Austria

General context, key principles and hot topics

1Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.

Since 2017, a wide-ranging investigation of the construction sector has been pending in Austria. Currently, the authorities involved are assuming that the companies concerned have colluded on up to 800 construction projects. In most cases, the projects were administered by public authorities who were required by law to invite tenders for their public works. The cost of the construction projects is estimated at several hundred million euros.

The Central Public Prosecutor’s Office for Economic Crimes and Corruption (WKStA) and the Austrian Federal Competition Authority are involved in the investigation. Following the first raids in 2017, and further raids in 2018, around 60 companies and more than 150 individuals are now subject to prosecution. To date, the authorities have seized more than 70,000 pages of documents and 57 terabytes of IT data.

While it is currently assumed that the criminal proceedings conducted by the WKStA (natural persons face a prison sentence of up to 10 years, companies face fines of up to €1.3 million) will still take several years before indictments are filed, the Federal Competition Authority announced the first applications for fines by the turn of the year. Antitrust behaviour may be sanctioned with fines of up to 10 per cent of a corporate entity’s total turnover.

2Outline the legal framework for corporate liability in your country.

The Austrian legal system distinguishes between civil liability (for breaches of private law), criminal liability (for offences against criminal law) and liability under administrative penal law (for regulatory offences). The main focus of this chapter is on criminal liability of corporations.

Pursuant to the Law on Corporate Liability (VbVG), corporations are liable for the unlawful and culpable actions of their decision makers and, under more restrictive conditions, for the actions of their employees, provided that the offence was either committed for the benefit of the corporation or the offence violated duties incumbent on the corporation. Moreover, an offence committed by an employee must have been either rendered possible or facilitated by the decision makers’ failure to take essential precautionary measures, in particular of a technical, organisational or personal character.

In contrast to the liability for criminal offences, corporations are only directly liable for regulatory (administrative law) offences against tax law (section 28a, Penal Tax Code). In other areas of administrative penal law, there is only an indirect joint liability of the corporation for fines imposed for offences committed by the managing director or other ‘persons in charge’ (section 9, Administrative Penal Code). However, these offences are considered offences by the natural person, not the corporation.

3Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?

Criminal offences are investigated by public prosecutors with the assistance of the criminal investigation department of the police. Pursuant to section 20a of the Code of Criminal Procedure (StPO), the WKStA is responsible for prosecuting economic crimes and corruption. The Federal Bureau of Anti-Corruption assists the WKStA in matters relating to corruption.

Administrative law is enforced by various administrative authorities, often with sector-specific competences. The most notable examples are the Financial Market Authority, which oversees, inter alia, banks, insurance companies and companies listed at the Vienna Stock Exchange, and the Competition Authority, which conducts investigations into possible violations of national and European competition law.

Although competences between criminal and administrative authorities are distinguished ratione materiae, situations can arise in which different authorities have parallel competence over the same facts. Pursuant to section 15 of the StPO, criminal courts must autonomously decide preliminary questions pertaining to other areas of law. However, they may await the decision of a competent court or administrative authority on such preliminary questions if the decision is to be expected in the foreseeable future. Administrative authorities, in turn, may suspend their investigations if a preliminary question forms the object of another proceeding.

4What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?

Yes, for the opening of a criminal investigation, an ‘initial suspicion’ is required. Pursuant to section 1, paragraph 3 of the StPO, this is the case whenever specific indications give reason to suspect that a criminal offence has been committed.

5How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?

Persons suspected of a crime have a right against self-incrimination (see question 27). However, non-compliance with a notice to produce documents or a subpoena to appear before the investigation authority may lead to coercive measures, such as house searches. A coercive measure can be challenged by means of a complaint, arguing, for example, that the measure violates the principle of proportionality (section 87, StPO). If documents are protected by attorney–client confidentiality, an objection to the temporary securing can be filed and the sealing of the documents or data can be requested, to obtain a court decision to release the data (see question 26).

6Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?

See questions 28 and 51. The intention of the leniency programme is to promote assistance from the perpetrator of a crime, to detect and prosecute other crimes that could otherwise not, or only with great difficulty, be investigated. In this way, both the state and the perpetrator derive benefit from the leniency programme.

7What are the top priorities for your country’s law enforcement authorities?

Fighting corruption is an express priority of the current government, more specifically the Austrian Ministry of Justice. Since Austria’s ratification of the UN Convention Against Corruption in January 2006, a – more or less – constant improvement of the anti-corruption laws could be observed. A number of legislative improvements have been implemented to fight corruption, including the creation of the Federal Bureau of Anti-Corruption in 2010 and the WKStA in 2011 (see question 3).

Cyber-related issues

8Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.

The Austrian Act on Security of Network and Information Systems (NISG) was enacted in 2018 to implement the corresponding EU Directive (2016/1148 concerning measures for a high common level of security of network and information systems) as the first EU-wide regulation on cybersecurity. It obliges companies to establish comprehensive security measures and to prove their effectiveness. Failure to comply with the requirements of the NISG could result in penalties and loss of reputation. The focus of the NISG is on operators of essential services that are of major importance, in particular for the maintenance of public health services, the public supply of water, energy and vital goods, public transport, and the functionality of public information and communication technology, the availability of which depends on network and information systems.

