Principles and Guidelines for Internal Investigations in Germany
The investigation of potential compliance violations by internal investigations is part of everyday business for German companies. Since there are no specific laws in Germany (yet) detailing how to conduct internal investigations, this chapter outlines the relevant issues and offers orientation for dealing with them in practice in the areas of corporate law, labour law, data protection law and criminal law. Lastly we provide an outlook on the current draft bill for introducing corporate criminal liability in Germany.
- Draft bill to introduce corporate criminal liability
- Obligation to conduct an investigation
- Mandatory legal requirements (regarding labour law, data protection)
- Cooperation with authorities and self-disclosure
- Attorney–client privilege
Referenced in this article
- Siemens case (2006)
- Draft bill for an act to combat corporate crime
- German Administrative Offences Act
- German Criminal Procedure Code
- German Stock Corporation Act
- German Anti-Money Laundering Act
- German Constitutional Court
- German Federal Court of Justice
- Federal Chamber of Lawyers
- EU Commission
Past and current cases show that non-compliant business conduct may have a significantly negative impact on a company’s financial capabilities and business prospects, both in its home markets and abroad. It is therefore more important than ever for companies to implement effective compliance management systems. Such systems should not only include strategies to prevent non-compliant behaviour, but also provide measures to detect and sanction misconduct. An essential element of detection is the internal investigation of suspected improper conduct.
In this way, it is possible to:
- identify if there really is misconduct;
- take appropriate action to remedy the issue and minimise the damage; and
- improve the internal controls and processes ensuring that this misconduct does not occur again in the future.
In light of the above, an internal investigation can be defined as a formal procedure that seeks to establish whether obligations applying under the relevant law or internal corporate regulations have been violated, and possibly define the corrective measures.
In deciding whether to conduct an investigation, a company should take into consideration that internal investigations may have a positive effect with regard to cooperation with the authorities. Furthermore, investigations may help ring-fence liability risks and can cover not only liability risks of the company itself, but also of its directors and officers. Internal investigations may also limit reputational risks.
In Germany, the Siemens case in 2006 put a spotlight on investigations. While internal investigations were initially limited to US-related matters, they have become more and more a part of the corporate and criminal legal landscape of various European jurisdictions over recent years. In Germany, the current coalition agreement explicitly states the government’s intention to establish legal incentives to encourage companies to support governmental investigations by carrying out internal investigations and disclosing the findings to the public authorities.
Today, the majority of listed companies in Germany and an increasing number of medium-sized enterprises have implemented guidelines for conducting internal investigations. Even where such guidelines are not already in place, internal investigations are increasingly being triggered by, among others, proceedings initiated by public authorities or by the company’s own supervisory board.
However, there are no specific laws in Germany detailing how such investigations are to be conducted and that could serve as a guideline. This chapter will analyse the key questions that may arise when conducting an internal investigation in Germany and summarise the main principles that must be observed.
Legal obligation to conduct an investigation
Under German law there are no specific legal provisions obligating companies to conduct an investigation. However, where there is reason to suspect a violation of law, other non-compliant business conduct or a breach of duty within the company, the management board has an obligation to investigate the suspicion to avoid their own liability under both corporate law and the law governing regulatory offences. Consequences as regards liability may result from the German Stock Corporation Act and the German Administrative Offences Act. Therefore, in practice, management has no discretion as to ‘whether’ to conduct an investigation, but it does have discretion as to ‘how’ the investigation is conducted (with internal resources only or with the help of outside counsel) and with regard to which measures are taken within the applicable legal framework.
Initiating an investigation
From a legal perspective, conducting an investigation could be regarded as a management task or might qualify as a specific instrument to supervise the company and its management. As a consequence, in many cases the question is whether it is the management board or the supervisory board that should be in charge (in a two-tier system) or whether the executive or non-executive directors should take the lead (in a one-tier system). However, as the saying goes, one should not put the fox in charge of the henhouse. In the event of a material involvement of management in the suspicious actions or alleged omissions, therefore, the task of setting up an investigation shifts to the supervisory board or the non-executive directors. At the time when an investigation is initiated, however, it is frequently not possible to say for sure whether the legal violations or infringements were limited to persons outside the board or not. Therefore, if an investigation is conducted within a company, it is necessary at the outset to be mindful of how a shift in responsibility from the management board to the supervisory board or from executive directors to non-executive directors might affect the investigation.
Sources of information
The main source of information in investigations is the company’s employees – in particular their personal recollection and knowledge of the case, and electronic data and other documents in their possession. It is, therefore, especially important to interview employees and review their data.
Other important sources of information for investigations are as follows.
- Any relevant business documents, files, working papers, project-related documents or emails associated with the purpose of the investigation.
