US-Ordered Cross-Border Monitorships

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

A monitorship can be difficult to manage in the best of circumstances. Even the most basic arrangement requires the monitor to evaluate a company that he or she does not represent, to report to an agency for which he or she does not work and to gather sensitive information without invading attorney–client privilege. Worse, the company will almost certainly not welcome the monitorship, let alone its intrusive features – including the monitor’s examination of proprietary data, interviews with company personnel and customers, and findings that could require the company to abandon well-established practices or to discipline long-standing employees.

A US-ordered cross-border monitorship poses all these challenges and more. To monitor a company with operations outside the United States, especially one with operations around the globe, is to contend with several, if not dozens, of disparate legal systems and business cultures. As a result, although the work that a monitor typically performs – such as conducting interviews, collecting data and recommending discipline – can be accomplished with little difficulty in the United States, it may be sharply restricted in some countries. Moreover, practices or attitudes that are commonplace in one affiliate may be radically different in another affiliate of the same company.

In the face of these legal and practical challenges, and particularly given updated guidance from the US Department of Justice (US DOJ) indicating that corporate monitorships may become more common in the future,[2] the cross-border monitor would do well to consider a few key attributes of cross-border monitorships before proceeding. First, it is not the monitor’s primary job to investigate misconduct. This is a basic tenet of almost any monitorship but one that is not always well understood. Second, the monitor may not be able to visit every place in which a company does business – particularly if the company operates around the world – and consequently must devise ways to assess the company’s compliance with that limitation in mind. Third, foreign privacy and labour laws may apply and must be considered carefully, as they could impede the monitor’s work (or worse). The same is true for foreign laws governing the imposition and publicising of employee discipline. Finally, although companies must implement a coherent global compliance programme, local variations will be appropriate and necessary to account for differences in local business culture and practice.

The role of the monitor

The monitor is not always an investigator

Infrequent in the United States, monitorships are entirely unknown in many parts of the world. The first challenge facing a cross-border monitor, therefore, is the most fundamental: clarifying both what the role of a monitor is and, perhaps more important, what it is not. As the US DOJ’s guidance on corporate monitorships makes clear, the monitor’s ‘primary responsibility is to assess and monitor a corporation’s compliance with the terms of the agreement specifically designed to address and reduce the risk of recurrence of the corporation’s misconduct[3] . . . [t]he monitor’s mandate is not to investigate historical misconduct’.[4] Indeed, the US DOJ has explained that one of the ‘clear benefits’ favouring the imposition of a monitorship is to ensure that a company’s compliance programme is effective, adequately resourced and fully implemented – particularly when that programme is either untested or has been identified as deficient in some respect.[5]

Clarity on this issue is important in any monitorship; only by understanding the purpose of their work can monitors design an appropriate work plan and discharge their mandate effectively. In a cross-border monitorship, clarity of purpose is crucial. Some countries prohibit or restrict corporate investigations of misconduct[6] and, in these jurisdictions, the consequences of overextending the monitor’s role could be significant. If witnesses mistake the monitor for a criminal investigator, they may report the monitor to the local authorities. Those authorities, which may previously have been unaware of the monitorship,[7] could begin investigating the monitored entity or insist on exploring the contours of the monitorship with the monitor and the enforcement agency. At the very least, interference of this kind would unnecessarily complicate the monitorship and potentially delay the monitor’s work.[8] Before beginning their work outside the United States, monitors must ensure that the company and its employees – particularly the witnesses they intend to interview – clearly understand the monitor’s role.

The monitor cannot go everywhere

When a company has wide-ranging operations across the world, potentially spanning multiple business lines, the monitor’s team may be unable to visit each location during the course of the monitorship – nor should they. The monitor’s goal is not to assess every facet of compliance in every jurisdiction where the company does business, but rather the company’s overall compliance environment. The monitor must thus think critically about which sites to visit, bearing several considerations in mind.

The first priority should be to review the company’s operations in jurisdictions that pose the highest risk. These will almost certainly include locations where the underlying misconduct occurred. They may also include countries where the company’s largest operations are situated, or where the highest-risk functions take place. Another indicator of risk is the nature of the violations that led to the monitorship in the first place. In cases involving violations of the US Foreign Corrupt Practices Act (FCPA), for example, the monitor should focus on countries with a known corruption risk – taking into account Transparency International’s Corruption Perception Index[9] and any risk rankings generated by the company itself.