Additionally, the General Data Protection Regulation (GDPR) must be considered in connection with requirements of cyber­security (see question 22).

9Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?

In 2013, the European Parliament enacted Directive 2013/40/EU on attacks against information systems, which was incorporated as part of Austrian national (criminal) law in 2015. The Directive seeks to ‘approximate the criminal law’ in the area of cybercrime and to improve co-operation between competent authorities.

Moreover, a cybercrime competence centre to combat computer crime was set up as a separate unit within the Austrian Federal Criminal Police Office. The cross-border prosecution of computer-related crime in the European Union is coordinated by the European Cybercrime Centre, set up by Europol.

Cross-border issues and foreign authorities

10Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.

Austrian criminal law has no general extraterritorial effect (section 62 of the Austrian Penal Code (StGB)). Criminal offences committed on an Austrian ship or aeroplane are subject to the StGB, as are certain offences regardless of the criminal law of the location of the offence, including economic espionage, criminal offences against an Austrian official, human trafficking, terrorism, corruption and several other types of major crimes (section 64, StGB).

Other offences committed abroad are only subject to Austrian criminal law (1) if the offence is also punishable under the laws of the place where the offence is committed, (2) if the offender is Austrian or is arrested in Austria and cannot be extradited, and (3) none of the exceptions set out in section 65(2)4 of the StGB applies.

11Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.

The co-operation between Austrian prosecutors and their counterparts in other EU Member States is greatly facilitated by three instruments: the European evidence warrant, the European investigation order (EIO) and joint investigation teams (JITs). Hereafter, the focus of our discussion is on the latter two. Also of relevance is the Law on Judicial Cooperation in Criminal Matters.

The EIO replaces the classic system of judicial assistance, as it allows the competent authority of one EU Member State (the issuing state) to order, after validation by a court or public prosecutor of the issuing state, the execution of most acts of investigation, including coercive measures, in another EU Member State (the executing state) (Article 2, Directive 2014/41/EU of 3 April 2014). Subject to certain grounds for non-recognition, non-execution or postponement, the executing state must ensure the execution of the order as if the investigative measure concerned had been ordered by a domestic authority (Article 9, Directive 2014/41/EU). The national law of the executing state may provide that authorisation by a domestic court is required (Article 2(d), Directive 2014/41/EU). When this is not the case, the EIO may be directly executed by the executing authority.

JITs are multinational investigation teams based on an agreement between two or more law enforcement authorities in EU Member States and are set up to investigate a specific matter for a fixed period. The co-operation can be extended to non-EU Member States if all other participating parties agree.

By contrast, the co-operation between Austrian prosecution authorities and non-EU Member States (and Denmark) still follows traditional judicial assistance practice based on the principle of reciprocity and governed by international agreements and, when these do not contain a governing rule, the Extradition and Judicial Assistance Law, which only applies in ongoing criminal proceedings in Austria; it does not apply to administrative proceedings. Unless an international agreement provides for direct judicial assistance, the Austrian authorities must request judicial assistance through the Federal Ministry of Justice. Moreover, unlike in an EIO, the public prosecutors must request and obtain court authorisation from the domestic court for co­ercive investigation measures.

Finally, special challenges arise when investigations relate to countries with strong secrecy rules, for example Swiss banking secrecy.

12Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?

The transnational effect of the ne bis in idem principle (established in section 17(1), StPO) is based on international agreements to which Austria is a party (see Alois Birklbauer in Fuchs and Ratz, Wiener Kommentar zur Strafprozessordnung, section 17). Of particular importance for the transnational effect of the principle is Article 54 of the Convention implementing the Schengen Agreement (the implementing Convention), which prohibits prosecution for ‘the same offence’, if a person has been ‘finally judged’ and has already served, or is serving, a sentence in another contracting state (note that Austria has made declarations relating to all exceptions enumerated in Article 55 of the implementing Convention).

In the context of Article 54 of the implementing Convention, Austrian authorities apply different concepts of ‘same offence’ to different situations. For a criminal court, confronted with a previous sentence of another criminal court, the previous sentence deploys a blocking effect in relation to the same factual matrix. This concept is favourable for the accused. By contrast, a criminal court can convict an accused on the same facts if the accused was previously sanctioned by an administrative authority (rather than a criminal court) and the sanction did not fully correct the injustice done.

Article 54 of the implementing Convention speaks of a person who has been ‘finally judged’. According to both case law and legal scholarship, the concept of final judgment encompasses all judgments that conclude a main trial, namely both convictions and acquittals. No differentiation is made by the Court of Justice of the European Union (CJEU) between an acquittal based on a judgment on the merits or a procedural judgment. Moreover, the closure of proceedings by the prosecution authority without the involvement of a court has a blocking effect for the purpose of Article 54 of the implementing Convention if it is the result of an action for compensation (in Austria, this is called diversion – see question 51) brought by the person under investigation and the closure is final (Gözütok and Brügge, CJEU judgment of 11 February 2003, C-187/01, C-385/01). Other provisions dealing with previous convictions abroad are section 192 of the StPO and section 66 of the Austrian Penal Code (StGB).

