This is an Insight article, written by a selected partner as part of GIR's co-published content.

Internal investigations are an integral part of German corporate culture, and landmark cases include Siemens, Ferrostaal and Volkswagen. The extraterritorial reach of US and UK authorities over German corporates fuels lively discussion of the corporate, criminal and administrative offences, employment and data protection law aspects of an investigation. The scope of attorney–client privilege in internal investigations is currently under scrutiny by Germany’s highest court following the Munich prosecutor’s seizure of documents at a German law firm conducting investigations on behalf of Volkswagen. Further, the agenda of the new German government (again) contains corporate criminal liability in response to corporate wrongdoing and seeks to ‘effectively prosecute and adequately punish’ white-collar crime and to impose stricter sanctions on companies.

Corporate liability for crimes

German penal law addresses primarily the criminal liability of individuals, not of companies. Administrative liability under the Administrative Offences Act with considerable consequences may attach to a company for criminal acts of its senior management that may be attributed to the company in connection with business activities that qualify as a crime or administrative offence, including corruption of public officials, provided that the activity either violated duties of the company or enriched or was intended to enrich the company.

Administrative liability under the Administrative Offences Act also attaches directly in case the owner fails to prevent actual misconduct through negligent or intentional lack of oversight that would have prevented or materially impeded misconduct. Thus the company’s management as the owner’s representative can be held personally liable for failure to take reasonable supervisory measures to prevent criminal offences by the company’s employees. The personal administrative liability of the leading personnel for a failure of oversight can, in turn, trigger the administrative liability of the company.

The sanctions under the Administrative Offences Act are administrative fines of up to €10 million and disgorgement of profits, alternatively the forfeiture of proceeds of crime.

The new German government seeks to address certain shortcomings of the current regime. Namely, as the prosecutor currently has discretion whether to investigate or prosecute a case under the Administrative Offences Act, the prosecution of companies in Germany is patchy, at best. Thus, mandatory prosecution shall become a requirement, and the current misdemeanour law shall be upgraded to a full criminal law. Because it is likely that prosecution offices will be overburdened by the new caseload, the prosecutor shall be permitted to handle cases more flexibly and be granted extended and specific permissions to end a prosecution. The catalogue of cases where this applies will likely include situations where a company has internally investigated itself, cooperated fully with the prosecution, repaired the damage, and probably also paid a fine and accepted the disgorgement of profits. It is currently not expected that companies will be required to report themselves to the authorities, but it cannot yet be excluded that Germany will also permit a monitorship and deferred prosecution.

Corporate duty to investigate

Corporate law requires the management of a German company to establish and maintain an adequate compliance management system. As part of the obligations, the management is required to get to the bottom of compliance deficits. The extent, effort and means for an investigation have to be commensurate to the expected violations. Failure to conduct an adequate investigation can result in civil liability vis-à-vis the corporation, or criminal liability.

Data protection

A characteristic feature of investigations in Germany is strict adherence to data protection laws when using personal information.

From May 2018, the European General Data Protection Regulation (GDPR), which is a uniform data protection law across the EU member states, provides for a new set of rules for data processing in the context of investigations. Protected personal data is any information relating to an identified or identifiable individual, irrespective of his or her citizenship. The GDPR covers any use of personal data in an investigation, including the collection, search, review and transfer of personal data.

The principles of the GDPR require data processing to be lawful and data storage to be limited to what is necessary for the investigation purpose. Authorities’ overbroad data requests may conflict with the principle of data minimisation that seeks to reduce the amount of data to be processed to what is ‘adequate, relevant and necessary’ for the investigation. Further, the principle of accountability calls on the corporation to prepare a concept, memorialised in data protection documentation, that permits it to demonstrate its compliance vis-à-vis the authorities and the custodians.

German corporates are generally required to appoint a data protection officer tasked with the monitoring of data protection compliance and the liaising with the data protection supervisory authority. The officer should be involved in the discussion of data protection compliance from the outset, in particular in case the company decides to conduct a GDPR data protection impact assessment. The GDPR permits the company to enter into a shop agreement on data protection with the works council in anticipation of an investigation and in order to accelerate the process.

The hiring of external law firms and forensic service providers shall be made, inter alia, on the basis of an assessment of the technical and organisational measures taken to protect the personal data. A written data processing agreement with certain mandatory minimum data protection content is required in case of hiring outside service providers.