The more difficult choices arise beyond the highest-risk locations. Because monitors cannot go everywhere, they should identify a representative sample of locations that will enable them to assess the company’s global compliance efforts, which can be a formidable task. Compliance risks can vary not only by country but by business line, by business unit and even by product. They can also depend on the business model. Joint ventures, in which authority is shared between the monitored entity and its partner, may pose a greater risk than wholly owned subsidiaries, over which the company has full control. Manufacturing plants may be riskier than commercial operations, and commercial operations riskier than distributorships. Recent acquisitions typically pose an enhanced compliance risk, especially if the acquired company’s compliance culture is immature and not yet fully integrated into the company’s global culture. Third-party relationships often pose the greatest risk of all, warranting a sharper focus on business units that retain third parties in high numbers or for sensitive engagements.[10]

How can a monitor practically assess the adequacy of a company’s global compliance programme under these circumstances? One viable strategy is to identify common operational or other relevant features among the company’s different affiliates, group the affiliates according to those common features, visit an affiliate within a group and extrapolate findings from that affiliate to others in the same group. Deciding which common features to select depends heavily on the company at issue, of course, but the following are a few options:

  • Common reporting structure: the monitor should consider whether business operations fall under the same global reporting structure. If several sites report to the same business unit or managers, they will at least have some elements of supervision in common. Depending on the conduct under review, the monitor may be able to draw some conclusions about the adequacy of compliance by evaluating the common supervisory team.
  • Common processes: if the company has compliance processes that vary from region to region or between different business lines, the monitor can group sites according to the processes they share. In an FCPA inquiry, for example, the company might employ the same third-party due diligence procedures at five of 25 affiliates. The monitor could test the procedures at one of the five affiliates and extrapolate his or her findings to the remaining four in the same group (after accounting for any site-specific anomalies).
  • Common business models: a monitored company might employ different business models across the world, each with a different risk profile. The monitor should test each model – especially those that present heightened risk, such as recent acquisitions.
  • Common systems: a key component of any functioning compliance programme is internal controls, which are usually embedded within a company’s enterprise resource planning and procurement systems. If the company employs a unified global platform across all its affiliates, the monitor’s examination of internal controls may be relatively simple. However, if the company does not make use of a single platform – as is often the case for companies that have expanded through acquisitions – there may be multiple legacy systems, each with its own user interface and technical challenges. In these cases, the monitor should endeavour to visit representative sites where each of the systems is in use.

All these approaches can be fruitful in the right circumstances. However, they are of limited value for assessing one company affiliate that does not share common features with any other, and if the monitor simply cannot visit because of civil unrest, armed conflict, public health emergencies, or the like. These types of affiliates are a vexing challenge for the monitor – especially in corruption cases, where they are often located in the same countries that pose the highest corruption risk – and dealing with these locations requires some creative thinking. Among other workarounds, the monitor team could perform remote transaction testing, conduct video interviews with in-country employees and interview in person any employees outside the country who may be assisting the affiliate with implementing financial and compliance controls.

Observing privacy and labour laws


Companies in cross-border monitorships must abide by the privacy laws of the countries in which they operate. The complexity of these laws can be daunting for the monitored entity and the monitor alike but they are vitally important to the cross-border monitor: because the life blood of a monitorship is information, any limitations on acquiring it could jeopardise the monitor’s ability to fulfil his or her mandate. It is incumbent on the monitor team, therefore, to identify applicable privacy laws in advance of its work and take the steps necessary to comply with them.

Among the most recent and best known privacy laws that monitors must contend with is Regulation (EU) 2016/679 (the General Data Protection Regulation (GDPR)).[11] The GDPR restricts the ability of companies that operate, offer services or sell goods (whether paid for or free) or even track the behaviour of individuals[12] in the European Union and Member States from processing personal information without first obtaining permission to collect and distribute it, or satisfying one of several other specified criteria for processing the information.[13] Processing is defined broadly in Article 4(2) of the GDPR to include:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Additionally, and perhaps most relevant to the activities of a monitor, the GDPR restricts companies from transferring personal data to countries lacking – in the eyes of the European Commission – adequate protection for personal data.[14] To satisfy the requirements of the GDPR, the monitor may need to enter into an agreement with the monitored entity to verify the steps the monitor will take to protect personal data being transferred by the monitored entity.[15] Further, depending on the monitorship, the monitor may hire third-party experts, accounting firms, data processing companies and others. The GDPR would govern the monitor’s transfer of personal data from the monitored entity to any of these third parties. As a result, the monitor may also need to enter into contractual arrangements with these vendors to ensure the monitored entity can lawfully share information.

