel to lead and conduct the investigation to minimize the risk of exposure to the reporting duty, and to maintain legal privilege over investigation products.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
The concept of legal or attorney-client privilege does not exist in the same way as in the US. Legal privilege provided under the Bulgarian Bar’s Act applies to an attorney-at-law, an attorney-at-law from the European Union, a junior attorney-at-law or an attorney-at-law assistant within the meaning of the Bar Act, who has been admitted to the Bar Association.
Irrespective of any investigation, dispute, litigation, inspection etc., lawyers are also covered when they are providing advice not related to or arising out of investigations or litigations. This has been consistently applied by civil and criminal courts. However, some administrative authorities (such as the Bulgarian Competition Protection Commission) are more reluctant to apply this provision during their investigations.
Under the legal privilege, any papers, files, electronic documents, and computer equipment held by an attorney-at-law may not be subject to violation, inspection, copying, verification or seizure. Similarly, correspondence between an attorney-at-law and a client may not be subject to inspection, verification or seizure and may not be used as evidence. Meetings and calls between an attorney-at-law and his or her client may not be intercepted and recorded. Any recordings, where available, shall not be used as means of evidence and shall be subject to immediate destruction.
Attorneys-at-law cannot be questioned on their procedural capacity, about meetings, calls and correspondence with clients or other attorneys-at-law as well as with regard to any facts and circumstances of which they become aware in relation to their capacity. When a client is held in custody or deprived of liberty, his or her attorney-at-law has the right to meet him or her privately and their conversation during meetings may not be intercepted or recorded, although meetings may be subject to observation. Moreover, during meetings the attorneys-at-law have the right to hand over and receive written material in relation to the case. According to the Bar Act the contents of such documents may not be subject to inspection; which leads to the conclusion that legal privilege extends to documents created by attorneys after they are handed over to the client, but only in this hypothesis.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
No, in principle the confidentiality obligation is tied to the person of the attorney, rather than to the information or document itself. Therefore, any information or document that is protected when in the possession of the attorney is not protected when it is in the hands of the client or an unrelated third person.
The legal privilege would extend to the correspondence, including electronic correspondence, between the client and the lawyer. The question of whether “correspondence” implies all documents exchanged (e.g. internal investigation reports) and other products of the lawyer’s work, if included in the correspondence, is as yet untested. However, documents which are a product of the lawyer’s work and have been sent to the client should fall within the term “correspondence” and thus be included in the scope of legal privilege.
Does legal privilege apply to in-house lawyers?
No. In general, in-house counsel have the status of regular employees and don’t enjoy legal privilege.
It is possible for an attorney to work as an in-house lawyer (i.e. to work for only one client), but he/she must have been admitted to the Bar Association for the legal privilege provisions to apply to him or her. In-house lawyers who are not admitted to the Bar are not covered by the provisions in respect of legal privilege.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Legal privilege does not apply to other persons or entities. Even if works are subcontracted to them by lawyers, legal privilege cannot be extended.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine what data are needed for the internal investigation and where they are.
What means of communication are used (emails, apps, phones)?
It is then essential to determine whether and to what extent the company can legally access and review the data. It is not unusual for employees to use apps that are encrypted or do not save content, and it is then very difficult to distinguish the personal content of their communication from work content. Comprehensive and clear internal regulations providing the complete rules on communication, archiving and the use of company devices by employees on the one hand (in particular whether their private use is permitted), and explicit information on how the company can review and collect these data on the other, are a cornerstone of any proper internal investigation.
Prior to commencing any investigation activities, the company should also issue a preservation notice to employees to ensure that potential evidence (and all data relevant for the matter investigated) is preserved and not destroyed. The employees in question should sign or give confirmation that they are complying with the preservation notice, and this should be kept on record.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information? Is the consent of the custodian necessary before data collection begins?
Personal data processing in Bulgaria is subject to the GDPR. The law implementing the GDPR in Bulgaria explicitly regulates certain matters relating to the processing of personal data in the context of employment relationships. Among others, employers should adopt rules and procedures where systems are in place to report breaches and restrict use of internal company resources (e.g. emails, laptops, etc.). These rules must be communicated to the employees.
Employees have clear and specific rights to privacy in the workplace, recognized under Bulgarian law, but these rights are balanced with certain entitlements of the employer in the course of its business operations. Without the explicit consent of the employee, the employer only has the right to monitor or review the professional correspondence, messages, etc. of the employee. The employer has no right to check the personal e-mails of the employee. Any private correspondence is protected under the Bulgarian Constitution and any access or disclosure without the explicit consent of the employee could be subject to criminal liability. As an exception to this rule, the protection of private correspondence may be waived only by court order for the purposes of detection and prevention of serious crimes.
The employer should make clear in the internal company rules whether employees are entitled to use the company’s e-mail for personal use:
- if yes, the employer needs the explicit consent of the employee for access, processing and disclosure of their correspondence (as the employer would not be able to differentiate between professional and personal correspondence before accessing the e-mail);
- if no, i.e. if all use for personal purposes is strictly forbidden and only professional correspondence is allowed, then the employer has the right to monitor and process such correspondence without the consent of the employee, if employees have been informed that personal use is prohibited and that they will be monitored, and as long as the extent of the monitoring is proportionate.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
In case of an envisaged transfer of data to countries outside the EU/EEA, for which an adequate level of data protection has not been determined (e.g. the United States until July 2023), additional guarantees are required, e.g. the conclusion of the EU Standard Contractual Clauses.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be erased, with only the most important findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings. Employees whose data were processed must be informed in advance of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
An employee has an obligation to actively participate in the interviews organised by the counsel of the employer if this obligation exists in his or her employment agreement as part of the job description or if it is included as part of the internal rules or the interior labour regulations adopted in the enterprise. Otherwise, the employee is required to participate in such interviews only in case of a lawful instruction issued by the employer.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Yes. In 2023 Bulgaria adopted national legislation implementing the EU Whistleblowing Directive (Directive (EU) 2019/1937). The Protection of Persons Who Report or Publicly Disclose Information on Breaches Act (the “Bulgarian Whistleblowing Act”) entered into force on 04 May 2023.
Before the adoption of the Bulgarian Whistleblowing Act, Bulgaria did not have specific whistleblowing legislation, but only some isolated sector-specific provisions. For example, the Bulgarian Labour Code provides that submitting a report to the Financial Supervision Commission for breaches by an employer of certain financial services laws, the social security code and others shall not constitute a breach of work discipline in the form of abuse of the confidence and damage of the reputation of the business, nor a disclosure of confidential information, unless the employee deliberately communicates false information. The Bulgarian Anticorruption Act (Counter-Corruption and Unlawfully Acquired Assets Forfeiture Act) provides that any citizen who has any evidence of corruption or conflict of interest regarding a defined public officer may report this to the Anticorruption Commission. The Commission has an obligation to undertake specific measures to keep the identity of the citizen confidential, including measures to prevent any psychological or physical pressure over him or her. Specific measures to preserve a witness are also provided in criminal proceedings but not in civil or commercial proceedings.
The newly adopted Bulgarian Whistleblowing Act is the first dedicated whistleblowing protection instrument in Bulgaria. By implementing the EU rules, it introduced entirely new concepts and procedures in Bulgarian law and is expected to have a considerable impact on most businesses and the public sector. Companies only have a few months to prepare and to implement the new requirements. This means many companies will have to address multiple new challenges considering the novelty of these new requirements and their potential inexperience with adopting such internal procedures. A particularity of the Bulgarian Act is that it has a wider scope of application, providing the benefits under it to signals in relation to, among others, general criminal law breaches and breaches of employment legislation. In this respect, international companies may have to adapt their existing whistleblowing channels and policies to the local requirements in order to achieve compliance.
In line with EU law, companies with more than 50 employees, as well as companies working in some specific sectors without regard to their number of employees, are obliged to establish internal whistleblowing reporting channels. These reporting channels must guarantee due review of the whistleblower’s reports and guarantee their confidentiality; in addition, companies will be required to share some limited information about each signal with the local competent regulator – the Personal Data Protection Commission. Whistleblower reports, if they meet certain criteria, will trigger an obligation for businesses to investigate the alleged breaches.
7. Criminal proceedings against the company
Is there corporate criminal liability in the country?
There is no corporate criminal liability in Bulgaria. Only natural persons may be held criminally liable. Companies may be subject to administrative sanctions for some types of breaches, but not criminal liability.
Currently, the Bulgarian Ministry of Justice is preparing draft legislation to address recommendations by the OECD and the EC on this topic. Corporate criminal liability could potentially be implemented in the near future.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
No, only individuals may be prosecuted.
Can corporate criminal liability be avoided or mitigated?
N/A.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
The settlement of criminal proceedings under Bulgarian law is significantly different, compared to the US settlement practice.
In the course of criminal proceedings against individuals, voluntary settlements may be achieved either at the investigation stage (i.e. prior to the initiation of the court case), or during the initial phase of the court procedure. In both cases, the law does not allow for prosecution to be settled without the admission of guilt. The offender must admit to his or her guilt and agree to sanctions that will then have to be confirmed by a court.
Leniency programs do not exist under Bulgarian Criminal law, but only in the context of competition proceedings.
8. Upcoming Developments
Notwithstanding that criminal liability for companies does not exist under Bulgarian law, corporate investigations remain an essential tool for companies to ensure prompt compliance and to mitigate potential damages. Respectively, managers/directors may benefit from internal investigations to promptly react and limit potential criminal liability.
A major development is expected in relation to the implementation of the OECD recommendations concerning the OECD Anti-Bribery Convention application in Bulgaria. The Ministry of Justice has put in place a working group, aiming toward, among other things, the extension of corporate liability, redefinition of certain corruption crimes and the introduction of new, more efficient enforcement tools.
With the adoption of the whistleblower legislation, a gradual increase in situations prompting or requiring internal investigations in Bulgarian companies is expected.
CROATIA
Key Takeaways
- Criminal liability for misconduct of employees and board members could be extended to companies.
- Management’s fiduciary duties are to implement a compliance management system and if required to conduct internal investigations.
- Processing employees’ data requires prior authorisation and is crucial for a lawful and proper internal investigation.
- Legal privilege is limited to attorneys but can be effectively utilised for a broad range of service providers in internal investigations.
- Self-reporting and cooperation with prosecuting authorities may be beneficial for the company.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
There is no express obligation imposed on companies to investigate detected misconduct. However, diligently investigating misconduct as part of a compliance management system could help the company to be released from its criminal liability, if detected and reported.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
With regard to civil liability, corporate directors have an obligation to ensure that the corporation behaves in compliance with all relevant regulations as a part of corporate director’s general fiduciary duty. Whenever a corporate director has a reasonable suspicion of possible wrongdoing in the corporation, he or she must initiate appropriate steps to confirm (or dissipate) it, and to prevent further damage and wrongdoing with the appropriate actions. An internal investigation will often be such an appropriate step. In such cases, failure to conduct an internal investigation would represent a breach of the corporate director’s fiduciary duties and he or she could thus be liable for any prejudice to the corporation (e.g. penal or administrative fines, damages to be paid to third persons, loss of further profits etc.) that could have been prevented, had the wrongdoing been discovered in time.
Furthermore, under the Whistleblowing Act, the board has a strict obligation to set up a system for reporting wrongdoings. The board’s failure to do so, let alone any board’s interference with an internal investigation, may lead to a fine up to EUR 7,000 for the company and EUR 4,000 for the directors.
On the other hand, with regard to the criminal liability of directors, failure to investigate any potential wrongdoing should not automatically result in criminal liability. This particularly relates to offenses that could not be affected or prevented by the management board’s action. However, should the omission to investigate a wrongdoing be intentional and potentially aimed towards assisting the perpetrator, board members could be found criminally liable in certain circumstances. More generally, if a director has a firm suspicion of a serious criminal wrongdoing (e.g. corruption, money laundering, serious fraud) and does nothing about it, he or she may themselves be held liable for “non-hindering criminal wrongdoing”.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
There is a general obligation under the Criminal Procedure Act to report a crime. The obligation is also imposed on companies. Only attorneys, who learn about this information when providing legal services (i.e. conducting investigations), are exempted from this reporting duty.
However, companies should not be scrutinized by the reporting duty, as the right not to self-incriminate should apply to companies as well. Furthermore, individuals who can represent the company (i.e., corporate directors) should not be forced to report or testify against the company, as this would represent evasion of the right to not self-incriminate. Nevertheless, company employees who would be obliged to report crimes or have been conducting the investigation most likely would not be covered by the said right and might be obliged to report the crime.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Cooperation and voluntary self-disclosure should always be considered at least as a mitigating circumstance (i.e. leading to a smaller sanction). In some cases, voluntary self-disclosure, particularly when followed by efforts to rectify or mitigate the consequences of the criminal offense, may lead to a substantial reduction or even immunity from sanctions. Companies that disclose the criminal offense before the criminal offense is identified by the authority may be granted immunity from the fine.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
Internal rules that govern the process of dealing with wrongdoing and the subsequent internal investigation are highly recommended. The rules should envisage the persons in charge of the internal investigation and the framework of their work, spanning from the suspicion of wrongdoing to independent reporting. Furthermore, the rules should foresee an early involvement of attorneys (especially if there is a possibility that a reporting obligation may arise) and potential service providers, such as forensic or accounting professionals. In practice, the attorney usually subcontracts forensic or accounting professionals so that the risk of exposure is minimized, and legal privilege is maintained inside the company.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
“Legal privilege” under Croatian law is interpreted as the attorneys’ obligation (to the client) to preserve the confidentiality of all information received when providing legal services. This principle is respected by the State in various procedural situations. For instance, if an attorney is interviewed by an authority or invited to testify, the testimony can be refused if it would lead to a breach of the confidentiality obligation.
The same principle is applied to the obligation of delivering documents or their seizure. To ensure this, a special proceeding is implemented when attorneys’ premises are searched: a Bar representative must be present, and documents can only be seized if this representative attests that they are not covered by legal privilege. “Legal privilege” covers any information/data received when providing a legal service, regardless of whether this is received from the client or from third persons. A stronger privilege covers legal services provided within the frame of defense in criminal proceedings: in those cases, even any communication between the attorney and the client is protected.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
The privilege is associated with the attorney, who is registered with the Bar, as an individual (including attorney’s employees and subcontractors) and not to the information or document itself. Therefore, the information or document which is protected by legal privilege when kept by the attorney is not protected by the privilege if found in the hands of the client or an unrelated third person.
Does legal privilege apply to in-house lawyers?
In-house lawyers do not enjoy any privilege under Croatian law. Legal privilege applies to professional attorneys and therefore cannot be applied to in-house lawyers or counsels.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Although other types of privileges exist (e.g. tax advisors’ privilege), they do not have the same reach and effect as the attorneys’ privilege. All such privileges fall within the client-provider relationship when providing regulated services. However, corporate investigations cannot be fully subsumed by any other type of regulated services other than legal services. As noted above, “legal privilege” covers not only the attorney personally but also any other person used by the attorney for providing various types of services during the investigation. This means that if other service providers (such as forensic or accountancy experts) are subcontracted by the attorney in direct connection with a specific legal service, they should be covered by legal privilege to the same extent as the attorney. However, the special protection of premises does not apply to them. In practice, all relevant documents are usually kept in the attorney’s premises.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company should establish which data is required for the internal investigation, and once the data is identified it must be located. The needed data may be on printed paper or stored on various communication tools (business emails, apps, phones), devices employees use, cloud or local share-drives (which may all require IT-related knowledge). Employees may use encrypted apps, and it is very difficult to distinguish their personal data from their work content. For a lawful and proper internal investigation, companies’ rules should include a comprehensive and clear directive that regulates the employees’ communication, archiving thereof and the use of company devices (in particular whether private use is allowed or not), and conditions under which the company can review and collect these data if required. In addition, a preservation notice should be signed (or confirmed) by the employees, which would ensure that potential evidence is preserved and not destroyed if required.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Any personal data processing may only take place on one of the lawful grounds specified by the GDPR. In particular, processing of employees’ personal data within an internal investigation may only be based on the legitimate interests of the controller. However, the controller must perform a delicate balancing of legitimate interests against the interests or fundamental rights of the employees (e.g. the right to private life and secrecy of communication). This balancing exercise should be well-documented. Furthermore, the extent of the processing must be strictly necessary to achieve the aim of the investigation and there should be no less invasive measures available. Data included in the investigation should be carefully selected prior to their review and no private information should be accessed within the investigation. The set-up of the correct key words and adequate training of the reviewers is essential here.
The respective employees also have to be informed that their personal data may be processed within the investigation. The privacy notice must include, among others, the legal basis for the data processing, its purpose and the employees’ corresponding rights.
Reliance on employees’ consent during an investigation might be problematic. The GDPR requires that consent is freely given. According to the EU Data Protection Working Party, employees are almost never in a position to freely give consent, given their dependent position.
If third parties who act as data processors for the company (e.g. providing forensic services) are engaged, the conclusion of a written data processing agreement is necessary.
Finally, it must be reviewed internally whether the processing in this context (considering the nature, scope and purposes of the processing) is likely to result in a high risk to the rights and freedoms of natural persons. If this is the case, prior to the processing, a privacy impact assessment (impact of the envisaged processing operations on the protection of personal data) must be carried out. For example, processing of employees’ personal data by using applications or tracking systems is subject to such assessment and under the watch of the Croatian data protection regulator (AZOP).
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Cross-border transfer of data collected during an investigation outside the EU/EEA is subject to strict requirements. In particular, companies must ensure that the data will be adequately protected even after their transfer to a third country. Available instruments and guarantees include, among other things, binding corporate rules and EU Standard Contractual Clauses adopted by the Commission.
What should the company do once the internal investigation is finished?
Under the GDPR, all data collected during the internal investigation must be erased when the internal investigation is finished. Only the most important findings can be stored for eventual internal, court or administrative proceedings. Employees whose data were processed must be informed of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organized by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
An employee should participate and cooperate in interviews; however, their participation is voluntary as they cannot be forced to agree to the interview. This obligation can be inferred from the general obligation of all employees to perform their tasks according to the instruction of the employer given in line with the nature and type of work, and in particular their obligation to prevent damage to the employer. In case of managing employees, participation and cooperation can also be derived from their obligation to “ensure compliance with legal and internal regulations.”
Do employees have the right to receive minutes from the interview?
There is no obligation to provide employees with the minutes from the interview.
Do employees have the right to be informed of the outcome of the investigation?
In general, there is no obligation to inform employees of the outcome of interviews or the investigation. However, if the investigation was initiated based on a whistleblower report, the whistleblower needs to be informed about the investigation outcome.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing or to have a system in place for reacting to whistleblowing?
The latest Whistleblowing Act came into force on 23 April 2022. The Act regulates that corporations and employers (with a certain number of employees) have an obligation to establish a procedure for reporting potential wrongdoing and to appoint an internal officer responsible for receiving such reports. If confronted with information from a whistleblower, the responsible officer has an obligation to initiate appropriate analysis – and eventually investigation – of the situation as part of their duties.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes, there is a strict corporate criminal liability in Croatia. Companies may be held criminally liable for actions or failures in supervision or control by the company’s officers entrusted with business responsibilities at any level within the corporate structure. As a part of mitigating circumstances, a company may avoid criminal liability if it has implemented and applied adequate procedures for the early detection and reporting of such a crime committed by persons whose actions are attributed to the company.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes. Both the company and the individual perpetrator may be prosecuted for the same misconduct.
Can corporate criminal liability be avoided or mitigated?
In accordance with the Act on Criminal Liability of Legal Entities, companies which disclose the criminal offense before the criminal offense is identified by the public may be granted immunity from the fine. Furthermore, possible liability could be mitigated if adequate measures that could have prevented a crime from being committed (in practice referred to as the ‘compliance management system’) were in place.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
There is no available case law on out-of-court settlements regarding companies’ criminal liability. In general, the out-of-court settlement has been designed for natural persons and it must include the admission of guilt. Some leniency policies exist that are not directly connected to criminal liability but rather orientated to certain other offences, such as competition offences.
The instrument of the out-of-court settlement would be an agreement on guilt and sanctions made between the perpetrator and the public prosecutor. However, it is not widely used. Besides the criminal fine, there are other sanctions that may be imposed by the court, such as measures banning the company from certain commercial activities, from participating in public tenders or from receiving subsidies.