The GDPR has no uniform law for the employment context, and the new German Federal Data Protection Act fills the gap by replicating in essence the former strict national German data protection regime. The German legislator clarified that, if personal data of employees are processed on the basis of consent, then the employee’s level of dependence in the employment relationship and the circumstances under which consent was given shall be taken into account in assessing whether such consent was freely given. In practice, consent remains a weak legal basis for employee data processing because the employee can withdraw his or her voluntary consent at any time and thus prevent any further processing. In the absence of consent, employees’ personal data may be processed to detect crimes only if there is a documented reason to believe that the employee has committed a crime while employed, the processing of such data is necessary to investigate the crime and is not outweighed by the data subject’s legitimate interest in the data not being processed, and in particular the type and extent of data processing are not disproportionate to the underlying reason.

Internal investigations may involve the sharing of personal data with non-EU group companies, advisers or authorities. The GDPR, like the previous data protection regime, generally prohibits data transfers to non-EU countries, unless based on a European Commission adequacy decision, standard contractual clauses or binding corporate rules, or exceptions (derogations). In particular, the GDPR abolishes any additional local law requirements for data transfers to non-EU countries. If a company responds to a non-EU authority request, it can rely on the exception that permits transfers necessary for the establishment, exercise or defence of legal claims. Data protection authorities are expected to interpret the exception narrowly though and have indicated that the mere interest of such authorities or possible ‘good will’ to be obtained from the authority will not, as such, be sufficient to qualify as ‘necessary’.

In case of a violation, data protection authorities and courts may prohibit the collection, review and transfer of personal data. Further, failures to comply with the GDPR requirements may result in administrative fines of up to €20 million or up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher. The company can be civilly liable for material and non-material damages and the burden of proof that it is not responsible for the damages rests with the company.

Labour law

Works council involvement

If a German company has a works council, its early involvement can be a success factor for the investigation process. The task of the body is to protect employee interests in statutorily defined matters, in particular compliance with employment laws. Because of its statutory co-determination rights, the works council has a strong position in the investigation process. A shop agreement between the company and the works council dealing not only with data protection but also other measures used in the investigation, including the conducting of interviews, enables the council to exercise its statutory rights. In practice, a strong backing of the investigation by the works council can encourage the cooperation of the employees.

Employee duty to cooperate

A current employee is under a duty to cooperate with the employer’s investigation, in particular to attend interviews and to respond truthfully to any questions. The prevailing view is that this also holds true where the employee risks his or her dismissal or other negative consequences. Whether or not the employee is required to give self-incriminatory responses is disputed.

The general view is that the employee’s obligation to cooperate with the employer’s investigation diminishes with the growing distance of the employee from the persons and circumstances concerned within the daily work environment.

Damage claims and leniency programs

The management of a company is under a corporate duty to pursue substantiated damage claims against employees, unless other interests of the company, such as the success of the investigation or the avoiding of negative impact on the business, prevail. In order to entice employees to come forward with relevant information, the company may grant leniency in the form of a waiver of damages or dismissal rights to an individual employee or a group of employees. Leniency should not be granted from the outset but is meant as a measure to progress an otherwise ‘stuck’ investigation.

Termination requests

German companies should be mindful that certain measures agreed with foreign authorities to settle or mitigate penalties and other claims may not be enforceable in Germany for labour law reasons. In 2016, the Higher Labour Court of the State of Hesse found the termination of a German bank employee to be unlawful under German law although the bank had issued the termination upon request of the New York State Department of Financial Services (NYDFS). In addition to payment of a substantial fine, the bank had agreed in the NYDFS consent order to take all necessary steps to terminate a certain employee in Germany, whom the US authorities had found responsible for the sanctions violations. Such or similar requested undertakings might often also be part of deferred prosecution agreements with the US Department of Justice (DOJ) or other settlements with foreign authorities.

Conducting of interviews

In interviews conducted by external counsel, it is standard practice to have an ‘Upjohn’-type of warning at the beginning of the interview and to inform the employee, among other things, that:

  • investigating counsel is not acting for the employee but for the company;
  • the interview and its contents are confidential and privileged;
  • the privilege belongs to and may be waived by the company, not the employee; and
  • the company may decide to share the contents of the interview with domestic and foreign public authorities.