A further provision entitling criminal prosecutors to refrain from prosecution is contained in section 192(1) of the StPO (which applies in cases falling outside the scope of the implementing Convention or other international agreements), provided that the suspected person is charged with several offences, the person has already been convicted by a foreign court for the offence, or the person has made compensation abroad and as a result has been exempted from further prosecution (diversion), and no more severe penalty is to be expected in Austria. Finally, pursuant to section 66 of the StGB, Austrian courts must take into account a punishment for the same crime imposed and served abroad. Otherwise, the Austrian legal system does not provide for a ‘anti-piling on’ policy.

13Are ‘global’ settlements common in your country? What are the practical considerations?

Global settlements are not common in Austria. For the effect of a diversion in EU Member States, see question 12.

14What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?

See question 12, and paragraph 17 of the Preamble to Directive 2014/41/EU regarding the European investigation order in criminal matters, which allows an EIO aiming ‘to establish whether a possible conflict with the ne bis in idem principle exists’.

Economic sanctions enforcement

15Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.

Austria itself has not imposed any sanctions against other states. However, for the Austrian economy, the sanctions imposed by the European Union on various states, for example in connection with Syria or Russia, must be considered.

16What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?

Parallel to the (primarily) EU sanctions that should be taken into account, a supplementary Austrian Sanctions Act (SanktG) is in force, which regulates, for example, domestic implementing measures of sanctions of the European Union or the United Nations and penal provisions relating to any violation of imposed sanctions.

According to published crime statistics, there has been no conviction under the SanktG – which is only a subsidiary offence – in recent years.

There has been no apparent increase in the enforcement of sanctions violations, based on publicly available information.

17Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?

Yes. The co-operation is based on the existing European legal instruments (see question 11).

18Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.

Austria, itself, has not enacted any blocking legislation. However, see question 60 regarding Council Regulation (EC) No. 2271/96 protecting against the effects of the extraterritorial application of legislation adopted by a third country (the Blocking Statute).

19To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?

Austria, itself, has not enacted any blocking legislation. However, see question 60 regarding the Blocking Statute.

Before an internal investigation

20How do allegations of misconduct most often come to light in companies in your country?

Occasionally, allegations of misconduct arise out of tax audits. It is also not infrequent that competitors and victims of misconduct bring unlawful conduct to the attention of the authorities. Other common ways are chance discoveries of an offence, whistleblowers, standard screening processes, suspicious activity reports, internal audits, tax reporting, compliance and media reports.

Information gathering

21Does your country have a data protection regime?

EU regulations on data protection – with their usual high standards – are applicable in Austria. The GDPR, which is directly applicable in all EU Member States, became effective on 25 May 2018. In addition to the GDPR regime, the Austrian Law on Data Protection (DSG) has further provisions on data protection, and on institutional and procedural aspects.

Personal data is defined as any information relating to an identified or identifiable natural person (see Article 4, GDPR). When it comes to the processing of personal data during an internal investigation, companies must comply with GDPR stipulations. According to Article 5 of the GDPR, personal data shall be collected only for specific, explicit and legitimate purposes and, inter alia, be processed lawfully, fairly and transparently. In that regard, the processing of personal data is lawful only if the data subject has given consent and if it is necessary, inter alia, for:

• the performance of a contract or responds to the data subject’s request prior to entering a contract;
• compliance with a legal obligation to which the data’s controller is subject; or
• the purpose of the legitimate interests of the data’s controller (see Article 6, GDPR).

Moreover, the GDPR provides for a catalogue of rights applicable to data subjects, including the right to be informed about the processing and storage of personal data, the purpose of data processing and the duration of storage. Furthermore, the GDPR provides for a data subject’s right to file a complaint with the relevant supervisory authority (see question 22) if the processing of personal data may have violated data protection rights.

22To the extent not dealt with above at question 8, how is the data protection regime enforced?

As is widely known, infringements of GDPR provisions are sanctioned by severe administrative fines, which can amount to €20 million or 4 per cent of the corporation’s annual global turnover, whichever is higher. Implementing the GDPR provisions, Austria’s Data Protection Authority (DSB) was established to monitor the application of the Regulation and, as Austria’s supervisory public authority, is competent to enforce GDPR provisions.

As an exceptional measure in implementing GDPR provisions, the Austrian legislature added its own provision regarding the DSB’s use of corrective powers (see Article 58, GDPR). According to section 11 of the DSG, the DSB shall make use of its corrective powers under Article 58 of the GDPR, particularly in the case of first-time infringements, primarily by issuing warnings. Since the GDPR does not entitle EU Member States to direct supervisory authorities on how to exercise their powers, this provision may violate the DSB’s independence, under Article 52 of the GDPR.

23Are there any data protection issues that cause particular concern in internal investigations in your country?

As in all EU Member States, GDPR provisions must be considered carefully when data is processed. The term ‘processing’ is defined as any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation upon, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (see Article 4, GDPR).

During an internal investigation, a considerable amount of evidence, including personal data, will be processed by collecting, storing, using, disclosing, etc. To comply with GDPR provisions, it should be well documented which data is classified as personal and which as non-personal. Furthermore, investigating companies should document in detail the purpose of processing personal data and comply with GDPR provisions regarding storage limitations, integrity and confidentiality. Besides that, companies should be especially careful when it comes to transnational data transfers, especially from or to non-EU Member States.

24Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?

Private email accounts or telephone conversations may not be monitored by the employer under any circumstances.

The protection of the employee’s privacy must also be observed regarding professional emails or telephone calls. Monitoring affects human dignity and triggers the employee’s or works council’s obligation to give his or her prior consent. The obligation of pre-approval does not depend on whether the private use of the professional email account or internet connection is permitted by the employer; it applies in every case, unless higher interests justify the screening of the company’s data. In any event, the GDPR must be considered (see question 21).

Affected employees can assert injunctive relief claims and, if necessary, contact the DSB (see question 22).

Dawn raids and search warrants

25Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.

With the approval of the court, the public prosecutor may order the search of a specific location – for instance, an office building – to collect, temporarily secure or seize evidence, or any kind of assets that may serve as evidence, not only for the subsequent phases of the proceedings but also for the sole purpose of securing civil claims of parties injured by the (alleged) criminal offence (section 119(1), StPO). In cases in which there is a risk that by waiting for a court order the evidence may become unavailable, the public prosecutor may order the search of a location before seeking court approval (section 120, StPO).

Persons in possession of documents, data carriers or assets that form the object of a request for temporary securing are under a legal duty to comply unless they are suspected of the underlying offence or discharged from testifying, or have a right to refuse to give evidence (section 111, StPO). However, the public prosecutor can obtain the evidence by coercive means, such as a house search. Regarding the protection of privileged material, see question 26.

In addition to prior or subsequent court approval, house searches are subject to certain prerequisites. Most importantly, there must be a founded suspicion (this threshold is higher than the initial suspicion required to open investigations – see question 4) and the coercive measure needs to comply with the principle of proportionality. A temporary securing or seizure is not lawful if a less intrusive means is available (for instance by photocopying documents – see section 110(4), StPO).

Persons against whom a search warrant was issued, or whose premises have been subject to a search, can file an objection with the competent public prosecutor within six weeks of the measure (section 106 StPO). The public prosecutor can either comply with the objection or, within four weeks, pass the objection to the competent criminal court.

26How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?

Attorney work-product and attorney–client communications are protected in several ways. Attorneys (and a small number of other professions) have a legal duty of confidentiality and a right to refuse to give evidence (section 157, StPO). The duty may not be circumvented. This prohibits the seizure of attorney documents and the information contained therein at the attorney’s premises and, since November 2016, also at the premises of clients under suspicion or accused in criminal proceedings. The attorney–client confidentiality only extends to the attorney’s work-product and attorney–client communications created for the purpose of defending the client and not to previously existing evidence.

Any person subject to or present during a measure of temporary securing may object to the temporary securing of material protected by attorney–client confidentiality (sections 106 and 115, StPO). In the case of such an objection, documents and data carriers have to be sealed and presented to a court, which must decide promptly whether the evidence is protected (section 112, StPO).

27Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?

Accused individuals or companies have a right to avoid self-incrimination. In the case of a corporation, the managers (persons in charge) and the employees suspected of having committed an offence are to be interrogated as accused (section 17(1), VbVG). It is forbidden to use coercive measures (or promises or misleading statements) to induce the accused to make a statement (section 7(2), StPO). Pursuant to section 166 of the StPO, compelled testimony is classed as prohibited evidence and is null and void.

Relatives of the accused are discharged from the duty to testify (section 156(1)1, StPO) and witnesses can refuse to testify if they would incriminate themselves or expose a relative to the risk of criminal prosecution (section 157(1)1, StPO). On attorney–client confidentiality, see questions 26 and 38.

Privileges exist for members of certain professions, such as lawyers, auditors, medical doctors, psychiatrists, mediators, priests and reporters (section 157, StPO).

Whistleblowing and employee rights

28Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?

Whistleblowers can bring alleged offences anonymously to the attention of the WKStA through a whistleblower website, for which a legal basis was created in 2015.

A whistleblower may benefit from the crown witness regulation (section 209a, StPO). This regulation concerns serious offences and is available, if the witness freely confesses his or her contribution to the offence, if the information disclosed is new and not yet part of an investigation against the witness, and if it contributes substantially to the investigation. Subject to further prerequisites (section 209a, StPO), criminal prosecutors may terminate the investigations against such a person, for example in return for payment of a monetary contribution. This will generally be less than a fine imposed by the court in the event of a conviction, which can also create a financial incentive.

Similarly, section 11b of the Austrian Act on the Establishment of a Competition Law Authority also contains a crown witness regulation. Other provisions on whistleblowing are contained in section 160 of the Federal Law on the Stock Exchange 2018 (BoerseG).

29What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?

Employers have a duty of care towards their employees, including those in an executive or managerial position (section 1157(1), Austrian Civil Code; section 18(4), Law on Employees (AngG). Pursuant to this duty, the employer must, inter alia, respect the private life of employees, protect their honour and treat them equally. This also has an effect on the conduct of internal investigations. Prior to an interview, the employer (or third party acting for the employer) should, for instance, inform employees that they may be accompanied by their own legal representative, at least in situations of a (potential) conflict of interest. For protection provided by other branches of law, see question 48.

30Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?

A finding of misconduct will frequently destroy the trustworthiness of an employee and justify dismissal. However, a mere suspicion of a criminal offence is insufficient. Stricter standards apply to employees in executive positions (Decision of the Austrian Supreme Court, RS0029652).

Under Austrian law, an employer may only dismiss an employee without giving notice if the employer exercises this right immediately after becoming aware of the reason justifying the dismissal (Decision of the Austrian Supreme Court, RS0029131). Employers forfeit this right if they fail to exercise it immediately (a requirement that has proved controversial in cases of a suspected criminal offence – see Silke Heinz-Ofner in AngG: Angestelltengesetz – Kommentar, Reissner (editor), 2nd edition, section 27, No. 52). If there is any doubt, an employer can suspend an employee until the investigation yields more evidence.

31Can an employee be dismissed for refusing to participate in an internal investigation?

Employees have a duty of loyalty to their employer and a duty to inform (for the employer’s corresponding duty of care, see question 29). Whether this duty gives rise to an obligation to answer the questions of private investigators that may reveal personal misconduct is a matter of controversy in Austrian scholarship. On the one hand, it is recognised that the right against self-incrimination is only applicable as regards state authorities. On the other, it has been argued that an employee must have some right against self-incrimination, if the internal investigation forms a prelude to criminal investigation, since the employee would otherwise be effectively deprived of his or her defence rights in criminal proceedings (see, for example, Ingeborg Zerbes, ‘Strafrechtliche Grundsatzfragen “interner Untersuchungen”’, Jahrbuch Wirtschaftsstrafrecht und Organverantwortlichkeit 2013, 263, at pages 271 and 272). To our knowledge, the matter has not yet been decided by a court.

Commencing an internal investigation

32Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?

Austrian corporations follow the international practice of setting out the terms and the personal, material and temporal scope of an internal investigation in a document. The issues usually covered include:

• person acting as internal investigator;
• definition of types of documents and electronic data (correspondence, documents) and method of screening;
• internal or external interviewers;
• persons to be interviewed;
• definition of documents or (provisional) outcomes of the internal investigation with which the interviewees will be confronted;
• channels of communication;
• involvement of an accounting department;
• definition of spheres of confidentiality;
• phases of the internal investigation;
• point in time of informing persons whose data is used; and
• treatment of data during and after completion of the investigation.

33If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?

In principle, companies are under no legal duty to bring misconduct to the attention of enforcement authorities. Doing so can allow a company to benefit from the crown witness regulation (see question 28) or from gaining ‘victim status’ (as an injured party) rather than being treated as a suspect in the proceedings. Reporting duties can arise from rules on corporate governance and company law, depending on a company’s size and other relevant factors (see, notably, the requirement of a status report pursuant to section 243 et seq. of the Austrian Commercial Code). Managing directors of public limited companies must report to the president of the supervisory board any violations, or any suspicions of violations, that are of significant consequence to the company, and managing directors of limited liability companies have a corresponding duty to report to the shareholders.

See also question 73 regarding the duty of publicly listed companies to issue ad hoc notifications.

34What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?

As a general rule, everyone is under a legal duty not to destroy material that may become relevant in a legal dispute. Suppression of evidence is a criminal offence (section 229, StGB).

Advisable measures include the search and preservation of relevant data and the drawing up of an internal memo recording the findings. Companies should also review the settings of deletion routine and instruct employees not to delete any emails, nor to destroy relevant data.

35At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?

See questions 33 and 73.

36How are internal investigations viewed by local enforcement bodies in your country?

The views of local enforcers can vary. Internal investigations may be regarded as helpful, especially if the results are shared with the prosecution, or as a fig leaf that obfuscates rather than assists the criminal investigation. The sharing of the results of an internal investigation may be taken into account as a factor leading criminal prosecutors to refrain from prosecution (section 18, VbVG – see also question 51).

Attorney–client privilege

37Can attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?

If an attorney is conducting an internal investigation or mandates a third party (see question 45), products such as investigation reports are covered by attorney–client confidentiality (see question 26). It is recommended to store attorney work-product so that the data continues to belong to the attorney, for example using only a SharePoint provided by the attorney. In this way, objections and challenges in the case of a house search at a client’s or third party’s premises can be avoided.

38Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?

The holder of the confidentiality obligation is the attorney. He or she owes it to the client and the client may release the attorney from the duty. However, attorneys are under no duty to testify. Even if the attorney is released from the duty of confidentiality by the client, he or she still must consider the potential to cause damage to the client when testifying and, if required, refrain from testifying. If, on balance, a refusal to testify serves an attorney’s client’s interests better, he or she is under a duty not to testify. The confidentiality obligation applies regardless of whether the client is an individual or a company.

39Does the attorney–client privilege apply equally to in-house and external counsel in your country?

The attorney–client privilege applies only to external counsel.

40Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to (internal or external) investigations in your country?