The monitor should also be aware that EU Member States are free to enact requirements that surpass those found within the GDPR. Thus, monitors must assess not only the GDPR but any country-specific laws that may govern the transfer of information from the monitored entity to the monitor. And, of course, EU Member States are not alone in imposing privacy-related restrictions.[16]

In addition to restricting access to documents, privacy laws also address the manner in which a monitor and monitored entity receive reports of wrongdoing throughout the monitored entity.[17] Most multinational companies have established a reporting mechanism, or hotline, through which employees can report potential misconduct either by company employees or by a third party associated with the company. Some countries permit companies to implement systems for confidential reporting, but others may require companies to obtain permission from employees or government authorities before doing so.[18] Still other countries limit the types of conduct that can be reported, and others discourage any confidential reporting at all.[19]

In short, privacy laws can create stumbling blocks to the smooth transfer of information during the monitorship. The monitor and the company must consider privacy issues as early as possible and establish protocols for document and information transfers well in advance of the monitor’s field work.

Blocking statutes

Some countries in which monitors may operate have enacted what are known as blocking statutes. Intended to protect the sovereignty of the enacting country against extraterritorial interference by other countries, these statutes bar or limit the transfer of evidence to foreign jurisdictions. In China, for example, the International Criminal Judicial Assistance Law restricts companies from providing evidence to foreign law enforcement authorities conducting a criminal investigation.[20] And in Switzerland, Article 271 of the Swiss Criminal Code forbids Swiss parties, under certain circumstances, from cooperating with foreign governments in connection with foreign proceedings.[21] The consequences of violating these laws are not merely theoretical. For example, the Swiss Federal Supreme Court has repeatedly upheld the criminal convictions of company executives for sharing information with the US government, in violation of Article 271.[22]

Although monitors are not government authorities, they are often appointed by, work closely with and submit detailed reports to them. Companies may therefore be reluctant to disclose information for fear of running afoul of a blocking statute. And even where blocking statutes provide a means for disclosing information to foreign authorities, the process may cause a delay in the monitor’s work, which is by definition of limited duration. To avoid these issues and delays, the monitor should identify potentially applicable blocking statutes as soon as possible and develop a plan to obtain the necessary information without triggering liability for any of the parties involved.


Local labour laws may also restrict a monitor’s access to both information and employees. Some countries in Europe, for example, require that employee representatives (known as work councils) be consulted prior to an employee being interviewed.[23] In some countries, employees have the right to refuse to attend an interview or otherwise cooperate with the monitor. Employees in certain countries may also expect to receive, or at a minimum review, any notes taken during interviews or other materials prepared as a result of interviews.[24] Labour laws also limit the type of discipline companies can impose. Some labour laws impose penalties or other liabilities on companies for terminating an employee in a manner that does not comply with specified legal protections. Others have restrictions on when employers can take disciplinary action against employees.[25] These restrictions range from requiring an employer to impose discipline within a certain time frame to forcing an employer to follow a particular procedure before dismissing an employee.[26]

In short, there is great variety among the labour laws that companies and monitors may encounter. Sophisticated multinational companies are well aware of them. The monitor must thoroughly understand them as well, and can draw upon the company’s own expertise for assistance. (The US DOJ contemplates that very process, often requiring monitored companies to provide guidance to the monitor on applicable local law.) As with most aspects of a monitorship, careful planning is critical at the outset to account for and ensure compliance with local labour laws.