8. Upcoming Developments
There has been a major increase in the activities undertaken by the Croatian authorities in the past few years relating to investigations of corporate criminal liability. A number of criminal procedures were initiated regarding internal corporate wrongdoings (such as false accounting representation) or regarding bribery allegations (usually in public tenders for the purpose of various privileges through the abuse of official position and power). Such cases usually come with an extreme reputational risk for the companies, as the cases often have political implications and are therefore widely covered in the media. The establishment of internal corporate investigation policies and procedures has never been the focus of companies on the Croatian market, but a change in approach is imminent as it becomes more and more obvious that compliance and good internal practices will become one of the most important future aspects in terms of liability and reputation.
CZECH REPUBLIC
- Companies face criminal liability for the criminal misconduct of individuals holding a particular position at the company, of those exercising decisive control over the company, of their employees and, generally, of anyone acting in the interests of the company or in the course of the company’s business.
- The fiduciary duties of management include ensuring that appropriate misconduct prevention procedures are implemented. In this respect, measures must be implemented to prevent, detect and react to misconduct. Management must also be able to prove that the company has a compliance culture in place.
- Companies can release themselves from criminal liability if they can prove that they have set up an effective compliance management system that was capable of preventing the respective crime from being committed.
- The processing of employee data must be regulated by internal directives before the start of data processing and if necessary, legitimate interest assessments and balancing tests need to be conducted.
- Companies with more than 50 employees must implement a whistleblowing management system, designate an impartial person to receive reports and diligently investigate all reports while adhering to the confidentiality of the whistleblower.
- The obligation to report a suspicion to authorities can be triggered by listed crimes, including bribery. Non-reporting is a crime and only Czech Attorneys-at-Law working on the internal investigation are exempt from the reporting duty.
- Voluntarily self-reporting or cooperating with prosecuting authorities does not have any automatic benefit for the company in terms of reducing criminal sanctions. The same is true for administrative proceedings.
- The confidentiality duty of Czech Attorneys-at-Law – the Czech “version” of legal privilege – protects information and documents only when they are situated with the Czech Attorney-at-Law working on the respective matter. In-house counsels are not protected by legal privilege. A higher degree of information and document protection is granted for communication between defence counsels and their clients during criminal proceedings.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Diligently investigating misconduct or suspicion of misconduct is a fundamental part of any effective compliance management system where the company is striving to avoid criminal or administrative liability. Even if the investigation reveals that there was no misconduct, the company will have to prove and keep a track record that it takes compliance seriously and regularly investigates potential misconduct. This is an important aspect for all public authorities who assess the company’s compliance management system in terms of the company’s usual approach to dealing with suspicion of misconduct. If the company can do so, it can achieve significant reduction of an administrative or criminal sanction, or avoid the sanction altogether (see below). On the other hand, if the company cannot evidence that it takes and has taken compliance and suspicion of misconduct seriously, this can worsen its procedural position.
Since 2016, companies have been able to avoid criminal liability if they can demonstrate that they had adequate measures in place capable of preventing a crime that has occurred (“compliance defence”). This is also the case in administrative proceedings. A company will not be liable for an administrative offence if it proves that it took all efforts that could have been required from it to prevent the offence. On the other hand, a legal person cannot be absolved from liability if it did not exercise mandatory or necessary control over its employees. But even in such cases, the administrative bodies can still take into account the company’s approach to compliance and, for instance, significantly reduce any fine for anticompetitive conduct (by up to 60 % in recent cases) with the recognition of mitigating factors such as the company having internally investigated the conduct reported to the administrative body and adopted an effective compliance management system.
It is important to note that the fiduciary duties of board members include ensuring and monitoring that the company acts in compliance with all relevant regulations and that appropriate prevention, detection and remediation measures are being taken if non-compliance behaviour is reported or identified. Because they must exercise their duties with ordinary care, board members must not only ensure and oversee the implementation of appropriate procedures to prevent misconduct, but also ensure and oversee the investigation of any misconduct detected. If a board member suspects an instance of misconduct (or should have suspected it if they had performed their duties diligently) and does not ensure that this suspicion is investigated and that any misconduct discovered is properly handled, then they risk being held liable for an intentional “breach of fiduciary duties”. Moreover, if the suspicion of misconduct involves criminal wrongdoing, then they may be held liable for failing to hinder the criminal wrongdoing and even for aiding and abetting the crime.
A breach of fiduciary duties could lead the board members to become liable for any damage to the company that could have been prevented (e.g. penal, administrative or reputational consequences, damage to third parties, loss of further profits, etc.).
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
All individuals and companies have a legal obligation to immediately report (or prevent altogether) a catalogue of crimes listed in the Czech Criminal Code to the enforcement authorities. Non-reporting is a crime. Aside from the most serious crimes, this reporting duty also applies to crimes which it is in the public interest to tackle, such as crimes relating to dual-use goods or bribery. The only individuals exempt from this obligation are Attorneys-at-Law listed in the registry of attorneys maintained by the Czech Bar Association (“Czech Attorney-at-Law”), and, in some cases, the EU Attorneys-at-Law (for details, see Chapter 3 on legal privilege).
Any person who credibly acquires knowledge that such a crime has been committed or is being committed and fails to report or stop it without delay is committing a separate crime. This knowledge must be acquired in a credible manner (judged according to the credibility of the source, the circumstances and conditions, and the form and content of the information). This often means that the company can investigate the matter to the extent necessary, but if the crime committed is a listed offence, the company should report it immediately once the suspicion is confirmed.
Special considerations need to be made if, by reporting the crime, the company could be exposing itself to criminal prosecution for that same crime. Except for Czech Attorneys-at-Law and in some cases EU Attorneys-at-Law providing legal advice to a company, the company’s derived “right not to self-incriminate” does not apply to individuals investigating the misconduct, including company employees. These individuals are personally required to report crimes even where such reporting could incriminate the company. Companies should therefore consider this carefully when planning the structure of their internal investigations to avoid situations where the employees investigating the misconduct would be exposed to the reporting duty and would have to report the misconduct to authorities.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Public prosecutors and the courts can choose to release the company from criminal liability if the company has implemented adequate measures that were able to prevent the crime from being committed (compliance management system). Starting the investigation and willingness to cooperate with the prosecuting authorities or even disclosing the misconduct that could incriminate the company can arguably be a sign that such a system is in place. Judges can also consider self-disclosure and cooperation with the court as mitigating circumstances during court proceedings.
However, the law provides no automatic benefit for self-disclosure or cooperation, nor does it incentivise companies to self-report and cooperate with prosecuting authorities. In this sense, companies cannot be certain that they will obtain any benefit should they decide to cooperate, share information or report misconduct.
Another thing to consider is communication with the prosecuting authorities. In the United States, for instance, communication between a company (or its attorney) and the prosecution is common and predictable. In the Czech Republic, this has never been regular practice. Indeed, only a few years ago, communication (outside the court room) between a Czech Attorney-at-Law and the prosecution was inconceivable. Although this is now slowly shifting, Czech prosecuting authorities are generally skeptical and distrustful of this approach unless the Czech Attorney-at-Law already has a good relationship with them. For example, in our practice, we have managed to prove ourselves credible to public prosecutors through our consistent, honest and professional approach. Consequently, we have managed to conclude several settlements in large cases which might otherwise have had a tremendous reputational impact on our clients if they had gone through several years of public trials.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company should have a thorough internal regulation in place that governs the process of dealing with (the suspicion of) misconduct, including internal investigation procedures forming part of the compliance management system. It should specify the individuals responsible for dealing with internal investigations (ideally an independent compliance function) and outline how the structure of the internal investigation should be decided, including a process for independent reporting.
To minimise the risk of exposure to the reporting duty, the involvement of attorneys who benefit from the “Czech concept of legal privilege” (i.e. Czech Attorney-at-Law, or in some cases EU Attorneys-at-Law – see chapter 3 for detail) should be considered in the internal investigation, and whether the EU Attorney-at-Law benefits from the legal privilege should be determined beforehand. This helps maintain legal privilege concerning the outcomes of the investigation and protects companies and their businesses if there is a risk of a dawn raid. In the Czech Republic, bribery and bid rigging are still quite prevalent practices within certain sectors (especially those regulated and subsidized) and such situations can arise surprisingly often. To keep the risk of exposure low and to maintain legal privilege, Czech Attorneys-at-Law directly subcontract other service providers, such as forensic or accounting professionals, so that they report directly to the Czech Attorney-at-Law.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
The concept of legal or attorney–client privilege does not exist in the same way as in the United States or in other countries that use the Anglo-American legal system. In the Czech Republic, only legally defined types of attorneys are subject to a confidentiality obligation in keeping with the constitutional rights to a fair trial of their clients. These attorneys must keep confidential all information which they have acquired in connection with their legal services to their clients (for ease of understanding, we will refer to this confidentiality obligation as “legal privilege”).
Under the law, legal privilege covers Czech Attorneys-at-Law and EU Attorneys-at-Law. Czech Attorneys-at-Law are attorneys who are listed in the registry of attorneys maintained by the Czech Bar Association. Anyone listed in this registry can invoke legal privilege. In terms of EU Attorneys-at-Law, the law is less clear-cut. EU Attorneys-at-Law are nationals of a Member State of the European Union, a Contracting State to the Agreement on the European Economic Area or the Swiss Confederation, or nationals of another State, who are permanently established in one of these states and who have been authorised to provide legal services in this home state under the professional designation. The Czech Ministry of Justice publishes the only recognized professional designations for such attorneys in the Collection of Laws.
Furthermore, there are two kinds of EU Attorney-at-Law: the “Visiting EU Attorney-at-Law” and the “Established EU Attorney-at-Law”. Established EU Attorneys-at-Law provide services on a permanent basis in the Czech Republic and are listed in the registry of European attorneys maintained by the Czech Bar Association. Established EU Attorneys-at-Law have full legal privilege. However, these are rare. Most of the attorneys we work with in the context of internal investigations are Visiting EU Attorneys-at-Law – they provide legal services in the Czech Republic on an occasional basis. Visiting EU Attorneys-at-Law enjoy legal privilege only to a modified extent. When the legal services they provide constitute representation in proceedings before the courts or other authorities, including criminal defence, they have full legal privilege (there is no definition or case law indicating which services are included and which are not). For any other services, they have legal privilege to the same extent as they have in their home state. Other foreign attorneys, lawyers or in-house counsel cannot invoke any attorney-related privilege.
Legal privilege covers not only information known by the Czech Attorneys-at-Law, but also information in material formats (paper documents, data files or data disks) which they have received in relation to their legal services. All material information is protected if it is located on the premises of the Czech Attorney-at-Law (interpreted by the courts as all places where they work, including their home or car, and in the law firm’s data clouds).
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
Not currently. The confidentiality obligation is attached to the Czech Attorneys-at-Law (and their employees and subcontractors) rather than to the information or document itself. Therefore, any information or document that is protected while in the possession of the Czech Attorney-at-Law is not protected when it is in the hands of the client or a third party not subcontracted by the attorney.
Prosecuting authorities often use this to order a company, or its subcontractor, to hand over all documents they have received from the Czech Attorney-at-Law, including reports from internal investigations and interview transcripts. Therefore, the best practice is to structure the investigation together with the Czech Attorneys-at-Law leading the investigation, who will subcontract other third parties to participate in the investigation if such participation is necessary, and limit the documentation handed over by the attorney to the client.
In this regard, a new bill is currently being drafted which aims to extend attorney-related confidentiality to information (document or data) produced by the Czech Attorney-at-Law and handed over to the client.
It is also essential to structure investigations and their reporting lines in a way that minimises the risk of the investigation report being obtained by the authorities (e.g. during a dawn raid) and used as evidence in court proceedings. In the most sensitive cases, the Czech Attorney-at-Law will report only verbally and in person to a limited number of persons.
Does legal privilege apply to in-house lawyers?
No. In-house counsel are not regarded as Czech Attorneys-at-Law under Czech law. They have the status of regular employees and do not enjoy legal privilege.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
No. Only if they are subcontracted by a Czech Attorney-at-Law in direct connection with the provision of the legal services. In such cases, they can invoke legal privilege to the same extent as a Czech Attorney-at-Law. However, the special protection of attorneys’ premises does not apply to them. Therefore, all relevant documents should be kept on the premises of a Czech Attorney-at-Law.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine which data are needed for its internal investigation and where they are located. Other decisions should include: Which means of communication are used (email, apps, phones, ephemeral messages)? Which devices do employees use to communicate? Is there any cloud or local share-drive? Is the cooperation of a local IT expert needed? Is there any information that is only in hard copies (i.e. paper documents)? It is then essential to determine whether and to what extent the company can legally access and review the data. It is not unusual for employees to use apps that are encrypted or do not save content, and it is then very difficult to distinguish which of their communication is personal and which is work-related. A comprehensive and clear internal directive providing the complete rules on communication, storage and the use of company devices by employees on the one hand, and explicit information on how the company can review and collect these data on the other, is a cornerstone of any proper compliance management system and internal investigation. This becomes especially important in cross-border investigations. Companies should also issue a preservation notice to employees to ensure that potential evidence (and all data relevant for the matter investigated) is preserved and not destroyed. The employees in question should sign or give confirmation that they are complying with the preservation notice, and this should be kept on record.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Employee privacy is protected by both Czech labour law and data protection law, as well as by EU law (in particular the GDPR). The risk that an internal investigation could breach privacy laws must be assessed on a case-by-case basis. Generally, the greater the harm the company-employer faces (e.g. a large-scale corruption scheme organised by its employees), the more intrusive investigative methods can be considered proportional.
One-off targeted searches of emails/documents using carefully selected key words are unlikely to be considered disproportionate if the employer is aiming to protect itself, its property, and its reputation by helping to determine if employees may be in breach of their responsibilities. However, only work-related data may be processed. No private personal data can be subject to review, and any processing of private personal data must be stopped immediately once it is discovered.
The more the world moves into the virtual realm and the greater the variety of applications, clouds and other tools employees use for their work grows, the more intricate it is proving to adhere to data privacy laws. It is growing increasingly difficult to investigate non-compliance as employees are gradually using a wider variety of applications, online tools and ephemeral messaging.
The processing of employee data can only take place on one of the lawful grounds specified by the GDPR. In internal investigations, the most frequently used legal ground is the legitimate interest of the employer to conduct the internal investigation to protect its interests. However, the employer must delicately balance its own interests against the interests or fundamental rights of employees (e.g. the right to a private life and the privacy of communication) as part of a legitimate interest assessment (“LIA”). This balancing exercise should be properly documented in the form of a balancing test. Every balancing test should include at least information regarding the purpose of the data processing, the necessity of the data processing, potential consequences of the data processing (impact on data subjects), protective measures adopted and the outcome of the assessment.
A privacy impact assessment (PIA) is explicitly required under the GDPR if the type of processing is likely to pose a high risk to the privacy of natural persons (such as employees). A PIA must be performed, in particular, if the processing involves sensitive information or the merging or combining of data gathered by various processes, or if the processing occurs systematically over a prolonged time-period and may cause decisions about data subjects which have a significant effect on their lives (such as legal decisions). An evaluation must always be made as to whether it is necessary to conduct a PIA for the purposes of each internal investigation.
The extent of the processing must be limited to what is strictly necessary to achieve the aim of the investigation, and there must not be less invasive measures available. The information included in the investigation should be carefully selected prior to review and no private information should be accessed as part of the investigation. It is essential that the right key words are selected and that the reviewers are sufficiently trained.
Employees should be informed in an internal directive that their data may be processed as part of any investigation. This must include, among other things, the legal basis and purposes of the data processing and the corresponding rights of the employee. If employees were never informed that their data might be processed for the purposes of preventing harm, for instance, the company will be in breach of this obligation. It is not advisable to require employees to consent to the processing of their data during an investigation itself, as the consent must be freely given and can be withdrawn at any time.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Strict conditions apply to cross-border transfers of data collected during investigations to locations outside the EU. In particular, companies must ensure that the data will be adequately protected even after their transfer to a third country. Available instruments include binding corporate rules and standard data protection clauses adopted by the European Commission. On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework concerning the transfer of personal data to the United States. The Data Privacy Framework is an EU-US data transfer framework established in 2022. Personal data may be transferred from the EU to any US-based companies participating in the Framework free of further restrictions or authorisations. Companies may rely on the new adequacy decision when transmitting data to US companies once the US companies have enrolled in the Framework, without having to put in place additional safeguards (as was previously required by the Court of Justice of the EU). As with the previous EU-US Privacy Shield, the list of participating companies is maintained and made publicly available by the US Department of Commerce.
Lastly, where data are transferred within group companies, the relevant intra-group policies should also be in place.
What should the company do once the internal investigation is finished with the collected data?
Once the internal investigation has finished, the data gathered and processed during the internal investigation must be erased, except the most important findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings. Employees whose data have been processed must be informed of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Employees instructed by the employer to cooperate during internal investigations must do so in accordance with their general obligations arising from their employment duties (general obligation to prevent damage to their employer and loyalty obligation). To ensure legality, interviews should take place within the working hours of employees and should be strictly connected to their work. Refusal to cooperate may be considered a breach of their employment duties.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No. However, there might be obligations to notify the whistleblowers about how the whistleblowing report was processed and its results (see below).
6. Whistleblowing
The Whistleblower Protection Act has been in effect since 1 August 2023. The act implements the European Directive but goes further than EU legislation.
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Companies with more than 50 employees must implement a whistleblowing management system for reports relating to (potential) breaches in listed areas. This system must allow for reports to be submitted in writing or orally. It need not establish further details in this regard and an electronic/virtual whistleblowing system should generally be sufficient. However, a physical meeting must be arranged upon the request of the whistleblower. Currently, the act does not require anonymous reports to be processed in the whistleblowing management system, but we recommend that these be assessed as part of the compliance management system anyway.
One of the key obligations of the company is to designate a person to exercise the function of an impartial person responsible for reviewing whistleblowing reports. Only the designated person(s) has full capacity in relation to receiving, assessing and investigating reports. The designated person must be a natural person with a clean criminal and administrative record in terms of the offences set out in the act.
All reports must be confidential, protected, and diligently and impartially analysed. The whistleblower must be notified that the report is being processed and must be informed of its outcome.
The company can either maintain its own whistleblowing management system or outsource it to a third party or its parent company. However, there are certain practical limitations should the company decide to outsource or use its parent company’s whistleblowing management system. In all cases, the company will still be fully responsible for meeting the obligation set out by the act.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes. A company is liable for a crime if the crime was committed by any of a broad range of personnel listed in the Corporate Criminal Liability Act (e.g. managers, employees, board members, shadow directors, etc.) and if the crime was committed in the company’s interest or during the course of the company’s commercial operations. Strict corporate criminal liability exists, which means that a company’s criminal liability depends solely on the actions and intentions of the perpetrator, all the while remaining independent from and concurrent with the criminal liability of the perpetrator. This means that the company can still be prosecuted even if the perpetrator is never identified.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Both the perpetrator and the company can be prosecuted independently, and the company may be prosecuted (albeit rarely) even if the perpetrator is acquitted. Criminal liability of the company passes to any successor or successors.
Can corporate criminal liability be avoided or mitigated?
In accordance with the Corporate Criminal Liability Act, a company can release itself of criminal liability if it proves that it has implemented adequate measures that could have prevented a crime from being committed (in practice referred to as the compliance management system). In September 2018, the Prosecutor General’s Office issued non-binding internal guidelines for public prosecutors, which explain in detail how companies’ compliance management systems should be evaluated during criminal proceedings. They reference other international resources such as the DOJ’s guidelines on Evaluation of Corporate Compliance Programs, the UK Anti-Bribery Guidelines and compliance standards ISO37001 and ISO19600. Although conceived for internal reference by public prosecutors, they are used by both public prosecutors and the courts, and are also referred to by practitioners (simply because no other guidelines exist). They are regularly amended.
In particular, each compliance management system should be evaluated with respect to the proportionality principle, that is, in proportion to the organisational size, regulatory density, nature and international aspect of business activities, as well as the risk profile and market environment of a given legal person. Most importantly, the system should have viable core elements: it should be preventive (able to dissuade and impede misconduct), it should be capable of detecting any such misconduct and it should be reactive to misconduct (disciplinary consequences or legal action) or it must learn from the misconduct. Finally, the system must be capable of being continuously improved.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
There is limited practice of out-of-court settlements in the Czech Republic. Some instruments do exist, but only a fraction of cases are resolved out of court. The out-of-court settlement system has essentially been constructed to prosecute individuals and does not allow for prosecutions to be settled without the admission of guilt. Some leniency policies exist, but these are primarily limited to tax and antitrust offences.