Whether formal written records are taken, shared with and signed by the interviewee or whether external counsel simply takes notes for its internal purposes only is a question to be decided in the individual investigation at hand. In cases involving parallel investigations against the company by the public prosecutor or other authorities, external counsel can claim attorney–client privilege only with respect to its own notes.

Employees have no right to be represented in interviews by outside counsel, members of the works council or other persons of trust. The assistance of an independent counsel may encourage the employee to be as forthcoming as possible and the communication with the employee remains protected by legal privilege. In contrast, members of the works council or other persons of trust cannot claim privilege and may have to testify before an authority about the content of the interview.

Attorney–client privilege

German legal privilege relates to the attorney’s secrecy obligation, flanked by procedural rules providing for the attorney’s right to refuse testimony and, in criminal proceedings, protection from seizure of attorney–client communication and documents pertaining to such communication. The privilege covers only the particular attorney–client relationship and communication resulting from this relationship, including attorney work product. Importantly, in criminal proceedings, privilege attaches only to communication with external counsel, but not with (admitted or non-admitted) in-house counsel.

Third-party documents and evidence other than attorney–client communication or work product can be seized from a German attorney as from any other person. The German Criminal Procedure Code specifically provides for rules for law firm searches and seizures, including limitations, to ensure the protection of privileged evidence.

Currently, the German Federal Constitutional Court is reviewing the scope of German privilege concerning evidence resulting from internal investigations in the possession of a German law firm. For example, in connection with the Volkswagen diesel emissions scandal, the Munich prosecutor searched the Munich offices of the law firm acting on behalf of the company and seized material relating to the internal investigation. The court barred the inspection of the seized material until its decision, which is expected in the first half of 2018.

Absent clear rules, German courts still differ as to the privilege protection of investigation reports in the possession of external law firms. In 2010, the Hamburg Regional Court ruled in proceedings against HSH Nordbank that the seizure of internal investigation documents from its external counsel was lawful, whereas in 2012 the Mannheim Regional Court protected an internal investigation report from seizure on the basis of new law. In 2015, the Braunschweig Regional Court extended the privilege protection from seizure to documents in the possession of the company that were prepared for legal defence purposes in anticipation of not yet instigated proceedings.

In response to those uncertainties, the new German government promises ‘clear and transparent rules’ that increase ‘legal certainty for affected companies’. It is quite unclear what this specifically aims at. Probably, the government is aiming to address the long debated issue that prosecutors are currently confiscating evidence and reports generated in internal and voluntary company investigations, as was the case with Volkswagen. Legal provisions will probably provide for limitations on the confiscation of documentation from internal investigations.

Whistleblower protection

There is no comprehensive system of whistleblower protection in Germany and no such rule exists in the field of corruption. EU law may require the enactment of whistleblower protection rules, and the German legislator implemented a rule that protects whistleblowers informing the German financial supervisory authority about actual or suspected breaches of financial supervisory provisions.

Self-reporting, cooperation, fines and settlement


There is no general obligation for German companies to self-report to or cooperate with public prosecutors or other law enforcement agencies. In practice, however, German companies will often seek to proactively report wrongdoings to the authorities because of a speciality in the German Fiscal Code according to which a taxpayer and its legal representatives are obliged to inform the tax authorities about a previously filed incorrect tax return before the end of the assessment period for the tax return. Bribery payments may often have been booked as tax-deductible expenses, thus rendering the relevant tax return false. If the management uncovers such bribery payments and fails to report the resulting change in tax-deductible expenses to the tax authorities, management may be committing the criminal offence of tax evasion, which can be punished with several years in prison. Once the tax authority learns about the alteration and underlying bribery payments, it is then obliged to notify the competent public prosecutor.

Other instances of self-reporting or notification exist in certain regulated industries (eg, financial services) with respect to the reporting of criminal offences and other misconduct to the regulator. Self-reporting may also be necessary under domestic or foreign public procurement laws to avoid black-listing. The company may also be required to self-report to law enforcement agencies and prosecutors under the laws of foreign jurisdictions.