Publicising employee discipline

One of the most important tasks for a monitor is to assess whether the monitored company has undertaken appropriate remedial measures in the wake of wrongdoing, and one of the most important of these measures is the disciplining of employees responsible for misconduct. Indeed, US regulators have repeatedly emphasised this component of a remediation programme. The US DOJ’s Justice Manual, for example, highlights appropriate discipline of employees as one of five components required for a company to demonstrate that it has remediated FCPA violations appropriately and in a timely manner. It also makes clear that discipline should extend not only to those who committed the misconduct but also to those responsible for oversight:

The following items will be required for a company to receive full credit for timely and appropriate remediation . . . Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.[27]

The US Securities and Exchange Commission (SEC) likewise emphasises appropriate discipline as a component of an effective compliance programme.[28]

Beyond underscoring the importance of discipline itself, the US DOJ and the SEC both encourage companies to turn discipline into a teaching opportunity. In describing how a company can effectively enforce its anti-corruption compliance programme, for example, those agencies have noted that ‘[m]any companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences’.[29] The challenge for companies seeking to follow this guidance is discerning what, precisely, may or may not be ‘appropriate under local law’.

The GDPR is a case in point. It restricts the processing of personal data[30] and it defines ‘personal data’ broadly to cover ‘any information relating to an identified or identifiable natural person’, the latter being any person ‘who can be identified, directly or indirectly’.[31] This definition encompasses information that in the aggregate could be used to identify a particular person.[32] Likewise, ‘processing’ is defined broadly to include the ‘collection, recording, organization . . . storage . . . use . . . [or] dissemination’ of personal data by either automated or non-automated means.[33] To the extent that the GDPR applies to the dissemination of information about an incident of employee misconduct, a company would have to comply with the law’s requirements before sharing any information. Among other steps, the company would be obliged to provide the employee with notice of how his or her data may be processed, and to conduct a legal analysis to assess whether the company has an appropriate legal basis to distribute the information.[34]

None of these data privacy protections should prohibit a company from publicising fully anonymised information about an incidence of employee misconduct.[35] Nevertheless, companies operating in an environment of heightened sensitivity to employee privacy may be hesitant to engage in the legal analysis necessary to determine what information can be shared, and how, under local law. That is particularly true in countries where the privacy laws are new and the regulatory guidance sparse. Given the importance to US regulators of imposing and publicising appropriate discipline, however, monitors should be examining how companies make use of discipline – and companies should carefully consider what information they can share with employees.

Variations in local business culture and practices

Multinational companies must maintain a coherent global compliance programme, while at the same time contending with local distinctions in business culture and practice. This is no easy feat, especially for companies that span the globe, but the monitor should expect nothing less, as that is what the government requires. As the US DOJ makes clear in its compliance guidance, a corporate compliance programme must actually work in practice, not simply have the right components on paper.[36] To succeed in this regard, multinational companies must understand relevant local practices and adapt their global compliance principles accordingly.

Corruption cases offer a useful illustration. Regardless of where a company operates, it can never (whether under the FCPA or other anti-bribery legislation) permissibly bribe a government official in exchange for business. A company’s compliance policy must be unyielding on this point. However, the means to prevent bribery from occurring may require some variation from country to country to account for the local business environment. In larger countries, for example, where the pool of qualified employees might be abundant, a company could, without jeopardising its business, choose not to hire any employee with close family ties to a distributor that sells company products to the government. In smaller countries, the relevant talent pool might be much smaller, making it impractical for a company to impose a blanket ban of this sort. Instead, a company might reasonably apply rigorous controls to its hiring process, such as walling off potentially conflicted employees from any interactions with a distributor.

The number of examples of this nature is nearly limitless. The point is that one size does not necessarily fit all in the implementation of a global compliance programme. Variations may be entirely appropriate and often critical. If a company’s policies create significant practical barriers to conducting business in a particular country, the company runs a greater risk that employees will circumvent compliance controls. By calibrating its programme to account for local variations in business practice, while still maintaining a compliant environment, a company can make its compliance policies both more practical and more likely to be effective in the long run. Like the other lessons for cross-border monitors noted above – clarifying the monitor’s role, strategically choosing the right locations to visit, and being mindful of privacy and labour laws – careful attention to local culture and practice will position the monitor well to achieve his or her primary mission: assessing whether the company’s compliance programme adequately addresses and reduces the risks that led to the monitorship in the first place.