As things stand, a Guilt and Sanctions Agreement made between the offender and the public prosecutor is the only out-of-court resolution which has frequently been used in practice. Indeed, this medium is currently gaining traction, primarily because it is much less time-consuming and removes the uncertainty of court proceedings. Still, it should be considered that this instrument has so far been used in just 1.5 % of cases. The offender must admit that the facts as presented by the prosecution are correct and agree to sanctions. Technically, the defendant does not “plead guilty” – the Criminal Procedure Code intentionally avoids this wording. Instead, since the aim of a plea bargain is to speed up criminal proceedings, the defendant and the prosecution agree on a set of facts (which either of them could or would otherwise dispute before the court), and the process of proving guilt is omitted. The agreement must then be confirmed by a court.
The biggest downside to this instrument is that, procedurally, the court approves the agreement by issuing a sentencing judgement (even though the offender does not plead guilty in the agreement). This means that the company still faces the consequences of a criminal conviction, which not only entails reputational damage but might also preclude it from participating in public tenders unless the criminal record is expunged. For example, the law on public procurement states that “A supplier is not eligible if it has been convicted of a criminal offence listed in Annex 3 [includes both Bribery and Bid Rigging]”. However, if the company is able to negotiate only to be sentenced with a monetary fine, it can avoid such consequences and be treated as if it had not been convicted and thereby, in our view, not limited from participating in public tenders.
Companies can be sanctioned with a fine ranging between EUR 1,000 and EUR 57 million. Initially, the fines were surprisingly low – in the order of thousands or tens of thousands of euros – but the public prosecution has been striving to change the system for calculating them and to increase them in the coming years to more accurately account for companies’ turnover, and is also pushing for higher sanctions in criminal proceedings.
Other common sanctions faced by companies include bans on commercial activity, bans on participating or working in public tenders and bans on subsidies. The companies can, after half the term of their penalty has passed, ask the court to be paroled and for the rest of their sanction to be dropped on condition that the company proves that it has implemented effective measures and a compliance management system capable of preventing criminal activity.
8. Upcoming Developments
One of the topics of most interest in forthcoming years will be ESG. Due to the increasing number of ESG regulations (including reporting and due diligence obligations) on the one hand, and the increasing levels of misconduct related to ESG on the other, such as greenwashing, misrepresentation and fraud, it can be expected that both criminal and internal investigations in this area will continue to increase in the future, thus increasing risks for companies and making it harder to meet the required level of duty of care for board members. In relation to the environment and ESG, the EU Directive on the protection of the environment through criminal law introduces new environment-related criminal offences and stipulates severe penalties, including maximum fines for legal entities of not less than 5 % of the worldwide turnover (Member states must transpose the Directive by May 2026).
Steady improvements in the proficiency and technological development of the prosecuting authorities have led to an increase in highly complex cases. This, unfortunately, is at odds firstly with the current legislation that makes cooperation between prosecuting authorities and companies wishing to cooperate almost impossible and, secondly, with the fact that, in practice, settlements do not exist. As a result, companies rarely cooperate with prosecuting authorities and self-reporting is uncommon because the only way to resolve the matter out of court is to admit guilt. This is currently a subject of debate with the OECD and the International Bar Association, who are both attempting to convince national legislators to establish a predictable system and procedure for out-of-court settlements for companies, which currently have few incentives (if any) to cooperate and self-report.
Additionally, the Prosecutor General’s Office is working on modifications to the way in which companies are prosecuted and sanctioned. Besides an improved and reworked system of non-trial resolutions, one of the possible new instruments could be monitoring: 3-year-long monitoring of the prosecuted company by an attorney, who should oversee the introduction and adherence to a compliance management system with the aim of changing and improving the company’s corporate culture. The Public Prosecutor’s Office is currently working on the draft bill which will significantly modify the prosecution of companies. However, this bill is still in the early stage and will not come into effect for at least another year.
HUNGARY
Key Takeaways
- Companies may be criminally liable for the misconduct of their employees and board members.
- Investigating misconduct is included in management’s fiduciary duties. Internal policies regulating the processing of employees’ data and the investigation of misconduct are cornerstones of a proper investigation.
- The concept of legal privilege is limited to the obligation of registered attorneys to preserve the confidentiality of information received from their clients.
- Self-reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Hungarian law does not explicitly lay down any such obligation. However, it derives from the general fiduciary duty owed by the company’s management to ensure compliant operations and business conduct that any suspected misbehaviour should be diligently investigated, even if such misbehaviour does not directly relate to any criminal offence.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
Corporate statutory representatives (directors) owe a general fiduciary duty to ensure that they as well as the company managed by them follow all relevant laws as well as the company’s articles of association or any resolutions of the company’s supreme decision-making body. Accordingly, in case of any reasonable suspicion of any possible wrongdoing, management is legally expected to take all appropriate steps to review (and legitimately rectify, if necessary) the situation. Unless an internal investigation is conducted, the directors risk being found in breach of their fiduciary duties and could therefore become liable for any prejudice (including damages) to the company that could have been prevented, had the wrongdoing been discovered in time.
The general threshold to trigger any criminal liability under the Hungarian Criminal Code is set at damage caused in excess of HUF 50,000 (approx. EUR 125). But obviously there are situations when criminal liability can be triggered without any monetary damage arising. Furthermore, if a corporate director has a firm suspicion of a still ongoing criminal wrongdoing (e.g., corruption, money laundering, antitrust behaviour in public procurement or concession, etc.), he or she may per se be held liable for “non-hindering criminal wrongdoing”.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
Under the Hungarian Criminal Code, in case of certain serious crimes (e.g. offences against the state or corruption involving officials) there is a reporting obligation (or obligation to stop them from even happening) by individuals having credible knowledge about the case, the failure to comply with which could constitute a criminal offence in itself. Hungarian legislation does not contain explicit rules on the reporting person, however, or about any straightforward exemptions.
The Hungarian Criminal Procedural Act confirms, nevertheless, that no one may be compelled to make a self-incriminating testimony or to produce self-incriminating evidence. In general, it can be established that the companies are not obliged to self-report.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Voluntary self-disclosure followed by good-faith cooperation will customarily be considered by the acting judge as a mitigating circumstance (i.e. leading to a lower sanction) during court proceedings. In some instances (e.g. antitrust behaviour in public procurement or concession) such cooperation can lead to a substantial reduction of or even immunity from criminal sanctions. Any such self-disclosure and subsequent cooperative conduct by the company cannot, however, automatically lead to preferential treatment or other procedural or substantive law benefits becoming available to the company in Hungary.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company should have an internal regulation in place, as part of its compliance management system, that governs the process of dealing with misconduct (or even the suspicion of misconduct), including internal investigation procedures. It should specify the persons responsible for dealing with internal investigations and how the structure of the internal investigation should be decided, including a process for independent reporting.
Whenever there is a risk that a reporting duty has arisen, or will arise during the investigation, or if there is a risk of a police dawn raid, an attorney should be engaged as an external counsel to lead and conduct the investigation as well as to minimize the risk of exposure to the reporting duty, and to maintain legal privilege over investigation products. Involving any external investigator should be considered on a case-by-case basis. If any further advice is needed from specific service providers and professionals such as forensic or accounting professionals, they should be subcontracted directly by the attorney and report directly to him or her. In such cases, concluding a confidentiality agreement is highly recommended.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
“Legal privilege” under Hungarian law is awarded to the communication created between an attorney and their clients in the course of, in the interest of or within the framework of defence during any proceedings, i.e. not just during regulatory or criminal investigations, but all administrative authority procedures as well as all court procedures launched by Hungarian authorities or before Hungarian courts, such as, in particular, competition, data protection and tax related proceedings, and regulatory proceedings relating to the financial services, energy, food, gambling, insurance, pharmaceuticals and other sectors. Such “legal privilege” will then prevent Hungarian authorities from reviewing or using as evidence any communication containing legal advice relating to defence in regulatory proceedings, so long as it is apparent from the communication and related documents that those were created by or related to exchange with external counsel.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
According to Hungarian law, all documents created by attorneys remain covered by legal privilege after they have been handed over to the clients. This means that Hungarian authorities are not allowed to use documents that contain legal advice as evidence in proceedings, irrespective of whether they are available from the clients. The authorities may inspect such documents only to the extent necessary to determine whether the lawyer has unreasonably refused access on the grounds of legal privilege. Legal advice in Hungary is defined broadly, so it is not limited to the advice itself but extends to all information that the client and the attorney communicate between themselves (including documents from both attorney and client).
It therefore remains very important to structure an investigation, including the embedded reporting channels, in a way that is sufficient to exclude the risk of any access by the investigatory authorities.
Does legal privilege apply to in-house lawyers?
Pursuant to a recent change in law, “legal privilege” applies to communication between the company and its in-house counsel to the extent that such an in-house counsel concerned is registered with the Hungarian Bar Association to perform attorney-activities.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
“Legal privilege” in Hungary is exclusively reserved for attorneys (including in-house counsel in certain instances, as discussed above). Although other regulated professions in Hungary (such as auditors, notaries, forensic or accountancy experts etc.) are also bound by certain professional secrecy obligations, their client-provider relationship will not benefit from the legal privilege provisions in Hungary. So long as their work products are bundled together and channelled through the external lawyer, however, the client will be able to benefit from the same legal privilege exemption.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine what data are needed for the internal investigation. The company should keep in mind the following questions:
- What forms of communication are used? (e.g. emails, apps, phones etc.)
- How does the company handle business and private content? Is it permitted to keep private content on company devices?
- What do the internal policies concerning data protection contain?
- What devices do employees use to communicate?
- On what devices does the employer store data? (e.g. cloud, local servers etc.)
- Is the cooperation of a local IT expert needed?
It is then essential to determine whether and to what extent the company can legally access and review the data. A comprehensive and clear internal policy or guide providing the complete rules on communication, archiving and the use of company devices by employees on the one hand, and explicit information on how the company can review and collect these data on the other, is a cornerstone of any proper internal investigation.
Destruction of any potential evidence by employees during the investigation may be considered a breach of their employment duties.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Any personal data processing may take place only on one of the lawful grounds specified by the GDPR. The consent of the employee cannot serve as a lawful basis, however, as – based on the EU Data Protection Working Party’s opinion – the precondition of a “freely given” consent is almost never satisfied in employment relationships. Having regard to the rules set out by the Grand Chamber of the European Court of Human Rights in Barbulescu vs. Romania, and the related recommendation of the Hungarian data protection authority (“NAIH”), the legal basis for reviewing employees’ business emails could be the employer’s legitimate interest, which requires a prior legitimate interest assessment.
Based on NAIH recommendations it is of the utmost importance to create an internal policy related to the reviewing of business email correspondence. In this policy the employer should lay down conditions for review of emails.
The process of internal investigation requires compliance with further obligations as well. Accordingly, the affected employees must be informed in advance of – among others – the legal basis of data processing, the purpose of processing and the (possible) technical means used for reviewing (in accordance with the GDPR and the applicable Hungarian law). Email review may cover business communication exclusively. Email review is allowed only to the extent strictly necessary to achieve its aim: e.g. based on the related practice, where the header or subject field of the email is sufficient to establish the infringement, the employer cannot process further data and open the email; the investigation shall cover only a certain limited period of time, etc. If software is used to find the relevant emails with the appropriate keywords, then after these emails have been sorted, private email correspondence cannot be subject to further investigation. As a general rule, the presence of the affected employee should also be ensured. If, however, the effectiveness of the investigation would be compromised by the presence of the affected employee, it is in the employer’s legitimate interest that the employee is not present at the investigation, subject to appropriate safeguards.
As such an email review may imply a high risk for the data subjects where a large amount of data is processed – despite the fact that the “black list” of mandatory data protection impact assessment issued by NAIH does not contain the review of business emails – the email review may require a data protection impact assessment (Article 35 of GDPR), and, where appropriate, the evidence related to the consultation with the data subjects (employees and their representatives).
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Cross-border transfer of data collected during an investigation to a third country is subject to strict requirements. In particular, companies must ensure adequate protection of the data even after their transfer. ‘Available and adequate means’ includes binding corporate rules and standard data protection clauses adopted by the Commission.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be erased, with only the most important findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings. Employees whose data were processed must be informed of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Yes. This obligation can be inferred from the general obligation of cooperation set out in the Hungarian Labour Code, but the employee cannot be obliged to testify against himself/herself. However, refusal to cooperate may be considered a breach of the employee’s employment duties.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No, employees do not have to be informed of the outcome of interviews or the investigation.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
The EU Whistleblower Directive came into force in November 2019 and required member states to implement the directive into national law by 17 December 2021. The purpose behind the directive is to create ‘safe channels’ for whistle-blowers to ensure greater and adequate protection from discrimination, dismissal and retaliation.
As of 25 May 2023, Hungary adopted Act XXV of 2023 on complaints, disclosures in public interest, and related rules on reporting abuses, thereby transposing the EU Whistleblower Directive into Hungarian national legislation and superseding previous national law regarding whistleblower protection in Hungary.
The Whistleblowing Act prescribes that entities with a headcount of at least 50 people are required to implement, maintain and operate an internal whistleblowing system intended to allow the reporting of abusive behaviour within the workplace. Entities employing between 50 and 249 workers can operate such systems jointly. Entities required to maintain such reporting systems have an obligation to acknowledge receipt of reports filed within a maximum of seven days. Operators must conduct thorough investigations into the report’s contents within a reasonable timeframe, not exceeding a mandatory deadline of 30 days from the date of receipt, save for a couple of limited exceptions provided by law.
Furthermore, the Whistleblowing Act prescribes specific safeguards to protect individuals filing their reports. As such, no retaliatory measures (e.g. forced demotions) can be deployed in response to lawful filings made in connection with an existing legal relationship that are in line with the Whistleblowing Act. The operator of the reporting system must provide transparent and easily accessible information regarding the system’s functions, the process of reporting and the reporting system itself.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Criminal liability of legal persons is indirect and contributory, meaning that criminal measures can only be applied to companies if the criminal liability of a natural person has been established. Accordingly, criminal proceedings are pending against a natural person; however, the court is entitled to order criminal measures against the company in the same proceedings. Otherwise, companies cannot be treated as perpetrators or be prosecuted in criminal proceedings.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes. Both the company and the individual perpetrator may be prosecuted for the same misconduct, though they would face different criminal sanctions.
Can corporate criminal liability be avoided or mitigated?
A company cannot automatically avoid criminal prosecution by, for example, cooperating with authorities. However, cooperation and voluntary self-disclosure will always be considered at least as a mitigating circumstance (i.e. leading to lower sanctions).
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
Under the relevant provisions of the Criminal Procedural Act and the Act on Criminal Measures Applicable to Legal Entities it is possible to conclude a settlement with the enforcement authorities during criminal proceedings, though a criminal measure ultimately becoming applicable to the company may not be the subject of any such settlement. A concluded settlement makes the investigation much easier and mitigates the penalty to a greater extent.
8. Integrity Authority
The Hungarian parliament has responded to ongoing concerns regarding the misuse of EU funds by enacting the Act on the Control on the Implementation of EU Funds, establishing the Integrity Authority responsible for monitoring the distribution of EU subsidies. Starting from November 19, 2022, the Integrity Authority operates as an autonomous administrative body that prioritizes the protection of the EU’s financial interests. One noteworthy aspect of the Integrity Authority is its selection process for the presidency, which involves a public international tender and attracts influential civil society bodies such as Transparency International.
The Integrity Authority’s main task is to identify and address circumstances that could negatively impact the implementation of EU funds, including instances of fraud, corruption, and conflicts of interest. It achieves this by monitoring projects and investments in Hungary that utilize EU-related funds. Furthermore, the Integrity Authority conducts integrity risk assessments, focusing specifically on Hungarian public procurement practices. It also produces integrity analysis reports and provides recommendations. To ensure effective oversight, the Integrity Authority has the authority to initiate investigations either proactively or in response to anonymous reports submitted by various stakeholders, including foreign investors, NGOs, and individuals. Additionally, the Integrity Authority can request assistance from other public bodies and, when deemed necessary, engage with Hungarian or European authorities such as the European Anti-Fraud Office and the European Public Prosecutor’s Office.
POLAND
Key Takeaways
- Companies may be criminally liable for the misconduct of their employees and board members
- Investigating misconduct is included in management’s fiduciary duties and indicates a sound compliance system.
- Internal directives regulating the processing of employees’ data and the investigation of misconduct are essential for a proper investigation.
- The concept of legal privilege is limited to the obligation of registered attorneys to preserve the confidentiality of information received from their clients
- Self-Reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company in general criminal proceedings but does have a benefit in criminal fiscal proceedings
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
There is currently no such regulation requiring companies to conduct internal investigations in connection with reported misconduct. Nevertheless, the Polish Company Code introduces the liability of board members for the obligations of a limited liability company in cases where enforcement against the company proves unsuccessful. Although no obligation to carry out internal investigation is set forth by this provision, board members may still be very much interested in conducting such an investigation given the risk of being held jointly and severally liable with the company for its obligations in the above-mentioned circumstances.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
Board members who are “not investigating suspicion of misconduct” might still be liable for “passivity” or “ignorance” because of the duty of care/fiduciary duties regarding the investigation of misconduct.
Such failure to act (e.g. the CEO of a company ignoring signs that one of his/her subordinates is stealing from the company) can result in a breach of duty of care or a breach of fiduciary duties and consequently cause damage to the company (monetary from the fraudulent behaviour, or reputational from any criminal prosecution that is triggered later). Therefore, board members can be held accountable on the basis of civil and criminal law. The company may sue them for damage caused by their passivity, or may bring a criminal referral against them.
However, unlike in certain other jurisdictions, passivity cannot be recognised as participation in a crime, even in situations where a board member has ignored obvious signs of a crime (e.g. bribery) committed by one of his/her subordinates. Even gross ignorance of a board member cannot result in criminal liability for participation in that crime or aiding its commission.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
As a rule, there is no duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities. Companies are not obliged to self-report. However, Polish criminal law provides for two kinds of reporting duties. Firstly, the Polish Criminal Code specifically recognises the failure to report the most serious listed criminal offences, including offences of a terrorist nature, murder, grievous bodily harm, bringing general danger, piracy, unlawful detention, rape, sexual abuse of a minor and hostage-taking. Failure to report such crimes constitutes a criminal offence.
Secondly, the Code on Criminal Procedure introduces a general obligation for anyone who has learned of the perpetration of a criminal offence that is prosecuted ex officio, to report it to the prosecutor or to the police, including fraud, money laundering, bribery and other offences. However, this is merely a social duty and failure to comply with this obligation does not imply any negative legal consequences.
Regarding the obligation of a company to self-report, Polish law does not require suspects to provide any evidence against themselves.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
There is a legal obligation on both individuals and entities to provide assistance to authorities that are conducting criminal proceedings whenever so requested by the authorities and within the required time period.
Otherwise, cooperation and voluntary self-disclosure must be taken into account (in relation to both individual and corporate liability) by the law enforcement authorities in criminal fiscal cases.
Any offender who, after committing a prohibited act, has notified the authorities appointed for his/her prosecution and disclosed the material circumstances of the act, in particular the persons cooperating in its perpetration, is not subject to punishment for a fiscal offence or fiscal misdemeanour. Furthermore, any person who submits a legally effective correction of a tax return and pays in full, either immediately or by the deadline set by the fiscal authorities, the monies by which public funds have been depleted or threatened to be depleted, is not subject to a penalty for a fiscal crime or fiscal misdemeanour. For clarity, a criminal fiscal case is a case related to a fiscal offence, whereas a fiscal offence is an offence directed against the financial interests of the Polish State, which threatens financial detriment to the State Treasury.
The benefits of cooperating/self-reporting are limited to fiscal crimes and do not extend to crimes against property. The benefits of cooperating/self-reporting also apply to perpetrators of the offence of giving a bribe, but not to the recipient of the bribe. Perpetrators of giving a bribe will not be subject to punishment if a material or personal benefit, or a promise thereof, has been accepted and the perpetrator has notified a body established to prosecute offences and has disclosed all material circumstances of the offence before the body learned of it.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
Because of the lack of specific legislation on internal investigations, companies would be well advised to introduce an internal regulation that governs the process for dealing with actual or suspected misconduct as part of their compliance management system. The regulation should contain provisions regarding internal investigations. Moreover, it should specify the persons responsible for dealing with internal investigations and how the structure of the internal investigation should be decided, including a process for independent reporting.