Section 157 of the StPO (see question 26) stipulates that lawyers are entitled to withhold testimony. This applies to Austrian lawyers and to lawyers from other European countries who can work in Austria as service providers or as European lawyers in private practice in accordance with EIRAG (Federal Act on the Free Movement of Services and the Establishment of European Lawyers and the Provision of Legal Services by Internationally Active Lawyers in Austria). It has not yet been decided whether a non-European lawyer may also invoke the obligation of confidentiality under Austrian law in Austrian proceedings. In our opinion, this would have to be permissible otherwise the procedural right of the accused client to avoid self-incrimination could be circumvented. In practice, Austrian courts respect the right of a private practitioner to refrain from testifying against the interests of a client.

41To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?

There is a general understanding that waiver of the attorney–client privilege is necessary to obtain co-operation credit. However, no legal rule exists that would render a waiver mandatory. As noted under question 38, attorneys may be under a duty to insist on confidentiality even if a client has discharged them from it.

42Does the concept of limited waiver of privilege exist as a concept in your jurisdiction? What is its scope?

It is not possible to limit disclosure of information to the prosecuting authority for the whole duration of the proceedings. The prosecuting authority must share relevant information with the parties who have access to the criminal file. It can only grant confidentiality for a limited period but will ultimately have to disclose it.

Accused or suspected persons may release their attorneys with regard to certain aspects of the facts only. As explained in questions 38 and 41, attorneys are under no obligation to testify, even if they are released from their duty of confidentiality.

43If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?

There is no legal requirement in Austria to waive attorney–client confidentiality. However, if information is in the public domain, it is no longer protected. If information is made part of the criminal file, the prosecution may restrict access only for a limited time.

44Do common interest privileges exist as concepts in your country? What are the requirements and scope?

Given the fundamental difference between the discovery provisions under Austrian law and those applicable in common law jurisdictions, there is no need for a US-style concept of common interest privilege.

Third parties to whom information was disclosed may not have a duty to keep the information confidential or may not benefit from a right to refuse to testify.

45Can privilege be claimed over the assistance given by third parties to lawyers?

Where it is necessary for an attorney to resort to third parties (e.g., a forensic or accounting expert) for the purpose of carrying out his or her own mandate, these third parties are considered as assistants of the attorney and information they obtain or the work-product they produce is confidential (section 9(3), Law on Attorneys; see also Alexander Tipold and Ingeborg Zerbes in Fuchs and Ratz, Wiener Kommentar zur Strafprozessordnung, sections 110 to 115, No. 30).

Witness interviews

46Does your country permit the interviewing of witnesses as part of an internal investigation?

Yes. Based on their duty of loyalty, employees must participate in such interviews (for limitations, see questions 29, 30 and 31). If the interview is conducted by an Austrian lawyer, he or she must refrain from influencing the witness’ future statements.

47Can a company claim attorney–client privilege over internal witness interviews or attorney reports?

There is no case law confirming that attorney–client confidentiality covers interviews conducted by, or reports drafted by, attorneys on the instruction of their client. However, based on the general principles outlined in questions 26 and 37, it must be presumed that such information is protected. The attorney–client privilege applies in the same way regardless of whether the client is an individual or a company.

48When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?

Any interview has to be conducted within the confines set by law, notably the employer’s duty of care towards its employees (see question 29), the protection of privacy, substantive criminal law and data protection law. Data protection law requires, inter alia, the respect of the principle of proportionality in using data. In most situations, recording the interview will require the agreement of the interviewee, but may also be justified by the prevailing interests of the company (section 12(2), DSG).

Whether further legal restrictions apply, in particular the right against self-incrimination, is subject to debate in Austria (see question 31). As long as the current legal uncertainty persists, it seems advisable to at least inform interviewees of their potential right against self-incrimination and their right to legal representation. There is no duty of care between a company and third parties who are not employees.

If the interview is conducted by an attorney, the attorney will have to comply with the attorneys’ code of conduct. This requires the attorney to inform the interviewee about the capacity in which he or she is acting and by whom he or she was instructed. Attorneys conducting interviews are required, moreover, to avoid influencing the witness’ future statements.

49How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?

Interviews are usually conducted by two interviewers with the help of a questionnaire. It is common that a written record is taken of the interview. Less frequently, interviews are recorded (see question 48). Depending on the circumstances, the interviewee may be presented with documents. Especially in the case of a potential conflict of interest between the interviewee and the interviewer or company, an employee may be accompanied by his or her own legal representative (see question 48).

Reporting to the authorities

50Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?

There is no legal duty for private companies to report misconduct to law enforcement authorities. There may be such a duty for state companies exercising sovereign power.

51In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?

Self-reporting may be advisable in circumstances in which the company can take advantage of a leniency programme, such as through the crown witness regulation (see question 28) or the diversion procedure, or to gain victim status in the proceedings (as an injured party) rather than facing the risk of accusation.

Diversion in relation to corporations is regulated in section 19 of the VbVG. Pursuant to this provision, the public prosecutor must close a criminal prosecution against a corporation if certain requirements are met. These include that the alleged offence is liable to ex officio prosecution, the facts of the case are sufficiently established (here self-reporting may be essential), the personal culpability of the accused is not grave, the consequences of the alleged wrong­doing was appropriately compensated by the payment of damages, and the punishment of the corporation is necessary for reasons neither of special nor of general prevention.