1 Gil M Soffer and Johnjerica Hodge are partners at Katten Muchin Rosenman LLP.

2 US Department of Justice (US DOJ) Memorandum, Acting Deputy Attorney General Lisa O. Monaco, ‘Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies’, at 4 (28 Oct. 2021), at (last accessed 25 Feb. 2022); see also US DOJ Press release, ‘Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime’ (28 Oct. 2021 (stating that ‘to the extent that prior Justice Department guidance suggested that monitorships are disfavoured or are the exception’, that guidance is rescinded), at (last accessed 25 Feb. 2022).

3 US DOJ Memorandum, Acting Deputy Attorney General Craig S Morford, ‘Selection and Use of Monitors in Deferred Prosecution Agreements and Non-Prosecution Agreements with Corporations’, at 2 (7 Mar. 2008), at (last accessed 25 Feb. 2022).

4 ibid., at 6. It is worth noting, however, that recent US DOJ guidance indicates that the Department may be more interested in a company’s record of misconduct. See US DOJ memorandum (op. cit. note 2, above), at 3 (noting that prosecutors ‘must . . . take a holistic approach when considering a company’s characteristics, including its history of corporate misconduct, without limiting their consideration to whether past misconduct is similar to the instant offense’).

5 US DOJ memorandum (op. cit. note 2, above), at 4–5.

6 e.g., KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (2013), at 10, at (last accessed 25 Feb. 2022) (‘In some jurisdictions, it can be illegal for companies to investigate alleged employee misconduct because the local government considers itself to be the exclusive investigator responsible for law enforcement.’).

7 In some countries, monitors may be required to notify the local government or regulator if they are doing work there. Even if such a disclosure is not required, it may still be considered good practice.

8 A similar risk exists in traditional internal investigations, where employees may ‘seek the intervention of local government officials’ in an attempt ‘[t]o deflect from the investigation’. John Frangos, ‘Southeast Asia: Conducting Successful Corporate Internal Investigations’, Society for Human Resource Management (28 Aug. 2017), at (last accessed 25 Feb. 2022).

9 Transparency International, Corruption Perceptions Index, ‘The results at a glance’, at (last accessed 25 Feb. 2022).

10 In light of such variations in risk, the US DOJ recently underscored the importance of tailoring a compliance programme to a company’s risk profile. See generally, US DOJ, Criminal Division, ‘Evaluation of Corporate Compliance Programs’ (June 2020), at 2, at (last accessed 25 Feb. 2022) (‘The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how a company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.’)

11 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (GDPR), at (last accessed 25 Feb. 2022).

12 European Commission, ‘Who does the data protection law apply to?’, at (last accessed 26 Jan. 2022) (‘The GDPR applies to: 1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or 2. A company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.’)

13 GDPR, Article 6(1). The GDPR imposes even stricter requirements on the distribution of information related to criminal offences. See ibid., at Article 10.

14 GDPR, Article 45(1) (‘A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.’)

15 GDPR, Article 46(2)(f); see also ibid., at Article 46(3) (noting that a third party can receive personal data if there are, among other things, ‘contractual clauses between the controller or processor or the recipient of the personal data in the third country or international organisation’).

16 e.g., KPMG China, ‘Overview of China’s Cybersecurity Law’, at 8, at (listing the privacy-related restrictions in China) (last accessed 25 Feb. 2022); see also Daniel Chen and Michael R Fahey, ‘Data Protection in Taiwan: Overview’, at (discussing privacy-related restrictions in Taiwan) (last accessed 25 Feb. 2022); see also Alexei Koseff, ‘California promises aggressive enforcement of new privacy law’ (16 Dec. 2019), at (discussing the California Attorney General’s intent to enforce the state’s new privacy law, which mirrors the GDPR) (last accessed 25 Feb. 2022).

17 e.g., GDPR (op. cit. note 11, above).

18 e.g., World Law Group, Global Guide to Whistleblowing Programs 2016, at 1, at (noting that, in Argentina, ‘Companies must always notify their employees before the implementation of a whistleblower program’) (last accessed 25 Feb. 2022); see ibid., at 41 (noting that ‘the Czech Data Protection Authority has to be notified prior to the collecting or processing of personal data’).