Whenever there is a risk that a reporting duty has arisen, or will arise during the investigation, or if there is a risk of a police dawn raid, an attorney should be engaged as an external counsel to lead and conduct the investigation to minimise the risk of exposure to the reporting duty, and to maintain legal privilege over the outcome of the investigation. If further advice is needed from specific service providers such as forensic or accounting professionals, they should be subcontracted directly by the attorney and report directly to him or her so that the risk of exposure is minimised and legal privilege is maintained.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
Polish law provides for two types of confidentiality privileges: defence counsel privilege and attorney-client privilege. The defence counsel privilege is absolute and unlimited in time. Nobody can release the defence counsel from his/her privilege. Persons bound by the obligation of professional confidentiality, such as notaries, attorneys-at-law or tax advisers, may be questioned about the facts covered by secrecy only where this is necessary for the sake of justice and where the circumstances cannot be determined from other evidence. The permission to question these individuals must be granted by the court.
The scope of legal privilege under Polish law is established in statutes with reference to two attorney professions carried out in Poland: attorney-at-law (adwokat) and legal advisor (radca prawny). In both cases, the attorney must be registered with the Bar Association. The following rules also apply to foreign EU attorneys registered with one of the Bar Associations, as well as trainee attorneys. In general, EU attorneys not registered in Poland are subject to the legal privilege provisions set forth in the law of their country of origin. The confidentiality obligation requires attorneys to ensure the confidentiality of everything they have learned in the course of providing legal advice. Legal privilege covers all information regardless of whether it is on paper, on computer or in a cloud, and irrespective of where it is located. This obligation cannot be limited in time. Information not covered by legal privilege includes information that an attorney acquires in circumstances that would justify suspicion of money laundering or terrorism financing. Information covered by tax mandatory disclosure rules (MDR) is also not covered by legal privilege.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
According to one internal regulation (the Code of Ethics of Attorneys-at-law), legal privilege also applies to case-related messages, notes and documents received from the client or other parties, irrespective of their location. Furthermore, a similar internal regulation (the Code of Ethics of Legal Advisors) states that the confidentiality obligation should be extended to all documents created by the legal advisor and to the legal advisor’s correspondence with the client and persons involved in their case, all of which are created for the purpose of providing legal advice. Attorney-client privilege does not apply to documents in the possession of a person suspected of a crime (as opposed to a suspect; i.e. a person who has been criminally charged).
As a rule, these regulations are upheld by courts and prosecutors. However, both public prosecutors and the courts do attempt to use the means legally available to them to obtain testimonies of attorneys and/or access to documents in legal proceedings of various types.
Does legal privilege apply to in-house lawyers?
Only in-house lawyers registered with a Bar Association enjoy legal privilege. In-house lawyers who are not registered with a Bar Association have the status of regular employees and do not enjoy legal privilege unless they are a defence counsel in disciplinary proceedings. In this latter case, in-house lawyers who are not registered with a Bar Association would also enjoy legal privilege.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Besides attorneys, various other professions do enjoy legal privilege within the scope established in the legal regulations for each profession. Such professions include tax advisors, auditors and auditing firms. However, the confidentiality obligation does not extend to accountants. Attorneys-at-law and legal advisors are required to ensure that their co-workers maintain confidentiality within the scope of attorney’s legal privilege. However, legal privilege cannot be extended by attorneys to the attorney’s subcontractors.
It is worthy of note that one consequence of the absolute nature of defence counsel privilege is the prohibition on reading documents containing information covered by this privilege.
The appropriate course of action with respect to a letter or document depends on who made the statement as to whether it contains information covered by defence counsel privilege – a defence counsel or another person.
Where such a statement is made by a defence counsel or a person who is not a defence counsel (e.g. secretary at a lawyer’s office) but it does not give rise to any doubts, the authority performing the activity should leave the documents with that person without learning of their content or appearance. Any statement by a defence counsel has an absolute character, as it is deemed credible and cannot be questioned.
Only when the statement of a person who is not a defence counsel does give rise to doubts, the authority carrying out the search should, without reading the letter or document, wrap and seal it and hand it over to the court, regardless of who ordered the seizure of property or the search. The public prosecutor, even if he/she himself conducts the search, is not entitled to acquaint himself with the seized documents and to assess whether they are messages covered by the defence counsel privilege.
The court should decide on how the retained letters or documents will be handled further. It should analyse the submitted letters and other documents in terms of whether they cover circumstances connected with the performance of the function of defence counsel. Only those documents which are not related to the performance of the function of defence counsel are retained for the purposes of the proceedings.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
In the preparatory stage of an internal investigation, the company should define what data must be obtained, identify the people who are in possession of the data and determine what form (digital or paper form) it takes and where it is kept.
A good starting point for internal investigations is a clearly defined internal policy which outlines the rules on use of the IT and communications systems and networks of the company, use of company devices, and the methods of monitoring, gathering and processing data obtained by the company.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Regulations protecting employee privacy include the GDPR, the Labour Code and the Act on Personal Data Protection. Before starting an internal investigation, the internal privacy policy or privacy notice used by the company should be checked in order to determine whether employees have been properly informed about the purpose and legal basis for processing their personal data in relation to the internal investigation, as well as their rights in this respect.
Employees’ data can only be processed on one of the lawful grounds determined in Article 6 of the GDPR. Given that the employee’s consent to the data processing must be freely given and can be withdrawn at any time, the processing should rely on a legal basis other than consent. In internal investigations, the most common legal basis is the company’s legitimate interest. Should the company rely on its legitimate interest, it must run a balancing test and carefully consider whether the aim of the processing is a legitimate interest and whether the legitimate interest is not overridden by the employee’s interests or fundamental rights and freedoms. In accordance with the principle of data minimisation, the data processing must be necessary and proportionate for the purpose pursued. The company must ensure that the least intrusive methods of data collecting and processing as regards the employee’s privacy and data protection rights are selected.
In the course of the internal investigation, the employee’s personal rights – in particular, secrecy of correspondence – must be respected. Employees’ emails/other records identified as private (e.g. from the subject header) cannot be accessed. A recommended solution to preserve privacy is to filter emails/documents by running keyword searches, which bring up only emails containing one of the chosen keywords. In any case, if it turns out upon reading an email or record that they are of a private nature, the review must be stopped immediately. No private data should be processed.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
If data collected during an internal investigation is transferred outside the EU, there must be a legal basis for such a transfer under the GDPR. An adequate level of data protection must be ensured by the company also after any data transfer to a third country. Based on adequacy decisions of the European Commission, data can be transferred to Switzerland, Canada, Japan, Israel and New Zealand, in particular. If data cannot be transferred under an adequacy decision, the most common arrangement is to enter into the standard data protection clauses adopted by the European Commission or have binding corporate rules in place.
What should the company do once the internal investigation is finished?
Once an internal investigation is closed, it must be evaluated as to what findings should be retained for possible disciplinary action or potential court or administrative proceedings. In accordance with the storage limitation principle determined in the GDPR, all other data collected and processed during an internal investigation must be deleted, since the purpose of the data processing has already been achieved. The transparency principle requires employees whose personal data are processed in connection with the investigation to be informed as to how that data are used.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Yes, it is the employee’s duty to participate in internal investigations when instructed to do so by the employer. This obligation arises as part of the duty of care over the best interests of the employer (loyalty obligation). Employees must follow orders of the employer which are related to work and which are lawful. Therefore, an employee who may potentially have information about any irregularities which occurred in the company, and who is instructed by the employer to actively participate in interviews, must follow that instruction. Refusal to cooperate can result in disciplinary measures.
Former employees are not required to cooperate in internal investigations. However, such an obligation can be imposed in a settlement agreement. This is usually the case if the irregularities have been reported before the employee left the company and the employer grants the employee additional voluntary severance pay in the settlement agreement.
Do employees have the right to receive minutes from the interview?
No, because these are documents prepared for the employer’s internal purposes.
Do employees have the right to be informed of the outcome of the investigation?
Currently, no, but if the interviewed employee is the whistleblower who triggered the internal investigation, he/she will need to be provided with feedback under the EU Directive on the protection of whistleblowers, which has nonetheless yet to be implemented in Poland. The whistleblower should be informed about the action envisaged or taken as follow up and on the grounds for such follow-up.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
The Whistleblower Act introduces an obligation to establish an internal procedure for reporting violations of the law and following up on them for legal entities for which at least 50 persons perform gainful work (under an employment or civil law contract), including self-employed persons on B2B contracts who do not employ other persons to perform this work. Entities in the financial sector and entities with anti-money laundering (AML) obligations must establish an internal procedure regardless of the number of persons employed.
The internal reporting procedure (whistleblowing policy) must specify in particular the internal organizational unit or a person within the organizational structure of a legal entity or an external entity authorized by the legal entity to receive reports. Moreover, the procedure must define methods of submitting reports by the whistleblower. These methods must include at least the possibility to report verbally or in writing. A verbal report can be made by phone or other voice communication systems. The Whistleblower Act specifies how to document the reports. At the request of the whistleblower, a verbal report can be made at a face-to-face meeting arranged within 14 days of receipt of such a request. A written report can be made on paper or electronically.
Also, the internal reporting procedure must specify an impartial, internal organizational unit or a person within the organizational structure of the legal entity, authorized to take follow-up actions, including verification of the report and further communication with the whistleblower, including requesting additional information and providing feedback to the whistleblower.
Under the Whistleblower Act, follow-up actions must be undertaken with due diligence. The whistleblower should be provided with feedback within a maximum deadline not exceeding 3 months from the confirmation of receipt of the report or, in the event of failure to provide the confirmation, 3 months from the expiry of 7 days from the date of submission of the report, unless the whistleblower did not provide a contact address to which feedback should be provided.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes.
Corporate bodies (Companies) are held liable for any offence involving the conduct of an individual:
- who acts for or on behalf of the company, within his/her right or obligation to represent it, make decisions on its behalf or perform internal audits, or who violates that right or obligation,
- who is enabled to act because of the violation by an individual referred to in the first bullet of his/her rights or obligations,
- who acts for or on behalf of the company with the consent or acquiescence of the person referred to in the first bullet,
- who is an entrepreneur directly cooperating with the company to achieve a legally admissible purpose,
provided that the company benefitted or could have benefitted from that conduct. This applies to both financial and non-financial benefit.
However, the company will not be held liable if it can prove that it decided to employ this individual with due diligence or that it exercised due supervision over him/her.
Strict corporate criminal liability exists, which means that corporate criminal liability depends solely on the actions and intentions of the individual who committed the crime.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
As a rule, no. There must be two independent criminal proceedings, one against the individual and the second against the company. The company can be prosecuted and held liable if the commission of a crime by the individual has been proven in court. The only exception to this rule is crimes against the environment, where prior conviction of an individual is not necessary to commence proceedings against the company.
Both the perpetrator and the company can be prosecuted in the same proceedings for fiscal offenses and fiscal misdemeanours.
Can corporate criminal liability be avoided or mitigated?
A company can deflect liability if it can be proven that a corporate body or a representative of the company – acting with the adequate diligence required under the given circumstances – put organisational arrangements in place regarding the entity’s activity that would prevent the individual from committing the criminal offence.
If the organisational arrangements put in place to prevent a criminal offence provide that an internal investigation should have been carried out in a given case, then the company will have to prove it has carried out that investigation if it is to avoid liability. In fact, it may be difficult to prove that the company has acted without due diligence or supervision considering the internal compliance systems and other monitoring instruments put in place nowadays by companies.
Corporate criminal liability can be avoided through cooperation and voluntary self-disclosure, which the law enforcement authorities must consider in criminal fiscal cases.
Any offender who, after committing a prohibited act, has notified the authorities appointed for his/her prosecution and disclosed the material circumstances of the act, in particular the persons cooperating in its perpetration, is not subject to punishment for a fiscal offence or fiscal misdemeanour. Furthermore, any person who submits a legally effective correction of a tax return and pays, either immediately or by the deadline set by the fiscal authorities, the monies by which public funds have been depleted or threatened to be depleted in full, is not subject to a penalty for a fiscal crime or fiscal misdemeanour.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
The company and the prosecutor can enter into a court settlement in which they agree a sentence and file a motion for conviction. The court may grant the motion for conviction where the circumstances of the crime and guilt are not in doubt and the objectives of the proceedings will be achieved even if a full trial is not held.
8. Upcoming Developments
Unfortunately, the Corporate Liability Act currently in force has turned out to be inefficient. This motivated the government to propose the Corporate Criminal Liability Amendment Act, but legislative work was discontinued at the end of 2022. Most importantly, the amendment intended to hold companies liable without obtaining a prior conviction of an individual, regardless of the crime committed.
ROMANIA
Key Takeaways
- Under Romanian law, companies face criminal law and other exposures for misconduct of their employees, managers and/or Board members.
- Timely internal investigations, other actions and sound compliance programmes are key for complying with the Board’s and other managers’ obligation to prevent harm to the company.
- Data protection by design should enable safe and sound internal investigation processes. Not addressing the data protection angles entails negative consequences from several perspectives.
- Legal privilege covers external attorney-client communication and could be extended to subcontractors (in-house counsels’ advice is not protected).
- There is an active duty to report corruption and assimilated crimes to the prosecuting authorities.
- The national implementation law on whistleblowers is giving rise to an intensification of reported cases.
- Increased enforcement and more frequent cross-border cooperation are on the rise.
- New local and international legislation enacted and other developments are expected also.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Until now, local legislation has not expressly required companies to investigate misconduct internally. Internal investigations were often triggered by the Board or other members of the management or other functions (e.g. compliance, legal) in exercise of their duty to address and prevent damage to the company. This duty also includes exerting efforts to ensure there is a compliance culture within the organisation, to investigate cases where there are red flags indicating wrongdoings or even the possible occurrence of damage and, ultimately, to address any issues identified by making informed and appropriate decisions to mitigate their negative consequences.
This outlook is changing also as a result of, inter alia, new enforcement and practice trends and also in light of recent, additional legal obligations under the local rules, such as, for example, the ones implementing the EU Whistleblower Directive. For example, private companies have a duty to follow up on whistleblowers’ reports and keep a special register stating the internal investigation measures taken. According to the national implementing law[1], the application of which is evolving, an internal report can be rejected/closed in limited circumstances where the alert does not satisfy the relevant legal conditions. The evolving interpretation and practice around such legal conditions and other related enforcement considerations are still being looked into and assessed further by authorities, with the outcomes set to depend also on some of the next steps or the recent entry into force of certain additional provisions at the end of 2023.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
Very briefly, without going into details, Directors/Board members/General Manager, among others, are held to a “warranty liability”. Namely, in their capacity as warrantors and controllers of the other officers and of personnel (if any of the latter cause damage to the company in carrying out their activities), the directors/Board members/General Manager are held responsible for any damage that would not have occurred if they had properly fulfilled their monitoring and control tasks. This liability may also apply to other functions in companies (e.g. Heads of Compliance, Audit or Legal functions, etc.), depending on, inter alia, elements such as the corporate structure, attributions, applicable internal rules within the companies and their groups, etc.
The directors/Board members/General Manager are held to multiple types of statutory liability towards the company, third parties and the authorities. Directors can be personally accountable under several types of liability, for example:
(i) civil law liability towards the company (in particular, if they violate their duties),
(ii) civil law liability towards third parties (in particular towards creditors if the company is insolvent and if the directors contributed to the insolvency of the company),
(iii) fiscal law liability for the debts of the company regulated, in specific cases, by the provisions of the fiscal procedure code and
(iv) criminal law liability for misconduct, as set out in criminal law provisions. The most relevant criminal offences provided for by Romanian law are abuse of the company’s assets or credit, abuse of the powers granted by directors, and deceptive accounting. Some of these may also be relevant for other functions in the company, depending on the corporate structure, attributions and applicable internal rules.
Diligent behaviour by Board members might deflect any civil liability on their part, even though the legislation does not provide express rules relating to this outcome of the internal investigations. In other words, even if there is no express legal requirement to perform an internal investigation (as a separate process), it is unquestionably beneficial to conduct such an investigation before claiming civil liability on the part of an employee or Board member in the courts. If the Board members perform such an internal investigation and they are not involved in the offence that led to the civil damage to the company, the Board members may, in their defence, use this evidence to prove their innocence.
Romanian labour law regulates the disciplinary procedure for all employed personnel, whether management or non-management. This procedure applies to both the public and private sectors (and also applies to board members/directors who are contracted by a company under an individual labour contract). This is a right held by the company/shareholders, rather than an obligation imposed on the company. Therefore, if an employer/company decides to take disciplinary measures, this decision may – in most cases – be taken after performing an internal investigation under the disciplinary procedure regulated by the Romanian Labour Code. During the disciplinary procedure, the company will process the evidence of potential misconduct by the employee and offer the employee the opportunity to defend himself/herself and present his/her own evidence. Board members may find the evidence disclosed during a prior internal investigation to be useful in proving that the general duty to protect the company was fulfilled. Companies may also perform an internal investigation as a process preceding employment disciplinary procedures – and may pursue the findings of the investigation – in order to commence disciplinary procedures against the employees involved. Following this procedure, the relevant disciplinary measures may be applied. In any such case, the statute of limitation term for applying the employment disciplinary measure will also need to be observed.
Moreover, not only must Board members set appropriate procedures to prevent misconduct, but they must also investigate any misconduct detected, which should often include an internal investigation. If the company and the Board members contribute to mitigating the negative consequences of a criminal offence, the Board members who made the appropriate decisions, who actively investigated the wrongdoing and who performed their activities diligently on behalf of the company may use such evidence to defend themselves and even to obtain a full deflection of criminal liability in cases where they were not directly involved in the criminal offence and to prove that they did not tolerate such misconduct and that they cooperated with the law enforcement agencies.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
If the outcome of the investigation relates to public or private corruption[2] or other associated crimes, the representatives of the company (with control duties) have an obligation to report it to the authorities. The individuals with control duties are required to notify the criminal investigation body, or other bodies empowered by law, of any information indicating that an illicit operation or act may have occurred which may be subject to criminal liability according to Anti-Corruption Law No. 78/2000 on preventing, discovering and sanctioning acts of corruption, as amended. Failure to report may trigger personal criminal liability of the respective individuals, which in practice may create sensitive or tense situations, which our team has managed to address successfully for clients in several crisis situations.
The Romanian Criminal Code also provides that any public servant (but also any person who supplies a public service, or who is under the control or supervision of the public authorities) who becomes aware of an offence criminalised by law in connection with the service but fails to immediately notify the criminal investigation body will be punished with up to three years’ imprisonment or a criminal fine. A person employed in the private sector might also be subject to this obligation if his/her activity falls under the control or supervision of a public authority; this may apply, for instance, to employees working in banking, insurance or in other areas regulated and controlled by a public authority in Romania.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
In Romania, the criminal authorities may take cooperation and voluntary self-disclosure into account in relation to both individuals and companies/legal entities. For example, under the Romanian Criminal Code, a person (i.e. the perpetrator) will not be punished if, before the criminal authorities become aware of the illicit act, that person has desisted from committing the act or informed the authorities of the illicit act in question in such a way as to prevent the illicit act from being completed, or if that person directly prevents the crime from being committed[3]. Any efforts made by an offender to eliminate or reduce the consequences of their own offence or any circumstances relating to the committed offence, which reduce the seriousness of the offence or the threat posed by the offender, may count as mitigating circumstances, leading the penalty prescribed by law to be reduced by one-third[4]. Also, for certain particular criminal offences (i.e. giving bribes and buying influence/influence peddling) and, likewise, where certain incentives are in play such as in anti-trust matters, the briber/buyer of influence will benefit from immunity if it/she/he reports it first.
[1] The main aspects relating to the draft law implementing the whistleblower mechanism are briefly summarized under Section 6 ‘Whistleblowing’ below.
[2] Article 308 of the Romanian Criminal Code sanctions not only acts of corruption committed by public servants, but also corruption in the private sector.
[3] Article 34 of the Romanian Criminal Code.
[4] Articles 75 and 76 of the Romanian Criminal Code.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
Internal investigations are not specifically regulated by Romanian law. Therefore, the internal investigation procedures should be regulated by the company as part of its compliance management system. For example, it should specify the persons responsible for dealing with internal investigations (usually an independent compliance function) and how the structure of the internal investigation should be decided, including a process for independent reporting and the involvement of objective external advisors, as the case may be.