In addition, cooperation with law enforcement authorities is often a substantial mitigating factor to reduce the company’s exposure to administrative fines and disgorgement of profits and also the exposure of its employees. In a global investigation, the need to obtain ‘cooperation credits’ with foreign authorities will also drive the cooperation with the local authorities and prosecutors in Germany. In 2015, the US DOJ in its ‘Yates Memorandum’ announced a targeted focus on investigation of senior management and reinforced its position that companies subject to investigation in the United States are required to disclose respective misconduct. The UK Serious Fraud Office has taken a similar approach. Under German labour and corporate law, the reporting of management and employees to the public authorities may require a prior balancing decision and strong proof of the underlying facts.

Thus, pros and cons of a voluntary cooperation with law enforcement agencies and coordination of the internal investigation with them should be considered early on when designing the investigation plan and strategy. An increasingly important factor is also the growing cooperation among law enforcement agencies in Germany, the United Kingdom and the United States.

Fines and disgorgement of profits

In addition to the maximum €10 million fine for every administrative or criminal offence committed under the Administrative Offences Act, the administrative penalty can include the disgorgement of profits and, in some cases, forfeiture of assets. Under federal case law, a company may be subject to forfeiture of all direct and indirect profits resulting from bribery.

In 2017, a new law on the confiscation of ill-gotten gains replaced and simplified the former rules of the German Criminal Code. The law implements Directive 2014/42/EU on the freezing and confiscation of instrumentalities and proceeds of crime in the European Union, which is meant to simplify the recovery of profits derived from serious or organised crime. Confiscation, as a sanction, is no longer limited only to certain enumerated crimes, but can be ordered with respect to any object or money that was acquired from or used for the purpose of committing a criminal act. The new law clarifies that gross proceeds remain the prime basis for calculating the amount to be confiscated, but expenses not related to the commission of the crime may still be deducted.

Pursuant to the plans of the new government as set out in its coalition treaty, the sanctions shall become commensurate with the economic power of the corporation and companies generating revenue exceeding €100 million per annum may face a fine of up to 10 per cent of such revenue. The catalogue of sanctions shall also be modified moderately, and some new rules on sentencing will be introduced. It is completely open what exactly this language of the government’s coalition treaty addresses but it is expected that the sanctions and the cooperation of the company will be related to each other. Sanctions imposed upon a company shall be published.

Settlements and DPAs

Under German criminal procedure rules, a settlement in the form of deferred prosecution agreements or non-prosecution agreements is currently not possible. A settlement with a German company occurs in the form of a negotiated ‘deal’ between the public prosecution and the company, resulting in the issuance of an administrative (sanctions) order that the company will not challenge. Most of the prominent foreign bribery cases against German corporates ended with settlements that proved to be a successful concept for both the public prosecution and the companies involved. Because of the ability to sanction companies with the disgorgement or confiscation of profits without any specific limit, companies are willing to cooperate with the courts and public prosecutors to reach a settlement. While there is no ability for the prosecutor or court to issue formal orders to compensate victims, make donations to charitable institutions, or implement a robust and effective compliance programme, the willingness of the company to undertake the above steps will be decisive for the public prosecutors to either settle the case with an out-of-court administrative order or go to court.

In 2017, Germany’s highest criminal court suggested in an unprecedented ruling that a court should also take into account in the assessment of the fines whether the company established an efficient compliance management system to prevent wrongdoing, in accordance with its statutory duty. In addition, the court found that the enhancement of an already existing system, commencing even after a crime or offence had been committed, could be considered as a mitigating factor if it is designed to prevent or significantly impede the commission of similar violations in the future.

The landmark case for settlement agreements in foreign bribery investigations in Germany is still the Siemens case. Siemens decided to fully cooperate with the Munich prosecutor as well as the DOJ and the Securities and Exchange Commission. This resulted in coordinated investigations of the three law enforcement agencies on the one hand and in parallel a full internal investigation by Siemens itself. After roughly two years, Siemens had settled the German investigations by means of two sanctioning orders:

  • one in the amount of €201 million consisting of a €1 million fine and €200 million disgorgement of profits; and
  • another in the amount of €395 million consisting of a €0.25 million fine and over €394 million disgorgement of profits.

Other similar settlements followed (MAN, Ferrostaal, Thyssen-Krupp). As shown above, any settlement discussions will focus on the disgorgement of profit element of a corporate sanctioning order. Prosecutors have discretion to reduce the penalties and, while there are no express guidelines, will look to the level of cooperation of the company, the timing of any early self-reporting and the efforts undertaken by the company to take remediating action and to install effective compliance and internal audit organisations.