19 See ibid., at 62, 66, 69.

20 International Criminal Judicial Assistance Law, Article 4. Some companies have invoked this Law, albeit unsuccessfully, as a basis for resisting grand jury and Patriot Act subpoenas. In re: Sealed Case, No. 19-5068, consolidated with Nos. 19-5100, 19-5102, 19-5103 at 29 (D.C. Cir., 30 Jul. 2019), at$file/19-5068-1800815.pdf (last accessed 25 Feb. 2022).

21 Swiss Criminal Code, Article 271.

22 e.g., Bundesgericht (BGer) (the Swiss Federal Supreme Court) 1 November 2021, 6B_216/2020 (Switz.) (upholding the conviction of an asset management company under Article 271 for sharing account information with US authorities); BGer 4 December 2018, 6B_804/2018 (Switz.) (upholding the conviction of the chairman of an asset management company for sharing account information with US authorities); see also Lenz & Staehelin, ‘New precedent does not provide clear guidance on the boundaries of the Swiss blocking statute’, Lexology (3 Dec. 2021) (summarising recent court decisions on the scope of Article 271), at (last accessed 25 Feb. 2022).

23 See, e.g., Directive 2009/38/EC of the European Parliament and of the Council of 6 May 2009; see also Philipp von Holst, ‘Germany’ in The European, Middle Eastern and African Investigations Review 2017 (25 May 2017), Global Investigations Review, at (‘a hostile works council can cause serious problems to an internal investigation from delaying it to blocking single measures and leaking information to the press’) (last accessed 25 Feb. 2022).

24 See, KPMG International, ‘Cross-border investigations: Are you prepared for the challenge?’ (op. cit. note 6, above), at 17 (‘Many countries have data privacy laws that allow a target or a witness to have access to certain investigatory material, including a written investigation report.’).

25 See e.g., Juliana Sá de Miranda and Ricardo Caiado, ‘Brazil: Handling Internal Investigations’, The Investigations Review of the Americas 2019, Global Investigations Review (21 Aug. 2018), at (‘As in many other Latin American countries, the Brazilian labour legislation is complex and inclined to protect employees. It is no overstatement that there is a culture of judicial claims by employees against employers in the country, even in cases of weak or lack of proper grounds.’) (last accessed 25 Feb. 2022).

26 See e.g., Donald C Dowling Jr, ‘Internal investigations in overseas workplaces’, Lexology Pro (2 Apr. 2013), at (last accessed 25 Feb. 2022).

27 US DOJ, Justice Manual (2017), Title 9-47.120(3)(c), at (last accessed 25 Feb. 2022).

28 US DOJ and US Securities and Exchange Commission, ‘A Resource Guide to the U.S. Foreign Corrupt Practices Act’ (2012), at 59, at (last accessed 25 Feb. 2022).

29 id. The US DOJ has echoed that theme in recent guidance, noting that ‘some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects.’ See US ‘Evaluation of Corporate Compliance Programs’ (op. cit. note 10, above), at 13.

30 GDPR, Article 6(1).

31 ibid., Article 4(1).

32 Amelia Hairston-Porter, ‘INSIGHT: EU Enacts New Data Privacy Regime with Potential Effects on Cross-Border Investigations’, Bloomberg Law (28 Sep. 2018), at (last accessed 25 Feb. 2022).

33 GDPR, Article 4(2).

34 The GDPR permits companies to process personal data in a limited number of instances, including when the employee consents (although consent can be revoked), when necessary either to comply with a legal obligation or to pursue a legitimate company interest after this interest is balanced against the interests and rights of the employee. See GDPR, Article 6(1), Paragraphs (a), (c) and (f) (lawfulness of processing) and Article 7(3) (consent may be withdrawn at any time).

35 Companies will need to consult local experts regarding the full range of laws and regulations that may limit their ability to disseminate information about employee discipline in a particular jurisdiction.

36 See ‘Evaluation of Corporate Compliance Programs’ (op. cit. note 10, above), at 13. The UK Serious Fraud Office (SFO) has also emphasised that compliance programmes will not be considered effective if they are merely a ‘paper exercise’. See SFO Operational Handbook, ‘Evaluating a Compliance Programme’ (Jan. 2020), at 1, at (last accessed 25 Feb. 2022).

Unlock unlimited access to all Global Investigations Review content