Whenever there is a risk that a reporting duty has arisen, or will arise during an internal investigation, or if there is a risk of a dawn raid, the internal investigation should be conducted externally, i.e. by engaging an external law firm to lead and conduct the investigation. This serves, among other things, to minimize the risk of exposure to the reporting duty and to better protect the company by ensuring legal privilege over the products of the investigation. Non-legal advisors should be engaged as subcontractors to the external law firm, with the aim of extending the related legal privilege and minimizing other risks. Thus, as in other jurisdictions, in-house legal counsels, accountants, tax advisors or forensic advisors do not benefit from legal privilege, so any involvement on their part should be structured through the external law firm – see Section 3 below for more details.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
Confidentiality and attorney-client privilege (“legal privilege”) refers to the information/data/correspondence and communication between an attorney and his/her clients, and to the legal services provided by an attorney to his or her clients, in compliance with deontological and ethical standards. It does not apply to any criminal activities carried out by the attorney in relation to client activities, on behalf of or for the respective client.[5]
Under Romanian law, attorneys have an obligation to keep professional secrecy over any aspect of a case entrusted to them, unless provided otherwise by law. Professional documents and paperwork that are in the attorney’s custody or in his/her law office are inviolable.
Any search of an attorney or his/her residence or law office, or any seizure of records and assets, may only be carried out by a public prosecutor under a warrant issued under the terms of applicable law. Correspondence between an attorney and his/her client or documents containing records made by an attorney on matters relating to the defence of a client are exempt from evidence seizure and confiscation procedures. Also, the attorney’s phone calls cannot be listened to or recorded by any technical means, nor may the attorney’s professional correspondence be intercepted and recorded, except under the conditions and under the procedure provided for by law.
The relationship between an attorney and the person he/she is assisting or representing cannot be the subject of technical surveillance, except when there is evidence that the attorney is committing or is preparing to commit a crime. If the technical surveillance also covers the relationship between an attorney and a suspect or defendant, the evidence obtained cannot be used in criminal proceedings and will be immediately destroyed by the prosecutor.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
Although subject to various discussions, the safer interpretation is that legal privilege is not extended to documents created by attorneys after they are handed over to the client. Hence, any information or document that is protected when in the possession of the attorney is not protected in the same way when it is in the hands of the client or an unrelated third person. The confidentiality obligation is strictly related to the person of the attorney (including his/her employees and subcontractors), rather than to the information or document itself.
Does legal privilege apply to in-house lawyers?
In Romania, the law does not grant in-house legal advisors the same privilege.[6]
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
In Romania, no specific legal provisions relate to the privileges of third-party providers. Nonetheless, because they are employed by the attorney to support the attorney in dealing with an investigation or to clarify certain aspects that will allow the attorney to advise his/her clients, legal privilege should – in principle – extend to communication and correspondence with service providers, including any electronic data of the client sent by the attorney to a forensic accountant for analysis which is to be used to further document the client’s defence. This privilege should be expressly written in any contract signed between the attorney and the service providers.
[5] Legal professional privilege is regulated by Law No. 51/1995 regarding the organisation and exercise of the profession of attorney, by the Statute of the profession of attorney and also by the Romanian Civil Procedure Code, the Romanian Criminal and Procedure Codes and by Law No. 21/1996 regarding competition, as amended.
[6] Law No. 514/2003 regarding the activity of in-house counsels, as amended.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company should have in place internal norms/procedures providing comprehensive and clear rules on communication, data storage and the use of company devices by its employees, as well as information on how the company may collect and review personal data within an internal investigation. In this regard, the company should assess and determine which data are needed for the internal investigation and to what extent it can legally access and review the data, in observance of data protection legislation.
Moreover, before the commencement of data processing for an internal investigation, the company should issue a preservation notice to the employees in question to ensure that potential evidence related to the investigated matter is not destroyed and to inform the employees about their data processing in accordance with GDPR provisions.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
In Romania, the interception, storage as well as any other processing operations in relation to electronic communications are allowed in certain cases, such as, inter alia:
- the processing is regulated by the law;
- the user of the equipment consented to such processing; or
- access is given to the competent authorities.
As a principle, data processing in the context of internal investigations must rely on one of the legal bases established by the GDPR. Compliance with a legal obligation and legitimate interest are two of the legal bases companies can commonly rely on to process data in an internal investigation:
- Compliance with a legal obligation (Article 6(1)(c) of the GDPR), as is the case with an internal investigation carried out following a whistleblowing report, according to the applicable national whistleblowing law;
- Legitimate interest of the employer (Article 6(1)(f) of the GDPR), such as fraud prevention. A legitimate interest assessment should be carried out and the outcome of the balancing test should be in favour of the employer; in other words, the measure of accessing an employee’s business emails and other communication methods must be proportionate to the specific aim pursued by the employer (e.g. such access is triggered by a serious incident, such as an event indicating serious fraud, corruption, etc.).
Prior to accessing the employee’s business email account for the purpose of an internal investigation, the employer, acting as controller, must comply with its obligation under the GDPR to inform the data subject/employees about the processing of their personal data. Under some circumstances, where data processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller/employer may have to perform a data protection impact assessment prior to the data processing to assess the impact of the envisaged processing operations on the protection of personal data. The Romanian Supervisory Authority for Personal Data Processing (ANSPDCP), in its Decision No. 174/2018, published a list of criteria based on recital 75 of the GDPR that determine the need for a data protection impact assessment, such as: large-scale collection of sensitive data, systematic monitoring, matching of data, large-scale processing of data concerning vulnerable data subjects (employees are deemed to be vulnerable with regard to the employer), or large-scale processing of personal data through the innovative use of technological solutions. Therefore, when any such criteria apply to the processing in question, a data protection impact assessment must be carried out.
Consequently, a specific, tailored analysis is recommended, on a case-by-case basis, to establish the steps and framework for allowing access to such emails or other data.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Specific conditions apply to cross-border transfers of personal data collected during investigations, considering the GDPR rules (Articles 44-50). To briefly summarize, when personal data is transferred outside the European Union/European Economic Area, companies should ensure that the data will be adequately protected even after their transfer to a third country (i.e., that the level of protection of individuals afforded by the GDPR remains the same in the non-EU/EEA country where data is transferred). Accordingly, cross-border transfers of personal data are only permissible if:
- an adequacy decision by the European Commission is in place with regard to a third country (Article 45 of the GDPR), confirming that the third country, territory or international organisation maintains an adequate level of data protection;
- there are appropriate safeguards (e.g. standard contractual clauses adopted by the European Commission, an approved certification mechanism or an approved code of conduct) and, for data subjects, enforceable data subject rights and effective legal remedies (Article 46 of the GDPR);
- there are binding corporate rules (Article 47 of the GDPR);
- an international agreement, such as a mutual judicial assistance treaty, is in force between the requesting third country and the Union or Member State (Article 48 of the GDPR);
- “derogations” apply for specific situations with an equivalent level of protection for personal data, in particular if (i) the data subject has explicitly consented to the proposed transfer, or (ii) the transfer is necessary for the establishment, exercise or defence of legal claims. If none of these derogations applies, the legal provision specifies that such transfer may be justified on the basis of compelling legitimate interests (Article 49 of the GDPR).
What should the company do once the internal investigation is finished?
The data collected and processed during the internal investigation should be erased once the internal investigation is finished, except for those findings necessary for, for example, potential court or administrative proceedings.
7 Article 35 of the GDPR in conjunction with Article 5 of Law No. 190/2018 regarding the implementation of the GDPR and the Decision of the National Supervisory Authority for Personal Data Processing No. 174/2018 regarding the list of the personal data processing mandatory in the scope of the data protection impact assessment.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Employees have the right to participate in interviews performed as part of an employment related disciplinary procedure (i.e. it is not an obligation, but if the employee does not attend, she/he will have missed the opportunity to defend himself/herself to the employer’s representatives). In corporate investigations or internal audits, there is no express legal obligation for employees to actively participate. Such an obligation may, however, be regulated through, for example, internal procedures of the company, communicated to employees, as part of the loyalty obligation of employees or of their general duty to act responsibly and to cooperate with the company in protecting the integrity of the other employees or the assets of the company. However, if the employee refuses to participate in such an interview, the employer cannot oblige him/her to participate. For public authorities, the legal obligation of public clerks to participate in internal investigations is assessed on a case-by-case basis, taking into account some specific sector related regulations, as the case may be.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No. Employees do not have to be informed of the outcome of interviews or of the investigation.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Towards the end of 2022 Romania enacted local rules implementing Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law. Thus, in December 2022, Law No. 361/2022 entered into force and Romania implemented the EU Whistleblowing Directive. This happened after earlier attempts in the first part of 2022, which did not properly implement the requirements under the EU Whistleblowing Directive, hence an updated, more robust version of the Romanian implementing law entered into force in December 2022.
The current legislation replaced the previous national legislation on the whistleblower protection mechanism, which was limited to the public sector. The Romanian whistleblower law currently in force has extended the scope of the whistleblower mechanism and protection also to the private sector. As a result, currently private companies with more than 50 employees will have to identify or establish internal reporting channels, which they will make available for potential alerts. The main obligations of companies and risks to which they are subject: apart from addressing reports received in a timely manner, another main obligation of companies is to identify and to establish internal reporting channels and establish internal reporting procedures (the procedures for internal reporting and follow-up actions should include, among other things: the designation of a person, a department or a third party to receive, record, examine, take follow-up action and settle reports, acting impartially and independently in the exercise of those duties). This obligation for companies entered into force on 17 December 2023 and is mainly addressed to companies that have between 50 and 249 employees. Among other possible consequences, failure to comply with this obligation is also punishable by a fine of up to RON 30,000. Companies operating in specific sectors (e.g. insurance or financial services, the oil industry) must fulfil the above obligation regardless of their number of employees. Also, for companies with fewer than 50 employees, such procedures can be implemented and their employees can submit such reports (however, if there are no internal reporting channels put in place, the whistleblower will have to report externally).
Whistleblowers may be the companies’ employees, but may also be any other person who, due to his/her professional activity, becomes aware of violations of the law at the company level, such as self-employed persons, shareholders, administrators, directors, suppliers of products or subcontractors of services, as well as paid and unpaid volunteers and trainees. Also, an interesting aspect is that persons/candidates whose employment relation has not yet started and who make public reports/disclosures in relation to information obtained during the recruitment process and persons whose employment has ended can also act now as whistleblowers.
In addition, under the current national legislation, the scope of reporting appears broader than the exhaustive list of EU law violations provided under Directive (EU) 2019/1937. Under the local law, whistleblowers may report any violations of the law whatsoever; in other words, all actions or omissions that constitute non-compliance with legal provisions, which represent disciplinary violations, administrative offences or criminal offences, or which contravene their object or purpose, including non-compliance with ethical and professional rules. Due also to historical and cultural background particularly relevant to Romania or other countries in the CEE&SEE, some of these provisions have been criticized by some representatives of the business community as going beyond the rationale of public interest and over-expanding the whistleblower mechanism to include potentially trivial alerts.
The law regulates the reporting and follow-up procedure to be implemented by private undertakings, including the following key steps to be designed within the internal procedures: (i) the appointment of an internal or external independent person/entity to receive, register, examine, follow up on and settle reports, who will act impartially and who will enjoy independence in the performance of those duties, (ii) the design, establishment and management of the manner in which reports will be received, which must protect the confidentiality over the identity of the whistleblower and of any third party mentioned in the report and prevent access to it by unauthorized staff members, (iii) the obligation to send to the whistleblower, within a maximum of seven business days from the receipt of the report, confirmation of its receipt and to inform the whistleblower about the status of subsequent actions no later than three months after the date of confirmation of receipt and whenever subsequent actions are taken, unless the information could jeopardize the inquiry. The designated person/entity, as well as the means of reporting, must be brought to the attention of each employee, either by publishing it on the website of the institution or by posting it at headquarters, in a visible and accessible place. The employer must ensure that at least one means of reporting is accessible at all times. Aspects regarding reporting have been also clarified. The law sets out three procedures that the whistleblowers must follow in order to benefit from the protection of the law:
- internal reporting – the communication of information about infringements of the law within a company, carried out by means made available by the company (through its own channels);
- external reporting – communication of information about violations of the law to one of the following public authorities: public authorities and institutions that receive and deal with reports in their field of competence; the National Integrity Agency; and other authorities/institutions to which the National Integrity Agency forwards reports for assessment, etc.; and
- public disclosure – making information about violations of the law available in the public domain in any way. However, this action must meet one of the following conditions: (i) the whistleblower has first reported internally and externally or directly externally, but considers that appropriate action has not been taken within 3 months of receipt of the report (6 months in justified cases); or (ii) has reasonable grounds to consider that the breach may constitute an imminent or manifest danger to the public interest or a risk of damage that cannot be remedied or in the case of external reporting there is a risk of retaliation or a low likelihood that the breach will be effectively remedied, given the specific circumstances of the report.
Even if some of the angles regulated by the national law could be further improved, the latest form of the implementing law demonstrates progress on a practical level. It should be expected nevertheless that certain aspects will still be subject to discussion on their practical implementation (such as, for example, the interpretation and scope of “indications” of violations of the law, etc.). At the same time, the law also creates some more proactive compliance steps and approaches with regard to companies, not only on establishing internal reporting and related processes, but also on more actively dealing with and addressing such reports.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes. Under the Romanian Criminal Code, legal entities/companies in the private sector can also be liable for criminal acts. This operates in parallel to and in addition to any criminal liability of individuals who are involved or responsible (e.g. Board or other management members or officers, employees, other staff, etc.). The main criminal sanction is a criminal fine.
At the same time though and probably more impacting from an operational, business or other practical perspective, other ancillary sanctions might be added, ranging from the suspension of activity, the closure of certain work sites, prohibition from participating in public procurement procedures, placement under judicial supervision or the display or publication of the conviction decision, to the dissolution of the legal entity. In addition to these criminal and ancillary sanctions, civil sanctions may also apply in the event of civil liability. Hence, there could be significant consequences in case of criminal liability, which could also trigger civil liability.8
In addition, there may also be other adverse consequences (e.g. reputational harm, defaults under existing contracting arrangements, breaches of certain licenses due to a criminal conviction, claims from shareholders, etc.). For companies belonging to an international group, these consequences may escalate further – for example, the criminal liability of a local subsidiary may trigger knock-on consequences in the wider group and/or in other jurisdictions, depending on the particular case and/or the requirements laid down by the laws and authorities in those jurisdictions, combined with possible cross-defaults under contractual or other arrangements of the entire group of companies. A robust compliance system may prevent and mitigate corporate criminal liability if correctly implemented, enforced and monitored by the company’s management. In accordance with the criminal law territoriality principle, the Criminal Code recognizes that foreign legal entities that commit criminal offences in Romania can be held criminally liable locally as long as the other conditions laid down in Romanian criminal law are met, as mentioned below.
Furthermore, as in other jurisdictions, the State and public authorities/public institutions cannot be held criminally liable. From this perspective, however, the fact that a public institution cannot be held criminally liable does not exonerate the individuals who contributed to perpetrating the criminal offence from being criminally liable on a personal level.
It must also be underlined that legal entities, either private or State-owned, are susceptible to being criminally liable as long as the criminal offences in question refer to the performance of a private domain type of activity. Another – broader – condition for triggering the criminal liability of a legal entity is that the criminal offence must have been committed in pursuit of the object of business of the legal entity, in its interest or in its name. Therefore, in the Romanian criminal system, the criminal liability of a legal entity derives its source from the system of general liability, which is also stipulated in common-law jurisdictions, for instance, according to which legal entities are criminally liable for any criminal offence, without excluding some criminal offences entirely.
In practice, the existence of one of the three scenarios mentioned above needs to be assessed, which comprise this condition for corporate criminal liability, namely that the criminal offence was committed (i) in pursuit of the object of business, (ii) in the interest or (iii) in the name of the legal entity. Yet, in order for a legal entity to be held criminally liable from this perspective, one of these three scenarios listed above must be assessed and substantiated. We have been seeing an upward trend of prosecutorial authorities extending their investigations to the companies allegedly involved as well.
It also bears mentioning that even if a criminal offence is committed in the name of a legal entity, it is possible that this will trigger only the criminal liability of the natural person. This is particularly true where, by perpetrating the criminal offence, the natural person has harmed certain interests of the legal entity, but not because the act was against the interests of that legal entity but because the act might not fulfil the ingredients of the subjective element (because guilt is determined in relation to the attitude of the natural persons within the legal entity).
It should be noted that recently some decisions of the Romanian Constitutional Court and of the High Court of Cassation and Justice had impacts in ongoing criminal cases (involving both legal entities and individuals), due to the statute of limitation of the criminal offences investigated. Thus, the High Court of Cassation and Justice established that the legal provisions referring to the interruption of the statute of limitations of criminal liability are substantive law rules and are subject to the principle of the application of the more favorable criminal law. This decision was issued based on two decisions by the Romanian Constitutional Court, one in April 2018 and one in May 2022. Without entering into technical legal details, in short, the impact of such decisions of the Constitutional Court and of the High Court of Cassation and Justice is the shortening of the statutes of limitation for criminal liability for cases and offences investigated during a particular period of time.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Companies and individuals can both be prosecuted for the same misconduct. The Romanian Criminal Code expressly stipulates that the criminal liability of a legal entity does not exclude the criminal liability of the individual participating in committing the same offence. From analysing the scenarios where the criminal liability of a legal entity may be triggered, we see that, if we exclude exceptional situations, the general rule is that a natural person who meets all the objective requirements of a criminal offence mentioned in criminal law is personally liable, whereas a legal entity in relation to which the criminal offence has been committed may be held liable in certain cases. In practice, there are usually very few cases in which only the legal entity is criminally liable.
Furthermore, most of the opinions in the legal doctrine are of the view that establishing the criminal liability of legal entities entails, in all cases, assigning criminal liability to one or more natural persons who committed the respective criminal offence. Without this correspondence, triggering the criminal liability of only the legal entity would basically become arbitrary. Also in practice, there have been very few cases where a legal entity has been held criminally liable and no representative or employees have also been convicted.
It is also important to analyze the forms that the guilt of legal entities can take in order to establish the form of guilt with which the crime was committed. The guilt of a legal person is tied to its representatives and its organization, and it can be said that pinning guilt on the natural persons who are part of the representative body of the legal person is equivalent to pinning guilt on the legal person in question. However, if an act is perpetrated by a person other than the legal representatives of a legal person, guilt must be pinned on the legal person with reference to the attitude of its representative body concerning the crime committed.
Even though, theoretically at least, the criminal liability of a legal entity can be triggered without holding a natural person liable, the objective material element of the criminal offence must always be in regard to a natural person, even if his/her identity cannot be ascertained (for example, in the case of the collective representatives). In practice we are seeing more focus and more scrutiny around the possible liability of corporate entities/companies, alongside the separate types of liability attributable to the involved individuals (e.g. employees, managers, other staff or Board members, etc.).
Can corporate criminal liability be avoided or mitigated?
Romanian law provides no specific option generally applicable on how a company/legal entity can avoid criminal liability. For example, there are particular scenarios and offences when reporting leads to immunity and the avoidance of liability. At the same time, as we have seen in practice, there are also other instances where, for example, the proactive approach and attitude of a company to a particular case can, if not avoid criminal liability, at least achieve (significant) mitigating circumstances. The circumstances of each case and timely coordination across various angles, specialties and/or jurisdictions may be key, as we have also applied successfully in practice.
Also, from a prevention perspective, a robust compliance system may prevent and mitigate corporate criminal liability if correctly implemented, enforced and timely monitored.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
There is no established practice of out-of-court settlements, particularly if compared to the US settlement practice. Settlement and leniency policies are regulated in relation to antitrust offences. A company may benefit from full or partial immunity from fines if it applies for leniency or recognises a competition law breach early in the investigation process.
During the criminal investigation phase, the defendant can enter into a guilty plea agreement with the prosecutor regarding the crimes for which the respective defendant is investigated. In this respect, the legal entity can decide to enter into a guilty plea agreement if to do so is in its best interests. However, this is most of the time a difficult decision given that such guilty plea agreements mean, among other things, also admitting liability from a criminal law perspective. This procedure can also achieve several benefits for the defendant, such as the possibility to enter discussions with the case prosecutor and to negotiate the sanction that will be applied (criminal fines for legal entities are the main sanction from a local criminal law liability perspective). Also in this case, the prosecutor will not send the file to be judged by a court of law (there will be no indictment act drafted) and only one hearing will be set up for the judge to analyse if the guilty plea agreement complies with the prescribed legal provisions.
Of course, entering into such a guilty plea agreement means that the defendant recognises the fact that the legal entity committed the crime being investigated. Also, such an admission of criminal law liability may have consequential effects (e.g. reputational, contractual default clauses, impact on the wider group of the legal entity that admits criminal law liability in Romania, etc).
From this perspective, our team is also involved in various national and international working groups and proposals and debates for non-trial resolutions (NTRs) similar to those used successfully in other jurisdictions, such as the USA or the UK. The fact that Romania is also in the process of becoming an OECD Member State means that these NTR solutions might be more actively pursued for implementation in Romania too.