Moreover, dropping charges pursuant to section 19 of the VbVG is subsidiary to section 18 of the VbVG, which entitles public prosecutors to close a criminal prosecution against a corporation if punishment seems unnecessary considering a number of factors, including the conduct of the corporation after the alleged offence (here self-reporting may again be of particular importance), the seriousness of the alleged offence, the amount of the fine to be imposed, and the detriment suffered by the corporation owing to the misconduct.

To take advantage of the leniency programme, it is important, inter alia, to self-report before the criminal prosecution becomes aware of the alleged misconduct. The disclosure should include all companies and persons who are to benefit from the leniency programme. Owing to the complexity of the procedural rules, it is highly recommended to engage a local lawyer to secure the benefits of such a programme.

In cases involving misconduct in several countries, the advice will have to take into account the principle of ne bis in idem. It is essential to form a strategy considering all countries having criminal or regulatory jurisdiction over the case simultaneously.

52What are the practical steps you need to take to self-report to law enforcement in your country?

See question 51. In any event, a local lawyer who specialises in business crime law should be engaged before taking any practical steps of self-reporting in Austria. The disclosure can be made anonymously, using, for example, the WKStA’s whistleblowing tool, or openly by providing the names of all involved parties, as is especially the case when seeking leniency.

Responding to the authorities

53In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?

Companies should immediately inform their attorney of a notice or subpoena and should, in most cases, seek to enter into a dialogue with the law enforcement authority. In most instances, this will be initiated by calling the authority to arrange a meeting between the company and its attorney at the authority’s offices.

54Are ongoing authority investigations subject to challenge before the courts?

The only remedy to challenge an ongoing investigation is a motion to terminate the prosecution (Einstellungsantrag), which can be filed with the public prosecutors, at the earliest, three months after the opening of the investigation (section 108, StPO). The public prosecution may either close the prosecution or pass the motion to the court, with an (optional) statement of its position. Generally, the motion is likely to succeed if it is filed with the blessing of the authority or even if an initial suspicion is lacking. However, if the authority is of the opinion that further facts need to be clarified, the court would usually allow the investigation to continue and dismiss the motion.

55In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?

The company may regard the two proceedings as separate and handle them separately. However, a negotiation of disclosure packages with authorities from various countries is advisable, especially if the prosecution teams co-operate closely. In any event, companies are well advised to safeguard consistency.

56If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for, and produce material, in other countries to satisfy the request? What are the difficulties in that regard?

Companies are not required to search for and produce material, whether they are located in Austria or abroad. Orders for temporary securing of evidence (see question 25) can extend to documents abroad, but require either traditional judicial assistance or, between EU Member States, an EIO (see question 11).

Although there is no obligation, it may be advisable for a company to search for documents and produce them to avoid coercive measures, such as house searches.

57Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?

See question 11.

58Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?

Austrian officials may not disclose any secret entrusted or accessible to them by virtue of their office (section 310, StGB). In practice, leaks to the public are quite common in Austria as soon as a more extensive number of parties have access to the criminal file (see question 42). In addition, in cases of public interest, the authorities are expressly required to keep the public informed (see also question 70 concerning the Media Decree of the Ministry of Justice). This duty to inform compromises the duty of confidentiality to a certain extent.

59How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?

If the company does not want to disclose the document, we would advise the public prosecutors that our client is not entitled to disclose the document. If the company prefers to disclose the document, we would inform the public prosecutors that they have to resort to coercive measures based on judicial assistance or an EIO to obtain the document in the country where the document is located (see question 11).

60Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?

On 7 August 2018, the European Union enacted an updated Blocking Statute to nullify US sanctions on countries trading with Iran, after the US announced sanctions against those countries following its withdrawal from an agreement permitting trade if Iran curtailed its nuclear programme. The 2018 Blocking Statute essentially prohibits companies within the European Union from direct or indirect (via subsidiaries or intermediary persons) compliance with the laws listed in the US Sanctions Annex. It also does not recognise any verdicts by courts that enforce US penalties. Reuters described the Blocking Statute more ‘as a political weapon than a regulation’, as its rules are ‘vague and difficult to enforce’.

Otherwise, the term ‘blocking statute’ is not part of Austria’s legal system. Of course, in cross-border cases, complying with a notice or subpoena in one country may often have implications in other countries. For example, a potential waiver of privilege is an important negative side-effect to consider. We have seen Austrian authorities accept well-argued excuses arising out of restrictions provided by foreign law, such as the potential waiver of privilege.

There is no blocking statute in Austria. However, the applicable data protection law, including the GDPR, must be considered in this regard, as it contains several requirements in connection with the cross-border transfer of data (see questions 21 to 23).

61What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?

Voluntary production of evidence may expose the management and board members who authorised the disclosure to liability, whereas compelled production entails no exposure to any liability.

As discussed in question 58, third parties with a duly substantiated legal interest may access the file of criminal proceedings, unless conflicting private or public interests prevail (section 77, StPO). Confidentiality therefore only extends to persons who lack a legal interest. The general public may gain knowledge of information contained in the file through the media. The accused, the defence lawyer, victims and third parties entitled to access the file are subject to regulatory restrictions (section 54, StPO) when passing on information obtained from the criminal file, in particular, when passing it on to the media. The media must take due account of the presumption of innocence when using the evidence and respect data protection laws (see question 60). Officials are under a duty of confidentiality (see question 58).

