Partner Nicolas Brooke and Senior Associate Mathilde Gerot examine the impact of Sapin 2 and GDPR on internal investigations, and the balance that needs to be struck in order to ensure compliance with both sets of rules, in Legal Week.
Nicolas and Mathilde’s article was published in Legal Week, 30 July 2020, and can be found here.
Internal investigations are undergoing significant development within French companies, notably due to the adoption of the Sapin 2 Law on transparency, the fight against corruption and the modernisation of economic life which came into force on 1 June 2017. Since 25 May 2018, those responsible for running investigations must also bear in mind the data protection requirements articulated under the General Data Protection Regulation (GDPR). Two years after the implementation of the new Regulation, the time has come to take stock of the areas of tension between the objectives pursued by commercial operators when running an internal investigation, and their duty to protect personal data under GDPR.
Data subjects have a right to information under Articles 13 and 14 of GDPR. The purpose of this entitlement is to enable anyone to be informed, by the data controller, of how their personal data will be processed. A key consideration when running an internal investigation, however, is to ensure that the work remains confidential: confidentiality may be required by law (e.g., pursuant to the whistleblower protection rules provided for under the Sapin 2 Law), or it may be justified by the sensitivity of the matter under investigation or by the risk of evidence being tampered with.
Focusing more specifically on the risk of destruction of evidence, Article 14(5)(b) of GDPR provides for an exception that can usefully be invoked in order to delay informing the data subject about the contemplated data processing, where providing such information is “likely to render impossible or seriously impair the achievement of the objectives of that processing”. GDPR does not provide for the same exception with regard to the right of access to personal data, which extends to investigative work product that refers to such data. It should be noted in this regard that when this work is carried out by counsel, the duty of professional secrecy, which is protected as a matter of public policy under French law, should be capable of being invoked against the data subject in all circumstances. This is also the position of the National Bar Council (Conseil national des barreaux) in a guide on internal investigations released in June 2020, according to which the exception provided for at Article 14(5)(d) of GDPR, even though it directly concerns only the data subject’s right to information and not their right of access, should allow the company or counsel to refuse access to the investigatory work product where granting it would lead to a violation of professional secrecy.
It is often difficult, or even impossible, in the early stages of an internal investigation to determine the exact scope of work, the breadth of data to be collected, the custodians to be interviewed, or the extent of the look-back period. The time required to complete the work is also difficult to assess. This lack of visibility sits uneasily with the so-called principle of data minimisation provided for under Article 5(1)(c) of GDPR, pursuant to which the data collected must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In practice, this means that the relevance and adequacy of personal data collections must be systematically reassessed throughout the investigation.
Information collected during the course of an investigation, including personal data, must often be kept for varying lengths of time. Indeed, it is not unusual for investigations to continue for several months, sometimes years. How, then, can this need for data retention throughout the investigation be reconciled with the principle that the retention period must be proportionate (the storage limitation principle under Article 5(1)(e) of GDPR)?
The position of the Commission Nationale de l’Informatique et des Libertés (or “CNIL”, the French data protection authority) in this respect is consistent with the reasoning set out above regarding the principle of minimisation. Any data that is no longer demonstrably relevant for the purposes of the investigation must be deleted. This will typically be the case if the investigation concludes that the facts did not in fact amount to wrongdoing. On the other hand, if the investigation leads to follow-on situations such as disciplinary or other proceedings, this should provide grounds for prolonging the retention period until those proceedings come to a close. The answer will be less obvious when the internal investigation runs for a number of years without any action, disciplinary or judicial, being initiated in parallel. Much will depend on whether the data controller running the investigation is in a position to assess how long the investigation will take to complete.
3 August 2021