8 Art. 135 et seq. of the Romanian Criminal Code.
8. Upcoming Developments
Given the extension of the whistleblower mechanism to the private sector, the increased focus in the media and the prospects of rewards being granted to the individuals involved, we can expect an increase in the use of the whistleblowing tool to report statutory violations during work-related activities. Companies will not only have to allocate resources to set up a functional whistleblower mechanism that complies with various legal standards, but they might also require a shift in organizational mindset and culture in connection with conducting internal investigation measures in response to credible whistleblowing reports. Such follow-on corporate investigation measures will need to be documented and kept in a specific register.
As regards internal investigation processes, given work-from-home arrangements and some circumstances that might become permanent or quasi-permanent at least for some companies, internal procedures will need to be adapted to make remote investigations more practical, especially since, in practice, there are still gaps or backlogs of unchecked or uninvestigated situations. Other legal and related practical points, such as particular operational, data protection issues and potential interim measures will also need to be further adapted to (better) address the new realities of working from home.
At the same time, we also see a backlog of cases and slower progress in cases investigated by the authorities, due to various procedural, other lockdown-related or other restrictions implemented during the pandemic period or due to other more urgent cases following the recent Russian invasion in Ukraine, which froze or significantly slowed down some of the investigations. As mentioned by authorities and as seen by our team in practice, pending or slower cases are expected to be picked up and accelerated, especially in cases where there are potential statute of limitation issues or where international cooperation is relevant.
Also, from our team’s experience, in such unusual situations (e.g. pandemic, crisis, war in Ukraine, international sanctions, other geopolitical elements), companies usually fail to detect, or detect only later, internal fraud and/or other irregularities. Therefore, a proactive approach to looking into matters and/or periods not regularly or properly checked is advisable, especially in international groups that operate similar patterns or business models in several jurisdictions in the region. And this is ever more advisable for groups that are also subject to – aside from local laws in our region – laws sanctioning foreign corruption and other foreign irregularities (e.g. the US FCPA or the recent FEPA, the UK Bribery Act, the French Sapin II, foreign proceeds of crime or anti-money laundering laws, etc.). This is probably even more relevant in EU countries where the activity of the European Public Prosecution Office, operational from 1 June 2021, is now also even more relevant and where the first notable successes have already been seen in several EU jurisdictions, including Romania.
In the same challenging landscape over these last couple of years, we should not ignore sanctions-related compliance matters and related local provisions and local enforcement. From that perspective, 2022-2024 have been very busy and most of the sanctions-related matters and local enforcement activities also diverted the focus and resources of companies and authorities away from other non-compliance areas. Therefore, when upgrading and adjusting to the various sanctions packages and requirements, it is advisable to keep track of all other areas of possible non-compliance or other vulnerabilities, such as cybercrime related matters too, where our team has also seen a significant increase.
At the same time, various authorities in Romania (as well as in other EU Member States) are also increasing their enforcement activities and enforcement-related resources in light of Romania’s (as with other EU Member States’) commitments under its Recovery and Resilience Plan, which was approved by the European Commission. And in a landscape in which our team is also seeing swifter and more frequent international judicial cooperation in ongoing cases, a proactive, timely and coordinated approach from several jurisdictions also becomes key. This is even more the case in light also of the recent European Commission’s draft directive on anti-corruption matters, which, depending on its next steps and final form, may represent another enhancer and game changer for investigations and enforcement at a wider level in the EU. Our team is also part of various initiatives and task forces overseeing developments in such areas also.
SERBIA
Key Takeaways
- Companies may be criminally liable for the misconduct of their employees and management.
- Ensuring compliance with applicable laws and regulations is included in management’s fiduciary duties and is a sign of adequate corporate governance.
- Internal directives regulating the processing of employees’ data and the investigation of misconduct are the cornerstone of a proper corporate investigation.
- Self-reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company.
- Attorney-client privilege is protected in various procedural laws, effectively preventing attorneys from being forced to reveal confidential information received from their clients.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Although there is no explicit obligation for companies to conduct internal investigations aimed at identifying potential misconduct related to their business operations, companies are required to ensure compliance with applicable laws and regulations, which necessitates special care and diligence on the company’s part in the course of conducting business operations.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
To mitigate the risk of the liability for damages or criminal liability, a company’s management needs to take appropriate steps in order to ensure the remediation of identified breaches, one of which steps could be the performance of an internal investigation. Members of the management bodies (i.e. directors, supervisory board members, other representatives) have specific duties towards the company, including a general fiduciary duty. This duty means that all the above persons must act in accordance with their duties consciously, with the diligence of a “prudent businessman”, and with a reasonable belief that they are acting in the best interests of the company. One of the obligations of directors of the company is reporting to the shareholders assembly, or the supervisory board, on the status of company’s compliance with applicable laws and regulations.
Breaching the above-mentioned duties may lead to liability for damages of the director towards the company and/or the shareholders. Further, if the action (or inaction) of the director caused damages to third parties under the general rules of tort, the company may also be liable for damages to such third parties.
Acting in accordance with fiduciary duties described above may also serve to exclude potential criminal liability (due to strict terms of criminal liability) of the company’s management for potential breaches of laws and regulations within the company.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
There is no explicit self-reporting requirement under Serbian law with respect to the bribery-related criminal offences.
On the other hand, a separate criminal offence titled “Failure to Report a Criminal Offence” applies, inter alia, to an authorized person within a legal entity who knowingly fails to report a criminal offence of which he/she became aware in the course of his/her duties, if the identified criminal offence may be subject to imprisonment of at least five years.
Although the prosecution of the above criminal offence is not very common in practice, a general recommendation is that, once a suspicion of potential misconduct arises, it should be properly investigated and evidenced, in order to reasonably determine all relevant facts surrounding the case. This is especially so because intentional false reporting of a criminal offence is also criminalised under Serbian law and there is no clear legal standard under Serbian law defining when a person “knows” that the criminal offence has been committed.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Self-reporting does not guarantee exclusion of either individual or corporate criminal liability, although it may lead to such an outcome in certain cases. If the self-reporting does not exclude the existence of criminal liability, it should still be considered a beneficial occurrence while determining the punishment by the competent court.
Under the Corporate Criminal Liability Law, a legal entity may (i.e. this is not a guarantee) be exempted from criminal punishment if it (i) reveals and reports a criminal offence before it finds out that criminal proceedings were instigated, and (ii) voluntarily and without delay remedies damaging consequences or returns unlawful benefits which it received.
Moreover, for criminal offences which are threatened with monetary fines or imprisonment of up to three years, the public prosecutor may decide to drop the criminal charges against a legal entity, if it is deemed that the conduct of criminal proceedings would not be purposeful. When making its decision, the public prosecutor will consider whether the legal entity (i) reported the criminal offence before it found out that prosecution authorities became aware of the criminal offence, (ii) prevented the occurrence of damages or compensated the damages and remedied other consequences of the criminal offence, (iii) voluntarily returned any proprietary gain obtained through the criminal offence, (iv) has no assets or is subject to insolvency proceedings.
In respect of the individual criminal liability, the court may release the defendant from criminal punishment for criminal offences subject to imprisonment of up to five years, if the perpetrator, after the execution of the criminal offence, and prior to him/her becoming aware that his/her criminal offence was revealed, remedies the consequences of the offence or reimburses the damages arising therefrom.
In addition, the public prosecutor may drop the criminal charges with respect to:
- criminal offences subject to a monetary fine or imprisonment of up to five years, if the defendant accepts one or several of specific obligations ordered by the public prosecutor (e.g. removing damaging consequences, donating money to a humanitarian cause, performing work in the public interest, etc.); or
- criminal offences subject to imprisonment of up to three years, if the defendant, due to obvious remorse, prevented the occurrence of damages or if he/she fully reimbursed such damages, and the public prosecutor deems that, based on the circumstances of the case, imposing a criminal punishment would not be righteous.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company should have effective internal policies established that deal with the prevention and revealing of potential misconduct.
Such policies should primarily be focused on educating the company’s management and employees on acceptable behaviour and should clearly outline the actions and measures necessary for avoiding the occurrence of potentially detrimental situations. Training sessions should also be organized by compliance officers in order to acquaint the relevant persons within the company with applicable rules.
On the other hand, the internal policies should also include the possibility of performing a specific process, i.e. the internal investigation, aimed at revealing the existence of potential misconduct, with a preliminary outline of rights and obligations of (i) the company (e.g. to collect, process and control employee data, organize interviews, request return of business laptops and inspect employees’ business emails, etc.), and (ii) its employees (e.g. to participate in the investigation process, to receive basic information on the reasons for the conduct of the investigation, to request their privacy to be respected where there is no prevailing legitimate interest of the company, etc.).
Whenever there is a risk that a criminal offence may have been committed or whenever the inspection of employees’ communication needs to be performed, it is recommended that an external attorney specialized in the conduct of internal investigations be included in the process, as a legal counsel who will assist the company with the conduct of the internal investigation and, thereby, minimize the risk of violating the applicable legal procedures during the course of the investigation. If further advice is needed from specific service providers, such as forensic or accounting professionals, they may be recommended by the engaged external legal counsel and cooperate with him/her, so that the process is kept as efficient as possible.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
Legal privilege exists in Serbian law through the concept of an “attorney secret”. The attorney is obliged, in accordance with Attorney Bar statutes and Codex on Professional Ethics, to keep as a professional secret all information that was conveyed to the attorney by the client, or which he/she became aware of in any other way during the course of the preparation, provision, or post-provision of legal services. The attorney needs to ensure that all persons employed in his/her office keep the secret as well. The attorney secret is unlimited timewise.
The above legal framework is protected in various procedural laws, e.g. civil, criminal, misdemeanour, administrative, etc. The exact mechanism of protection of the attorney secret and specific rights granted to attorneys in general, depend on each specific law; however, it is common for all these proceedings that the attorneys cannot be forced to reveal the facts which fall under the attorney secret.
The attorney secret encompasses not only information, but also the documents, case files and other written instruments, and the attorney’s office as well. A search in an attorney’s office may be ordered solely by the court regarding the exact case file, object or document, and must be done in the presence of an attorney appointed by the president of the Attorney Bar. Information and documents identified during the search, which are beyond the court’s order, become inadmissible and cannot be used against the attorney’s other clients.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
No. The attorney secret is focused on protecting the attorney from being obliged to reveal information and/or findings that he/she came across in the course of his/her duties.
Accordingly, such secrets do not encompass any documents and information handed over to the clients.
In light of the above, we note that engaging an external legal counsel who will assist the company with the conduct of the internal investigation is generally useful, since the legal counsel’s report on identified findings arising from the internal investigation is provided to the company only once all the relevant facts and circumstances have been closely inspected and determined in the process.
Does legal privilege apply to in-house lawyers?
No. Legal privilege does not extend to in-house lawyers (i.e. lawyers formally employed by a company).
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Other professions may also be subject to different confidentiality obligations, regulated under separate laws. However, this confidentiality framework is in principle more limited when compared to legal privilege, and generally does not allow for confidential information to be kept away from the competent authorities during criminal proceedings.
It is unlikely that the attorney secret protection rules may extend to persons sub-contracted by an attorney, unless these persons are formally employed by such an attorney. Still, the Codex on Professional Ethics adopted by the Serbian Attorney Bar requires that the attorney personally ensure that all the associates, officials, trainees and other persons engaged by the attorney during the representation of the client, are warned about the confidential nature of the attorney secret information.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine what data is needed for the internal investigation and where it is. What means of communication are used (emails, apps, phones)? What devices do employees use to communicate? Is there any cloud or local share-drive? Is the cooperation of a local IT expert needed? Is there any solely-paper information? It is then essential to determine whether and to what extent the company can legally access and review the data.
It is not unusual for employees to use apps that are encrypted or do not save content, and it is then very difficult to distinguish the personal content of their communication from work content. A prior, comprehensive and clear internal directive providing the complete rules on communication, archiving and the use of company devices by employees on the one hand, and explicit information on how the company can review and collect these data on the other, is a cornerstone of any proper internal investigation.
The company should also issue a preservation notice to employees to ensure that potential evidence (and all data relevant for the matter being investigated) is preserved and not destroyed. The employees in question should sign or give confirmation that they are complying with the preservation notice, and this should be kept on the record.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Employee privacy is protected both by the Serbian Constitution and by the Serbian Personal Data Protection Law (modelled on the GDPR).
Internal investigations must be conducted in such a way that the risks of breaching privacy laws are minimised. This must be assessed on a case-by-case basis since, generally, the greater the harm faced by the employer (e.g. a large-scale corruption scheme), the more intrusive investigative instruments might be considered proportional.
One-off targeted searches of emails/documents using selected key words should not be considered disproportionate if the employer is aiming to protect itself, its property and its reputation by helping to determine if employees may be in breach of their responsibilities. However, only work-related data is allowed to be processed. No private personal data can be subject to review and any processing of private personal data should be immediately stopped.
Employees’ data processing can only take place on one of the lawful grounds specified by the Serbian Personal Data Protection Law. In internal investigations, the most frequently used legal ground is a legitimate interest of the employer. However, the employer must delicately balance its own interests against the interests or fundamental rights of the employees (e.g. right to a private life and secrecy of communication) as a part of a legitimate interest assessment (LIA). This balancing exercise should be properly documented in the form of the balancing test. Every balancing test should include at least the information regarding the purpose of data processing, necessity of the data processing, potential consequences of data processing (impact on data subjects), protective measures adopted, and outcome of the assessment.
A privacy impact assessment (PIA) is explicitly required under the Serbian Personal Data Protection Law if a type of processing is likely to pose a high risk to the privacy of natural persons (such as employees). A PIA must be performed particularly if the processing involves the processing of sensitive information, the merging or combining of data which was gathered by various processes, or occurs systematically over a longer time-period and may affect decisions about data subjects which have a significant effect on their life (such as legal decisions). It must always be assessed whether a PIA must be carried out for the purposes of an internal investigation.
The extent of the processing must be limited to what is strictly necessary to achieve the aim of the investigation, and there must be no less-invasive measures available. The information included in the investigation should be carefully selected prior to review and no private information should be accessed as part of the investigation. It is essential that the right key words are selected, and the reviewers are sufficiently trained.
An internal directive should inform employees that their data may be processed as part of any investigation. This must include, among other things, the legal basis and purposes of the data processing and the corresponding rights of the employee. Requiring employees’ consent to the processing of their data during an investigation cannot be recommended, as consent must be freely given (it is questionable whether the criterion of “freely given” consent could be fulfilled in an employment relationship) and can be withdrawn at any time.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Any cross-border transfers of data collected during investigations to countries outside Serbia should be analysed, as such a transfer must be done in line with the Serbian Personal Data Protection Law. This further means that this transfer will be permissible to a country, a part of territory or one or more sectors of determined activities within such a country and an international organization procuring an adequate level of protection of personal data (i.e. a country/part of territory/sector/organization that is included in the “List” maintained and published by the Serbian Government, or has entered into a relevant bilateral agreement with Serbia). Otherwise, companies must ensure that the data will be adequately protected even after their transfer to a third country (i.e. country/part of territory/sector/organization that is not included in the above-stated “List”), by applying appropriate safeguards. The latter approach should be taken to transfers to the USA, even if it is included in the “List”, as the Serbian Data Protection Authority took a stand that the so-called EU-U.S. “Privacy Shield framework” cannot be used as an adequate mechanism for the transfer of personal data to the US under the Serbian Personal Data Protection Law.
Available instruments include, for example, the standard data protection clauses adopted by the Serbian Data Protection Authority, intended for controller-to-processor relationships. In addition, where the data is transferred within the group companies, the relevant intragroup policies should be in place.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be erased, with only the most important data and findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings. Employees whose data were processed must be informed of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Yes. For an employee, this obligation may be inferred from the general obligation to prevent damages to the employer.
However, to ensure the legality of such interviews, these should take place within the working hours of employees and should be strictly connected to their work. Refusal to cooperate may be considered a breach of their employment duties.
Do employees have the right to receive minutes from the interview?
Not by law, but such obligation may be imposed by the employer’s internal enactment.
Do employees have the right to be informed of the outcome of the investigation?
No, employees do not have to be informed of the outcome of interviews or the investigation.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Yes, Serbia has had a Law on Protection of Whistleblowers in force since 2014.
Any employer with more than 10 employees must adopt a specific internal act, which regulates the internal whistleblowing procedure and must be available to all employees (e.g. via announcement boards, copies, intranet, etc.).
Moreover, the employer must inform all employees of their rights under the Law on Protection of Whistleblowers, and a specific person for receipt of whistleblowing reports must be appointed. Under the Whistleblowers Act, employers are obliged to act upon a whistleblower’s report within 15 days and remedy the reported issue, in accordance with its authorizations. The whistleblower must be protected from all harmful consequences and his/her identity must remain anonymous, if the whistleblower did not reveal it on his/her own initiative.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes, Serbia has a Corporate Criminal Liability Law in force.
The liability of a company is based on the liability of its authorized person. An authorized person is broadly defined as a person within a legal entity that under a law, regulation or by other authorization performs management, supervision or other duties in the scope of the legal entity’s business activity, as well as the person that actually performs such activities.
A legal entity shall be liable for (i) a criminal offence committed by its authorized person, within the scope of the activities and/or authorizations of the authorized person, with an intent to establish a gain for the legal entity; or (ii) a criminal offence carried out for the benefit of the legal entity, if the offence was committed by a natural person acting under the supervision and control of an authorized person within the company, if the offence resulted from the lack of required supervision or control by the authorized person.
While there is no established case law confirming that having a compliance system would exculpate the company, it is obvious from the above provisions that the acts of supervision and control of a company’s authorized person(s) are crucial for evaluating the criminal liability of the company. Thus, the existence of such a compliance system serves an important role in the legal defence of the company.
In addition to the criminal liability, Serbian law also recognizes the liability of legal entities for misdemeanours (prekršaji) and commercial offences (privredni prestupi).
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes, both the perpetrator and the company can be prosecuted.
Can corporate criminal liability be avoided or mitigated?
As mentioned above, there is a possibility for the legal entity to be exempted from criminal punishment if it (i) reveals and reports a criminal offence before it finds out that criminal proceedings were instigated, and (ii) voluntarily and without delay remedies damaging consequences or returns unlawful benefits which it received.
On the other hand, since the existence of corporate criminal liability is closely related to the actions of a legal entity’s authorized person(s), establishment of an effective compliance management system may also serve as an important element in the prevention of any potential misconduct by the legal entity’s officers and/or employees. Further, existence of such compliance management system may potentially serve as a beneficial circumstance before the prosecution authorities.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
Public prosecution is authorized to execute settlement agreements with defendants focused on: (i) admission of guilt, (ii) testimony by an accomplice and (iii) testimony by a convicted person.
The common use of all the above settlement agreements is the possibility to negotiate with the public prosecution on the type, manner and scope of a criminal punishment. Admission of guilt is a necessary pre-condition for the execution of the above settlement agreements and these agreements cannot be offered to a person deemed to have been the instigator of an organized criminal group.
Moreover, all the above settlement agreements need to be confirmed by a competent court, before they are legally adopted.
Given the above, however, we once again note that the public prosecutor may decide to drop the criminal charges in certain cases. This possibility also includes a legal framework similar to the concept of a “deferred prosecution agreement” known in other jurisdictions, i.e., the public prosecutor may defer criminal prosecution and ultimately drop the criminal charges with respect to, inter alia, criminal offences subject to a monetary fine or imprisonment of up to five years, if the defendant accepts one or several of specific obligations ordered by the public prosecutor (e.g., removing damaging consequences, donating money to a humanitarian cause, performing work in the public interest, etc.).
8. Upcoming Developments
According to the latest reports of the Serbian Republic Public Prosecutor, prosecution of criminal offences against commerce, as well as prosecution of legal entities in Serbia in general, is becoming more common in the everyday practice of the prosecution authorities. Based on official estimates, out of all commerce-related criminal complaints submitted to the prosecution authorities in 2023, approximately 30% referred to criminal offences with a corruption element.
There is an intensive trend of increasing education and training of acting public prosecutors, competent prosecution personnel and other authorities (e.g. police departments, forensic departments, etc.) engaged in the prosecution of criminal offences related to the performance of commercial activities. This ultimately also results in an increased necessity for companies and other commercial entities to ensure their compliance with applicable regulations.
Moreover, official reports show a continuing increase in the instigation and reporting of misdemeanour and commercial offence proceedings against legal entities, by various competent authorities in Serbia (e.g. Tax Authority, Customs Authority, Business Registers Agency, etc.) as a result of wrongful conduct by the management or employees, leading to potential significant fines and other legal consequences for the entities.