Prosecution and penalties

62What types of penalties may companies or their directors, officers or employees face for misconduct in your country?

Pursuant to the VbVG, corporations are subject to fines, which are measured in units per day, and to court directives (e.g., to compensate for harm done or to implement a proper compliance system). The current maximum fine for companies is €1.8 million (depending on the corporation’s earnings). Moreover, they can be ordered to make redress, most notably in the form of compensation for harm done and donations to charity. The corporation cannot be indemnified by directors, officers or employees for fines imposed against the corporation (section 11, VbVG). However, the company may pursue its representatives for damages arising from a breach of their employment duties.

Natural persons are subject to the whole set of penalties and other sanctions if they are found (personally) guilty of an offence (section 18 et seq., StGB).

63Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?

Pursuant to the Federal Law on Public Tenders 2018 (BVergG), a company can be excluded from public tenders if one or more of its managers are convicted of an offence that casts doubt on the professional reliability of any of the managers. Companies participating in a public tender must provide proof of professional reliability by submitting criminal records issued by their home country (section 82(2), BVergG). However, a company may establish that, notwithstanding such a reason for exclusion, its professional reliability is guaranteed, notably by implementing measures preventing future offences.

64What do the authorities in your country take into account when fixing penalties?

Section 5 of the VbVG contains a non-exhaustive list of aggravating and mitigating factors. Aggravating factors include gravity of harm done by a corporation, benefit flowing from the offence for the corporation, and toleration or facilitation of misconduct by employees. Mitigating factors include preventive measures taken by a corporation prior to the offence, including directives to adhere to the law issued to the employees, the employees being solely responsible for the offence, the contribution to the resolution of the case, compensation of harm done, essential measures to prevent future offences, and significant economic detriment to the corporation. The sentencing of natural persons follows similar principles (section 32, StGB).

Resolution and settlements short of trial

65Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?

Non-prosecution agreements are not available in Austria. For the dropping of charges through diversion and closure of proceedings pursuant to section 18 of the VbVG, see question 51. The closure of a criminal prosecution by diversion has the advantage that the corporation is not condemned and no entry is made in the criminal register for corporations. The amount paid as a fine is also less than a fine imposed following a conviction for the same offence.

66Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?

Law enforcement authorities have a duty to confidentiality (see question 58). For the possibility of limiting disclosure of information of the case files, see question 42.

67Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?

Austrian law does not allow for settlements with law enforcement authorities. Under very limited terms, it is possible to resolve criminal prosecution by diversion (see question 51) or to benefit from the crown witness regulation (see question 28).

68To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?

As far as publicly known, Austrian law enforcement authorities have not yet used external corporate compliance monitors as an enforcement tool.

69Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?

Under Austrian law, private parties may declare a joinder of their civil claims to the criminal proceedings (section 67, StPO). Private plaintiffs who make a joinder declaration may access the criminal file insofar as their interests are affected (section 68, StPO).

Publicity and reputational issues

70Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.

Investigations are not public in Austria (section 12, StPO). If a matter is deemed to be in the public interest, the prosecutor is asked to inform the public about the status of an investigation through the media offices of the larger courts and the public prosecutors. The co-operation of the prosecution authorities and courts with the media is governed by the Media Decree of the Federal Ministry of Justice JMZ 4410/9-Pr 1/2003, dated 12 November 2003.

Main trial and appeal proceedings are in the public domain (section 12, StPO), but may neither be broadcast on the radio or television, nor recorded by audio or visual means (section 228(4), StPO). In cases of public interest, it is common to have online live news ticker reporting. There are some exceptions to the principle of the public nature of a trial, including for reasons of public policy or to safeguard legitimate interests of the accused, witnesses or third parties.

However, a criminal file is accessible only to the accused and his or her defence lawyer, victims, private plaintiffs, and parties with a duly substantiated legal interest (section 77, StPO; see questions 61 and 69).

71What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?

It is common to use public relations (PR) firms. The author strongly recommends using firms that specialise in litigation PR and crisis management.

72How is publicity managed when there are ongoing related proceedings?

The PR strategy should not only focus on managing the criminal trial, but also include all aspects of the legal matter, including (potential) civil liability matters.

Duty to the market

73Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?

Pursuant to section 155 of the BoerseG in conjunction with Regulation (EU) No. 596/2014 (the Market Abuse Regulation), companies publicly listed at the Vienna Stock Exchange must issue ad hoc notifications regarding inside information, namely information that has not been made public and, if it were made public, would be likely to have a significant effect on the price of the company’s shares or other related financial instrument. Under certain circumstances, immediate disclosure can be delayed, in particular if it would impair the company’s interests, the public is not misled and the fact that a settlement has been reached can be kept confidential to the point of its intended disclosure (see Article 17(1), Market Abuse Regulation).

Anticipated developments

74Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?

Currently, we are unaware of any specific projects to further address corporate misconduct.

Footnotes