Accordingly, the adoption of necessary internal policies, as well as the organization of proper education and internal trainings within companies, is highly recommended, followed by the performance of necessary internal investigations in situations in which potential issues need to be timely identified and remedied.
Related experts
Aleksandar Ristic
Attorneys at Law in cooperation with Wolf Theiss
Marijana Zejakovic
Attorney at Law in cooperation with Wolf Theiss
SLOVAK REPUBLIC
Key Takeaways
- Companies may be held criminally liable for the misconduct of their employees and board members.
- Investigating misconduct is included in management’s fiduciary duties and is a sign of a sound compliance management system which could help the company to release itself from corporate criminal liability.
- Internal directives regulating the processing of employees’ data and investigation of misconduct are cornerstones of a diligent investigation.
- The concept of legal privilege is limited to the obligation of registered attorneys to preserve the confidentiality of information received from their clients.
- Suspicion of bribery may trigger the duty to report information to the authorities.
- Self-reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
The law does not explicitly lay down this obligation. However, diligently investigating misconduct is a fundamental part of any effective compliance management system and the prosecuting authorities will take into account how the company’s compliance management system dealt with the misconduct, when determining criminal liability of the company.
The company may be released from criminal liability in relation to activities of its ordinary employees (however, not in relation to activities of members of statutory, supervisory or control bodies), which was attributed to the company because of failure to exercise due supervision and control over its employees. A criminal offence will not be attributed to a legal entity if the significance of not complying with these supervision and control obligations is minor when taking into account the business activities carried out by a legal entity, the form of committing the crime, its consequences and the circumstances under which the crime was committed.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
The fiduciary duties of corporate board members include ensuring and monitoring that the company behaves in compliance with all relevant regulations and that they exercise their duties with ordinary care. This means that the board members must not only set appropriate procedures to prevent misconduct, but also investigate any detected misconduct, which often includes an internal investigation. If a board member under a reasonable or founded suspicion of misconduct does not ensure that the suspicion is diligently investigated, and any revealed misconduct properly handled, then he or she risks being held liable for an intentional “breach of fiduciary duties”. Moreover, if the suspicion of misconduct entails criminal wrongdoing, then he or she may be held liable for “failing to prevent a criminal wrongdoing” or may even be held co-liable for aiding and abetting the crime.
Failing to conduct an internal investigation could represent a breach of fiduciary duties of the board members, which could as a consequence make the board members liable for any damages to the company (e.g. penal or administrative fines, damages to third persons, loss of further profits, etc.) that may have been prevented.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
Generally, all individuals who obtain credible information that a specified crime [1] or one of the corruption criminal offences was committed or is being committed or prepared by another person have a legal obligation under the Slovak Criminal Code to report or prevent such crime. Failure to do so is a criminal offence. This does not apply to companies, which, as legal entities, cannot be held liable for failure to report or prevent these crimes under the Slovak Criminal Code and therefore do not have the associated duty to report or prevent the crimes. The question whether the members of statutory, supervisory or control bodies or regular employees can invoke the right against self-incrimination in relation to reporting or preventing crimes committed by the company has not yet been addressed by the courts and remains open.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Both self-disclosure and cooperation are considered mitigating circumstances under the Criminal Code. Depending on the overall balance between mitigating and aggravating circumstances in a particular case, self-disclosure and cooperation may have an impact on the gravity of the sentence. This applies to both individual and corporate liability.
[1] Under Articles 340 and 341 of the Slovak Criminal Code, the crimes that are to be reported or prevented include all crimes with a maximum prison sentence of at least ten years.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company can implement an internal regulation that governs the process of dealing with (suspicion of) misconduct including internal investigation procedures as part of its compliance management system. The internal regulation should also specify the persons responsible for dealing with internal investigations (usually an independent compliance function) and also how the structure of the internal investigation should be decided, including a process for independent reporting.
Whenever there is a risk that the reporting duty could be applicable, or will become applicable during the investigation, or if there is a risk of a police dawn raid, an attorney should be engaged as external counsel to lead and conduct the investigation to minimise the risk of exposure to the reporting duty, and to maintain legal privilege over investigation outcomes. If specialised advice is needed from a specific service provider, for example, from forensic or accounting professionals, the provider should be subcontracted directly by the attorney and report directly to the attorney, so that the risk of exposure is minimised and legal privilege is maintained.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
The concept of legal or attorney-client privilege under Slovak law is not identical to the concept of attorney-client privilege in the US, where the attorneys have a confidentiality obligation based upon the constitutional rights to a fair trial. An “Attorney”, legally defined as a lawyer registered with the Slovak Bar Association in accordance with Slovak law or a European attorney in accordance with EU law, has a statutory duty of confidentiality. This duty requires attorneys to maintain as confidential all information acquired in connection with the provision of legal services. This includes not only the information known by the attorney, but also any information in material format (e.g. paper documents, data files or data disks) which the attorney received in relation to the performed mandate.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
No, the confidentiality obligation applies to the person of the attorney (including employees and subcontractors), rather than to the information or document itself. Therefore, any information or document that is protected when in the possession of the attorney might not be subject to the same level of protection when it is in the hands of the client or an unrelated third person. The prosecuting authorities often use this technique to order the company to hand over all documents they have received from the attorney including reports from the internal investigation and protocols from interviews. A recommended best practice is to structure the investigation together with the attorney, who is leading the investigation and who also subcontracts other third parties who participate in the investigation, if such participation is necessary.
It is essential that the investigation and its reporting lines/forms are structured so as to minimise the risk that the investigation report is taken by the authorities, e.g. during a dawn raid, and then used as evidence in court proceedings.
Does legal privilege apply to in-house lawyers?
No. In-house counsel are not regarded as attorneys under Slovak law. They have the status of regular employees and are not bound by the statutory duty of confidentiality, and their communication is not protected by legal privilege.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Service providers (such as forensic or accounting professionals) can invoke legal privilege to the same extent as the attorney, only if they are subcontracted by the attorney in direct connection with the legal services provided by that specific attorney.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company must determine what data are needed for the purposes of the internal investigation and where the data are located. The following questions are fundamentally important for the effective execution of the data collection and processing: what means of communication are used (emails, apps, phones)? What devices do employees use to communicate? Is there any cloud or local share-drive? Is the cooperation of a local IT expert needed? Is there any solely-paper information?
It is then essential to determine whether and to what extent the company can legally access and review the data. It is not unusual for employees to use apps that are encrypted or do not save content, and it is then highly difficult to distinguish the personal content of their communication from work content. The cornerstone of a diligent internal investigation is a comprehensive and clear internal directive, which provides complete rules on communication, archiving and the use of company devices by employees on the one hand, and explicit information on how the company can review and collect the data on the other hand.
The company should also issue a preservation notice to its employees, in order to ensure that potential evidence (and all data relevant for the matter investigated) is preserved and not destroyed. The employees in question should sign or give confirmation that they are complying with the preservation notice, and this should be kept on the record.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Employee privacy is protected both by Slovak labour law and under EU law (in particular the GDPR). Internal investigations must be conducted in such a way that the risks of breaching privacy laws are minimised. The aforementioned must be assessed on a case-by-case basis since, in general, the greater the harm faced by the employer (e.g. a large-scale corruption scheme), the more intrusive investigative instruments might be considered proportional.
For instance, one-off targeted searches of emails/documents using selected key words should not be considered disproportionally intrusive, if the employer is aiming to protect itself, its property and its reputation by helping to determine if employees may be in breach of their responsibilities. However, only work-related data may be processed for the purposes of the corporate investigation. No private personal data can be subject to the review and any processing of private personal data must be immediately ceased.
Employees’ data processing can only be based on one of the lawful grounds specified by the GDPR. In internal investigations, the most frequently used legal ground for such processing is the legitimate interest of the employer. However, the employer must delicately balance its own interests against the interests or fundamental rights of the employees (e.g. the right to a private life and secrecy of communication) as part of a legitimate interest assessment (LIA). This balancing exercise should be properly documented in the form of the balancing test. It should be noted that every balancing test should include at least information regarding the purpose of the data processing, the necessity of the data processing, the potential consequences of the data processing (its impact on the data subjects), the protective measures adopted, and the outcome of the assessment.
A privacy impact assessment (PIA) is explicitly required under the GDPR if a particular type of data processing is likely to pose a high risk to the privacy of natural persons (such as employees). In particular, the PIA must be performed if the data processing involves the processing of sensitive information or the merging or combining of data which were gathered by various processes, or if it occurs systematically over a longer time period and may lead to decisions that could have serious implications for the lives of the data subjects (such as legal decisions). It must always be assessed whether a PIA is mandatory for the purposes of the internal investigation.
The extent of the data processing must be set only as necessary, in order to achieve the aim of the investigation. In addition, there must be no less-invasive measures available. The information included in the investigation should be carefully selected prior to the review and no private information should be accessed as a part of the investigation. It is essential that the right key words are selected, and the reviewers are sufficiently trained.
An internal directive should inform the employees that their data may be processed as part of any internal investigation. The said notification to the employees serves as the legal basis for the purposes of the data processing and the corresponding rights of the employee. If employees were never informed that their data might be processed for the purposes of harm prevention, for instance, the company would be in breach of this obligation. In addition, under Slovak labour law, the employer shall not intrude upon the privacy of an employee in the workplace by monitoring him/her or checking e-mail sent from a work e-mail address and delivered to such an address without giving notice in advance. An internal directive is not sufficient to cover this requirement and a notice needs to be served to the concerned employees.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Strict conditions apply to cross-border transfers of data collected during investigations to outside of the EU. In particular, companies must ensure that the data will be adequately protected even after the transfer of the data to a third country. Suggested available instruments include binding corporate rules and standard data protection clauses adopted by the European Commission. In addition, where the data are transferred within the group companies, the relevant intra-group policies should be in place.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be erased, with only the most important findings stored for the purpose of confronting the employee with the findings or for potential court or administrative proceedings. Employees whose data were processed must be informed of such processing.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Employees instructed by the employer to cooperate during internal investigations must do so in accordance with their general obligations arising out of their employment duties (general obligation to prevent damage to their employer and loyalty obligation). To ensure their legality, interviews should take place within the working hours of employees and should be strictly connected to their work. Refusal to cooperate may be considered a breach of the employment duties.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No, employees do not have to be informed of the outcome of interviews or the investigation.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
The framework for whistleblowing in Slovakia is covered by the Whistleblowing Act, which regulates the conditions of provision of protection for the employees in regard to reporting of criminal actions and other forms of anti-social behaviour, and the rights and duties of the persons submitting the reports. The extensive amendment to the Whistleblowing Act transposing the Directive came into force on 1 July 2023, with some provisions coming into force on 1 September 2023.
Employers with at least 50 employees, employers who provide financial services, transport safety services or environmental services and employers who are a public authority employing at least five employees, are obligated to set up an internal system for handling reports of crimes and other anti-social activities (compliance hotline). This also includes the duty to maintain a registry of reports (for at least 3 years following the report).
As part of the internal system, employers are obliged to appoint a responsible person (an employee or an external person), specifically to handle the reports. Accordingly, employees may report not only crimes, and administrative delicts but also other forms of unethical, discriminatory and anti-social behaviour. Whistleblowers are protected during both the reporting and the investigation process.
Employers cannot take any labour law related legal action against the whistleblowers without their prior consent, or without the approval of the Labour Inspectorate. Non-compliance with the Whistleblowing Act can result in fines of up to EUR 100.000 issued by the Labour Inspectorate.
7. Criminal Proceedings against the Company
Is there corporate criminal liability in the country?
Yes. A company is liable for a crime if it was committed by any of a broad range of personnel listed in the Act on Criminal Liability of Legal Persons² for the benefit of the company, on its behalf, as a part of its activities or through the company. Strict corporate criminal liability is applicable, which means that the criminal liability of a company depends solely on the actions and intention of the perpetrator, while remaining independent from and concurrent with the criminal liability of the perpetrator.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Both the perpetrator and the company can be prosecuted independently, and the company may be prosecuted even if the perpetrator is acquitted. The criminal liability of a company passes to its legal successors.
Can corporate criminal liability be avoided or mitigated?
Under certain circumstances, a company can be released from criminal liability if it has implemented adequate measures that could have prevented a crime from being committed (in practice referred to as the compliance management system). This however applies only to cases where criminal offenses are attributed to the company due to activities of ordinary employees. In cases where criminal offenses are attributed to the company due to activities of members of statutory, supervisory or control bodies, the release from criminal liability based on compliance management system is not applicable. A criminal offence will not be attributed to a legal entity if the significance of not complying with the obligations to supervise and control the activities of ordinary employees is minor when taking into account the business activities carried out by a legal entity, the form of committing the crime, its consequences and the circumstances under which the crime was committed.
Each compliance management system should be evaluated in the light of the proportionality principle in relation to the organisational size, regulatory density, internationality and nature of business activities, risk profile and market environment of any given legal person. Most importantly, the compliance management system should have viable core elements: be preventive (able to dissuade and impede misconduct), capable of detecting any such misconduct and reactive to misconduct (disciplinary reactions or legal action, or it must learn from the misconduct). Finally, the compliance management system should be able to adopt the necessary adjustments and continuously be improved in accordance with the conducted investigations.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
There is only a very limited practice of out-of-court settlements, particularly if compared to the U.S. settlement practice. Although some instruments are recognised by Slovak law, the out-of-court settlement system has essentially been based on prosecuting individuals. Companies sentenced with a ban on commercial activity, a ban on participating in public tenders or a ban on subsidies can, after serving half of their sentence, ask the court to be paroled and ask for the rest of their sentence to be dropped if the company shows that serving the rest of the sentence is not necessary.
² Act No. 91/2016 Coll., On Criminal Liability of Legal Persons. Section 4 (1) and 4 (2) of the Act on Criminal Liability of Legal Persons include the following: statutory bodies, members of the statutory bodies, persons in the controlling and supervisory functions, or other persons representing the legal persons or deciding on behalf of the legal person, and also ordinary employees in case of failure to exercise due supervision and control over such employees.
8. Upcoming Developments
Initially, after the implementation of genuine corporate criminal liability in Slovakia in 2016, prosecuting authorities acted hesitantly, and there have been only a very limited number of corporate criminal liability cases. However, the interest of authorities in this field has exponentially risen in recent years. What remains unresolved is a framework for out-of-court settlements, which is tailored to prosecuting individuals, and also the incentives for cooperation with the investigation. At present, the OECD and the International Bar Association are in the process of persuading national legislators to establish a predictable system and procedure of out-of-court settlements for companies, which currently have few incentives (if any) to cooperate and self-report.
SLOVENIA
Key Takeaways
- Companies can be held criminally liable for the misconduct of their employees and board members.
- Investigating misconduct is included in management’s fiduciary duties and is a sign of a sound compliance management system.
- Internal policies regulating internal investigation processes and the processing of employees’ data are the foundation of a proper investigation.
- Legal privilege is limited to registered attorneys.
- Reporting duties are restricted to the most serious offences.
- Self-reporting or cooperation with prosecuting authorities does not have any automatic benefit for the company but may impact the outcome of proceedings.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
Slovenian mandatory law does not expressly provide for the duty of companies to conduct formal internal investigations in relation to detected misconduct.
However, the Slovenian Reporting Persons Protection Act (“Whistle-blower Act”), which entered into force on 22 February 2023, requires companies with over 50 employees (and certain other entities, depending on their business activities) to establish internal whistle-blower reporting channels, and to follow up on any whistle-blower reports. The Whistle-blower Act requires that companies appoint a trusted person who shall be in charge of following up on whistle-blower reports, and that the trusted person prepare a report on their findings. Whistle-blower reports may be filed for any violations of any laws valid in the Republic of Slovenia.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
In relation to civil liability, management and supervisory board members are ultimately responsible for the lawful conduct of the business of the company. They are bound to discharge their duties with the diligence of a conscientious and honest businessman/businesswoman, both in the conduct of business and in internal structuring. Failure to meet these obligations constitutes grounds for liability for damages of the management and supervisory board members.
Pursuant to the above general duties, management and supervisory board members are required to take proactive steps whenever they are informed or are otherwise aware of any (potential) illegalities or wrongdoings within the company that may result in any type of damages being incurred by the company.
This duty is especially pronounced in cases where the illegalities or wrongdoings are or may be systemic in nature and are not a direct result of any actions/omissions of the management and supervisory board members. In such cases, properly and demonstrably establishing all the relevant facts and underlying causes of the illegalities or wrongdoings may be essential in order to avoid civil liability for damages. The conduct of an internal investigation (and subsequent steps taken pursuant to its findings) may thus in practice constitute an important or even decisive factor in the determination of whether or not management and supervisory board members have acted in compliance with the required standard of diligence and may (not) be held liable.
In relation to criminal liability, white collar criminal offences (i.e. criminal offences against the economy or legal transactions pursuant to the Criminal Code) require that the criminal intent of the perpetrator be demonstrated. This means that any sort of negligence – including a negligent omission to investigate potential wrongdoings – should in principle not result in criminal liability for offences that have already been committed and where no action by the management board may influence or prevent the criminal offence.
Should however such an omission be intentional in relation to a specific criminal offence (i.e. the omission is intentionally aimed towards assisting the perpetrator), this may under certain circumstances constitute grounds for criminal liability of management and supervisory board members.
With regard to non-specific types of criminal offences, the liability of board members may be established when the conduct of an investigation and subsequent adoption of appropriate measures could have prevented the occurrence of a criminal offence (e.g. failure to investigate information regarding health and safety irregularities and adopt appropriate measures, resulting in death or injury).
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
Yes, in certain circumstances. There is a general requirement to report any criminal offence with a statutory minimum sentence of 15 years in prison. Failure to do so constitutes a criminal offence in itself. Spouses, common-law partners and close relatives are exempt from this duty, as well as defence counsels, doctors or priests of the perpetrator.
Additionally, there is a general requirement to report any criminal offence that is in progress and may be prevented if the offence in question carries a statutory minimum sentence of three years. Failure to do so also constitutes a criminal offence. Only spouses, common-law partners and close relatives are exempt from this duty.
Furthermore, there is an obligation in place for certain types of legal entities and natural persons (principally those involved in financial services, as well as attorneys and notaries) to report any suspicious transactions that raise money laundering concerns to the authorities. There is no general duty to report outcomes or information under the Whistle-blower Act.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
With regard to corporate liability, cooperation and voluntary self-disclosure may constitute grounds for a remission or reduction in sentencing beyond mandatory minimums. Additionally, in such instances special discretion is awarded to the prosecutor who may choose not to prosecute when the sentence may be remitted entirely under the law. However, there are no publicly available data to determine whether this possibility is actually being used.
With regard to individual liability, the above discretion, as well as the possibility of remission or reduction of sentences beyond mandatory minimums, is more restricted; nevertheless, it would probably be regarded as a mitigating circumstance at the very least.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
The company should have internal policies in place that govern the process of dealing with (even the suspicion of) misconduct, including internal investigation procedures as part of the compliance management system. It should specify the persons responsible for dealing with internal investigations (usually an independent compliance function) and how the structure of the internal investigation should be decided, including a process for independent reporting. This should be generally set out in the internal policy that must be adopted under the Whistle-blower Act.
Whenever there is a risk that a reporting duty has arisen, or will arise during the investigation, or a dawn raid by the police is imminent, an attorney should be engaged as an external counsel to lead and conduct the investigation to minimize the risk of exposure to the reporting duty, and to maintain legal privilege over investigation products.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
In general, attorneys at law, registered with the Bar, are bound by legal privilege pertaining to any facts that were made known to them in the course of the performance of their profession, if they are not obliged to reveal such information under applicable regulations. However, this is primarily an obligation of the attorneys, and is only partially reflected in legal protection or privileges in civil and criminal proceedings. Primarily, in both types of proceedings, attorneys may refuse testimony in relation to facts that they are obliged to keep as confidential.
In criminal proceedings, unless the attorney acts as a defence counsel, his/her premises may be searched for documents or information, but only in case it is not possible to obtain said documents or information through any other means. The search can only be conducted based on a court order, which needs to specify for which documents and information the search is to be conducted. A Bar representative must be present during the search. The Bar representative, as well as the attorney whose premises are the subject of a search, may file objections regarding documents seized, stating that they are not covered by the order. These documents are then immediately sealed and special procedures are in place for the examination of the objections by an independent judge.
If the attorney acts as a defence counsel in criminal proceedings, he/she cannot be called to testify in relation to the defendant, their premises cannot be searched for the purpose of obtaining documents or information and their client communications cannot be intercepted. This is an extension of the defendant’s right to defence and privilege against self-incrimination and is absolute.
However, if any attorney-client communications, documents or other forms of information media are seized, intercepted or obtained from the company directly or through third parties, they are not covered by attorney-client privilege.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
No, the confidentiality obligation is linked to the person of the attorney (and his or her employees and subcontractors), rather than to the information or document itself. Therefore, any information or documents that are protected when in the possession of the attorney are not protected when they are in the hands of the client or an unrelated third person.
It is therefore recommended that any sensitive information and documents be kept solely by the attorney engaged for the conduct of the internal investigation, and that the conduct of the investigation is itself structured so as to minimize the risk that large parts or the entirety of the materials, as well as the final product of the investigation, could be detected or seized without any advance warning by the authorities in case of any official proceedings.
Does legal privilege apply to in-house lawyers?
No. In-house counsel are not regarded as attorneys under Slovenian law. They have the status of regular employees and don’t enjoy legal privilege.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
All service providers that have a statutory obligation to keep as confidential information they are provided with or come across in the performance of their profession (e.g. doctors, priests, bankers, psychologists, social workers, etc.) may refuse to testify in court or civil proceedings, unless statutory conditions for disclosure are met.
The legal privilege enjoyed by attorneys at law registered with the Bar is extended to any persons employed by them (i.e. employed in a law firm); however, there is no precedent or direct statutory basis for the possibility of an extension of the attorney’s legal privilege to third-party service providers.
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
The company should firstly establish what data may potentially be relevant in respect to the scope of a particular investigation, and all the places where such data may be stored (e.g. physical archives, company servers, employee work laptops or phones, external cloud services, etc.).
As a next step, the company should then determine if and to what extent each set of data may be gathered and accessed. Comprehensive and clear internal rules on communication, archiving, and the use of company devices by employees, as well as rules on access to such data are essential for any proper internal investigation.
The company should also issue a preservation notice to employees to ensure that potential evidence (and all data relevant for the matter investigated) is preserved and not destroyed and obtain acknowledgement of such notification from the employees in question.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
The review of employees’ electronic communications and data stored or hosted on the employer’s assets involves two separate legally-relevant facets:
- the processing of personal data of the employee and potential third parties (such as e-mail addresses and traffic data) as regulated by the data protection laws, and
- the access and review of the substance of the communications as protected by the right to privacy and secrecy of communications.
While the relevant protections of privacy pursuant to both facets are very similar, they should nevertheless be considered separately in order to ensure that any such measures are deployed lawfully.
Principally, the employer cannot indiscriminately and routinely monitor and/or access employees’ e-mails or other data. Such measures must be limited both in scope and to specific situations, where a clear aim of such measures to safeguard particular interests and rights of the employer (which enjoy a similar level of protection as the rights of the employees) can be demonstrated. Further, such interests and rights of the employer must outweigh the interests and rights of the employees in each individual instance in order that such measures be deployed legally.
Such measures must be (i) appropriate and (ii) necessary to achieve the aim, (iii) not replaceable by a less invasive measure, (iv) transparent and (v) limited only to business/work related communications. The measure should affect only employees for whom suspicion of a violation exists and the measure should cover only relevant types of communication or data. The scope of the measures should be made transparent to employees prior to the start of the investigation. The most appropriate legal basis for the deployment of such measures is the legitimate interest of the employer. Such measures cannot be based on the consent of the employees.
The employer must delicately balance its own interests against the interests or fundamental rights of the employees. This balancing exercise should be properly documented in the form of the legitimate interest assessment (LIA). Every balancing test should include at least information on the purpose of the data processing, the necessity of the data processing, the potential consequences of the data processing and its impact on data subjects, the protective measures adopted, and the outcome of the assessment. Additionally, the employer should carry out a data protection impact assessment, which is explicitly required under the GDPR if a type of processing is likely to pose a high risk to the privacy of natural persons.
In the absence of (i) an implemented, clear and comprehensive policy regarding employee monitoring and (ii) a determination of the investigation as a purpose of processing in the employee privacy policy, an internal directive should inform employees that their data may be processed as a part of any investigation. This must include, among other things, the legal basis and purposes of the data processing as well as the corresponding rights of the employee. If employees were never informed that their data might be processed for the purposes of harm prevention, for instance, the company would be in breach of this obligation.
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Strict conditions apply to cross-border transfers of data collected during investigations to countries outside the EU. In particular, companies must ensure that the data will be adequately protected even after their transfer to a third country. Available instruments include binding corporate rules and standard data protection clauses adopted by the European Commission. In addition, where the data are transferred within the group companies, intra-group policies should be in place.
What should the company do once the internal investigation is finished?
Once the internal investigation is finished, the data gathered and processed during the internal investigation must be deleted as soon as the purpose for their collection has been fulfilled. In practice, this means that only key data and documents necessary for the safeguarding or exercise of the employer’s rights may be retained, but only for the period necessary for this (e.g. for disciplinary measures against a particular employee, for potential court or administrative proceedings, etc.). Employees whose data were processed must be informed of this.
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
Is an employee required to participate and cooperate in interviews?
Employees may be ordered by the employer to cooperate during internal investigations (e.g. by attending an interview), pursuant to general provisions of employment law. Failure to comply with such an order may constitute a breach of their employment duties and may constitute grounds for disciplinary actions up to termination. To avoid unnecessary complications, interviews should preferably take place during the employees’ normal working hours.
Do employees have the right to receive minutes from the interview?
No.
Do employees have the right to be informed of the outcome of the investigation?
No, employees do not have to be informed of the outcome of interviews or the investigation.
6. Whistleblowing
Is there any specific regulation relating to whistle-blowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
The Whistle-blower Act provides for comprehensive regulation of the status of whistle-blowers and related obligations of companies. All legal entities employing 50 or more employees, as well as other entities engaged in certain specific activities, are required to set up internal reporting channels for whistleblowing reports and set up a system to follow-up on reports.
The internally-submitted report is to be handled by an internally-appointed and trusted person who, after the procedure is completed, prepares an account of the findings on the merits of the report, the proposed and implemented measures and submits it to the management of the company and the whistle-blower. The trustee must be an employee of the relevant company. Engagement of external contractors for this purpose is not allowed. The entities are obligated to report the number of reports received, the number of anonymous and justified reports, and the number of retaliatory actions, on an annual basis to the Slovenian Commission for the Prevention of Corruption (“CPC”).
Only companies employing fewer than 250 employees are allowed to share their resources for the receipt and investigation of reports with other group companies. The systems for receipt and investigation of reports that are now in place on a group level may not therefore comply with the Whistle-blower Act.
In cases where the breach cannot be addressed effectively through internal reporting channels or if the whistle-blower believes that there is a risk of retaliation in the case of an internal report, whistle-blowers may file their report through an external channel. Depending on the nature of the breach, 22 different state institutions are responsible for receiving and handling external reports (e.g. CPC, the Slovenian Securities Market Agency (ATVP), the Slovenian Competition Protection Agency (AVK), the Slovenian Insurance Supervision Agency (AZN), the Bank of Slovenia, the Agency for Medicinal Products and Medical Devices of the Republic of Slovenia (JAZMP), the Financial Administration of the Republic of Slovenia (FURS), inspectorates, etc.). When dealing with an external report, the relevant institution acts in accordance with the relevant sectoral laws and within its powers. In practice, this may result in the initiation of supervisory, inspection, administrative proceedings and, in extreme cases, even criminal proceedings.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Yes, companies may be held liable for criminal offences, committed in the name or for the benefit of a company, if one of the following conditions is fulfilled:
- (a) the criminal offence constitutes the execution of an illegal corporate decision, order or approval of its management or supervisory bodies; or
- (b) its management or supervisory bodies influenced the perpetrator or enabled the perpetrator to commit the criminal offence; or
- (c) it is the recipient of illegal proceeds or objects created through a criminal offence; or
- (d) if management or supervisory bodies failed in their duty to supervise the legality of the actions of their subordinate employees.
It should be noted (especially in relation to point (c) above) that pursuant to the Slovenian corporate criminal liability concept, corporate liability is not objective by nature, but requires some form of ‘participation’, culpability or at the very least awareness on the part of the management or supervisory bodies. Merely having benefitted in some way from a criminal offence is by itself not enough to establish corporate criminal liability.
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes, both the perpetrator and the company may be prosecuted for the same misconduct (both for criminal as well as administrative offences).
With regard to criminal offences, the law provides that proceedings against the company and perpetrator should be conducted jointly; however, the liability of the perpetrator and the company are severable, meaning that the company can be found liable even if the perpetrator is not liable or was coerced by the company.
Can corporate criminal liability be avoided or mitigated?
The Liability of Legal Persons for Criminal Offences Act does not provide for any mechanism pursuant to which a company implicated in a criminal offence can automatically avoid prosecution.
If the management or supervisory bodies of the company report the perpetrator of the criminal offence before the criminal offence was detected by the authorities, the sentence for the company may be reduced. If simultaneously the company returns any undue benefits or repays any damages or reports or provides data on other implicated companies, the sentence may be remitted in its entirety. Additionally, according to general rules of criminal law, whenever the conditions for the remission of a sentence are met, state prosecutors may decide not to prosecute.
Separately, the state prosecutor may decide not to start proceedings against the legal entity, if the circumstances of the case indicate that this would not be prudent due to (i) the insignificant participation of the legal entity in the offence, (ii) the legal entity not having any assets or such assets would be insufficient to cover the costs of the proceedings, (iii) the legal entity being in bankruptcy proceedings or (iv) the perpetrator being the sole owner of the legal entity.
It should be noted, however, that all the above possibilities are at the discretion of the competent authorities, who are not obliged to reduce or remit sentences, or not to prosecute, even if all the required conditions are met by the company. Further, it is very difficult (if not impossible) for the management or supervisory bodies to be certain as to whether or not a particular criminal offence was detected by the authorities, since initial parts of criminal investigations are classified as confidential by law, and no information can be obtained in this respect from competent authorities.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
Criminal law in general provides the option to negotiate a plea agreement, whereby the company and the state prosecution conclude an agreement on the admission of guilt and determine the sentence which is to be imposed. However, such an agreement must be confirmed by the court and can only be concluded when criminal court proceedings have been initiated.
Criminal law generally also provides the state prosecution with the option to suspend or drop charges before formal court proceedings have been initiated in instances where the perpetrator is prepared to cooperate and perform certain actions or address the consequences of the criminal offence.
However, all the above possibilities are at the discretion of the prosecution, which is not obliged to deploy them in any particular instance.
UKRAINE
Key Takeaways
- Companies may be held criminally liable for the misconduct of their employees and board members.
- Investigating misconduct is included in management’s fiduciary duties and is a sign of a sound compliance management system.
- Internal investigations are not well-regulated by the law, and the procedure for conducting them should be based primarily on the internal compliance management system of the company.
- Compliance with personal data protection laws is one of the foundations of a proper internal investigation.
- Internal directives regulating the processing of employees’ data and the investigation of misconduct are cornerstones of a proper investigation.
- The concept of legal privilege is limited to the obligation of registered attorneys to preserve the confidentiality of information received from their clients, with whom the lawyers have formal client-attorney agreements.
- Self-reporting or cooperation with prosecuting authorities may have a benefit for the company.
1. Obligation to Investigate Criminal Misconduct Internally
Are companies obliged to investigate misconduct internally?
The law does not explicitly lay down this obligation and generally, a company failing to investigate misconduct would not be liable for it. On the other hand, if the company fails to report a criminal offence, particularly if the criminal offence is evident or obvious, the executives of the company (and the company itself) may be held criminally liable for such failure to act.
In which situations will a decision to internally investigate be necessary to prevent the civil or criminal liability of board members?
Company executives (board members, directors, etc.) may be held liable if their actions or inaction result in losses for the company. Therefore, if it is proven that in a specific situation it would have been reasonable and expedient to hold an internal investigation, but the company executives have not done so, they may be held liable for their passivity. If there are clear indications of violations in a company and no investigation is conducted even though such an investigation is within the executive’s competence, in a severe case (i.e. if the resulting harm amounts to ca. EUR 3,440 or more) the executive could be held criminally liable for “neglect of duty”.
Is there a duty to report the outcome of the internal investigation or any information obtained during the internal investigation to enforcement authorities?
If so, who is subject to the reporting duty and who is exempt?
Are companies obliged to self-report?
There is a risk that if the executives of the company do not report a discovered crime, this may be qualified as covering up the crime. It is therefore recommended to carefully consider each case and get advice on the recommended course of action.
Would cooperation and voluntary self-disclosure be taken into account by the law enforcement authorities in relation to both individual and corporate liability?
Yes. Cooperation and voluntary self-disclosure are regarded by the Criminal Code as mitigating circumstances (possibly resulting in a less severe penalty or release from criminal liability). However, there is no standardized practice or guidelines in terms of fine amounts.
2. Planning and Structuring Internal Investigations
How should internal investigations be structured?
When should an internal investigation be conducted by an attorney?
As internal investigations are not regulated by law, the structuring of the investigation and the involvement of external advisors should be decided on a case-by-case basis depending on the situation at hand. Usually, companies involve external advisors where (i) they have no internal security departments or employees vested with the relevant authority, or (ii) there are reasons to believe that the internal security/compliance department (or official) has been involved in the misconduct.
3. Confidentiality and Legal Privilege
Who can be protected by attorney-client privilege (“legal privilege”)?
Which information/data is and is not protected by legal privilege, and what (if any) are the exceptions from legal privilege?
Legal privilege extends to individual attorneys (lawyers admitted to the Ukrainian Bar), attorney’s offices, persons employed by an attorney or attorney’s office (assistants, trainees, etc.) and applies to:
- any information which has come to the attention of the attorney/attorney’s office or persons employed by the attorney/attorney’s office during the provision of legal services;
- communications, correspondence that passes between an attorney, assistant attorney or trainee and the client during the provision of legal services;
- the content of advice, consultations, explanations, documents, data, materials, belongings, information that was prepared, collected, received by an attorney, assistant attorney or trainee during the provision of legal services.
Does legal privilege extend to documents created by attorneys after they are handed over to the client?
No. Legal privilege extends only to the documents that are kept by an attorney/attorney’s offices, persons employed by an attorney or attorney’s office. Thus, if a client intends for a document to be subject to attorney’s privilege, such documents should be kept by the attorney (attorney’s office).
Does legal privilege apply to in-house lawyers?
There is no specific privilege for in-house lawyers. However, in-house lawyers are subject to general proprietary information protection mechanisms provided by Ukrainian law. As a matter of practice, in-house lawyers who are certified attorneys (advocates) may conclude an agreement based on which legal privilege will apply to their relationship with their employer.
Does legal privilege apply to other types of service providers?
Can legal privilege be extended to them if they are subcontracted by attorneys?
Legal privilege extends to attorney/attorney’s offices, persons employed by an attorney or attorney’s office (assistants, trainees, etc.).
4. Collecting and Processing Data and Data Privacy Protection
How should the company ensure that evidence is properly collected?
Ukrainian law does not provide for any specific requirements applicable to the collection of evidence during an internal investigation or other private action. Thus, while collecting evidence the company should comply with general provisions of Ukrainian law on protection of personal data as well as privacy of information about an individual, companies’ confidential information, etc.
This means, inter alia, that before collecting evidence the company should receive clear written consent from an employee to process his/her personal data. The employee should be informed about his/her lawful rights, the purpose and content of the collected data, potential transfers of data to third parties, etc. Further, the company should receive an employee’s consent for (i) making video/audio footage featuring such an employee, (ii) access to his/her correspondence, etc. Because collecting such evidence is not allowed unless the company has obtained the consent of the employee or the data used is anonymized, it is highly recommended to either obtain such written consent when the employee commences his/her employment or anonymize the collected personal data to the extent possible.
Additionally, special rules apply to collecting information/documents that are regarded as containing banking or state secrets, etc.
What conditions must be met to allow investigators access to employees’ emails/other records which potentially contain private information?
Is the consent of the custodian necessary before data collection begins?
Electronic messages sent via company email accounts are subject to the general privacy rights of correspondence of any individual. The correspondence can only be used with the consent of the message originator and its recipients. If the correspondence relates to the private life of an individual, its usage also requires the consent of such an individual.
Therefore, in practice, the use of corporate email accounts should be restricted to correspondence carried out in the employee’s professional roles, or the employee should confirm and agree not to use corporate email for personal purposes, and thus the employer should not require consent for access to corporate email accounts used by employees.
The employer may also have access to email/communication of its employees based on internal policies (and/or relevant provisions in the employment agreement). The employees should be made familiar with any such policy and a record of this should be documented. Cross-border personal data transfer may require consent of the data subject (i.e. the relevant employee).
Are there any restrictions in relation to cross-border transfers of data collected during an investigation?
Ukrainian legislation establishes limitations on cross-border transfer of personal data. Such transfers are possible only if the foreign state where the data recipient is located ensures a proper level of personal data protection.
Countries that belong to the European Economic Area and signatories to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data are considered to be states eligible for cross-border transfer. Additionally, the Government may approve the list of such qualifying states.
What should the company do once the internal investigation is finished?
This is not clearly regulated by the law. Therefore, the course of action would depend on the circumstances of each individual case. The company may take internal remedial or punitive measures against employees involved in wrongful actions based on its internal policies – up to and including dismissal of the employees. The employees’ misconduct may also be reported to law enforcement authorities as well as to relevant professional associations (if the employee is a member of a professional association).
5. Interviewing Employees
Does an employee have an obligation to actively participate in interviews organised by the counsel of the employer?
No, the employee does not generally have such an obligation, unless this obligation is provided for by internal regulations of the company.
Is an employee required to participate and cooperate in interviews?
No. However, arguably, an employee may be required to participate in an interview if (i) an employment contract or internal regulation of the company provides for such duty of the employee, or (ii) if the employee is instructed by his/her superior to participate in the interview.
Do employees have the right to receive minutes from the interview?
This is not regulated by the law and would depend on provisions of internal regulations and employment agreements.
Do employees have the right to be informed of the outcome of the investigation?
This is not regulated by the law and would depend on provisions of internal regulations and employment agreements.
6. Whistleblowing
Is there any specific regulation relating to whistleblowers?
If so, is there any obligation to react to whistleblowing/to have a system in place for reacting to whistleblowing?
Yes, partially. Private companies are not per se required to have in place a system for reacting to whistleblowing.
However, large state-owned companies and private companies participating in public procurement procedures with the value of ca. EUR 50k and more are required to develop and approve a separate internal anticorruption programme that should, inter alia, envisage the whistleblowing protection mechanism.
7. Criminal Proceedings Against the Company
Is there corporate criminal liability in the country?
Corporate criminal liability does exist in Ukraine. The company may be held criminally liable when its executive or authorized representative (i) commits a crime on behalf of and for the benefit of the company, (ii) fails to fulfil his/her obligations related to prevention of corruption, which resulted in the commission of a crime, etc. The Criminal Code of Ukraine defines the types of crimes that corporate entities (companies) may be held criminally liable for (e.g. money laundering, crimes that threaten national security and war crimes, violent crimes, etc.).
Can individuals and companies both be prosecuted for the same misconduct (parallel prosecution)?
Yes. Companies may be prosecuted in case of misconduct by their authorized representatives who are also held liable.
Can corporate criminal liability be avoided or mitigated?
Ukrainian law provides for a statutory exemption of companies from criminal liability due to expiration of the limitation period, which is 3, 5, 10 or 15 years after the commission of the crime, depending on the gravity of the criminal offence.
Additionally, since the criminal liability of companies is closely related to the criminal liability of their executives, any circumstance that works to decrease the official’s liability (e.g. his/her actions aimed to mitigate harm, etc.) could also help mitigate liability for the company.
Can criminal proceedings be settled with the enforcement authorities, or through leniency programmes?
No. Criminal proceedings with respect to companies may not be settled with the authorities.
8. Upcoming Developments
Even though no specific legislation concerning internal investigations has been enacted in Ukraine to date, the number of internal investigations remains high. Given the ongoing war with Russia, the Ukrainian Parliament has not been very active in terms of developing new legislation in the corporate investigations field.
In light of the significant number of Russian-related companies that have been seized by the Ukrainian state in the past year or so, there is a growing need for internal investigations within these companies. As a result, there is an expectation that specific guidelines might be formulated to address the unique challenges and complexities presented in this particular domain.
The growing number of companies with Russian connections under Ukrainian control demands a thorough examination of their operations and financial transactions. These internal investigations will likely delve into various areas, such as potential illicit activities, compliance issues, and financial improprieties.