- The company’s accounting data, which is usually accessed by the internal audit department during an investigation. It is very rare for an investigation to not include the accounts as part of the material under examination.
- Information from third parties, including suppliers, clients, business partners and competitors, that is provided in good faith and lawfully. Experience shows that very valuable information can come from third parties or people external to the company. It is best practice in compliance to have a whistleblower channel that is open to third parties and allows anonymised reporting.
- Freely accessible sources are also an important source of information for investigations. Public registries and courts are classic sources, but it is surprising how the internet and social media are gaining importance in investigations as a way of identifying wrongdoers or gathering information on suppliers’ or clients’ relationships with employees.
Specific legal provisions
In Germany, there are no specific legal provisions regarding the conduct and procedure of investigations. However, relevant legal provisions may be established in the near future, as the current coalition agreement explicitly provides for the introduction of legislation governing investigations, especially with regard to seizure of documents and searches.
Who should conduct the investigation?
Depending on the nature of the conduct in question and the scope of the investigation, a company has various options as to who should handle it. An investigation can be conducted by the company’s in-house counsel, the compliance department or the internal audit department or external experts (eg, legal counsel or auditors). Generally, it is advisable to engage external and specialised lawyers to conduct the investigation.
Particularly where sensitive measures are concerned, engaging outside legal counsel may allow the company to benefit, at least to a certain extent, from legal privilege and attorney work product confidentiality. As at the time of writing, neither audit nor forensics firms, nor in-house legal counsel enjoy legal privilege in Germany. With regard to external legal counsel, it is not conclusively clarified in Germany in which cases results of investigations (ie, investigation reports and interview minutes) are privileged and not subject to seizure by public authorities. However, investigations conducted by external legal counsel provide the best possible protection of legal privilege and confidentiality.
Roles of the compliance officer and the internal audit department
The compliance officer and the internal audit department play a key role in investigations. From the very beginning, when an investigation needs to be opened, the compliance and internal audit teams detect potential wrongdoings, internally uncover misconduct and operate the whistleblower channels. During the investigation, the importance of the role played by the compliance officer and the internal audit department not only rests in their ability to gather and analyse all types of evidence, but also in their experience in ensuring the investigation complies with the law and internal policies. Once the investigation is concluded, the compliance and internal audit teams are mainly responsible for guaranteeing the appropriate upstream reporting along the reporting lines and for ensuring that the decisions made in light of the investigation are implemented effectively.
In addition, it is important to highlight that the top-end corporate governance bodies do not always get involved in investigations to the same extent. In some cases, particularly in those with limited exposure, it is the compliance officer or the internal audit department that leads the investigation.
Mandatory legal requirements when conducting interviews with employees
Works council consent
Interviews with employees as part of an investigation into a specific case generally do not require the works council’s consent. Co-determination rights of the works council may be triggered if the employer selects the group of interviewees pursuant to abstract and general criteria (eg, as part of a preventive investigation) or conducts interviews based on standardised questionnaires or with the help of IT tools. Works agreements concluded with the works council can stipulate a specific process to be followed during the investigation and provide the works council with further rights.
Works council representatives in employee interviews
Statutory law provides for very limited cases in which a member of the works council can, upon the request of the employee, participate in an employee interview; that is, if the interview concerns the calculation and elements of the employee’s remuneration, performance appraisal or career development, or if the employee consults his or her personnel file. These conditions are usually not fulfilled in interviews as part of an investigation. Further rights of works council members to participate in interviews can be provided in works agreements. In practice, interviewees are frequently granted the right to be accompanied by a member of the works council to enhance their willingness to provide information.
Employees are obliged to participate in interviews conducted by their employer or lawyers representing their employer. They are obliged to provide full and true information on their employment duties (tasks and responsibilities, including supervision duties if these are part of their function), their conduct in the business, and impressions they gained in performing their duties, even if this means incriminating themselves or other employees. Under current employment law, a right to remain silent with regard to one’s employer does not exist. This might change in the future if the envisaged legislation on criminal liability of companies is introduced, which might give employees a right to remain silent to avoid incriminating themselves. In practice, employee interviews are sometimes organised according to criminal procedure standards to avoid having different standards with regard to obligations to testify (eg, if the employer cooperates closely with the prosecution authorities and provides them with interview minutes).
The right not to incriminate oneself
The constitutional right not to incriminate oneself only applies in criminal proceedings with regard to public authorities, not in investigations with regard to one’s employer or the corporate investigator. The conflict between the obligation to make truthful disclosure to one’s employer and the criminal procedural right to remain silent has to be resolved by the prosecutors. As the investigation is conducted by private individuals, the German Criminal Procedure Code and its provisions protecting the suspect in the course of criminal proceedings do not apply. However, with respect to the fair trial principle and the rule of law, there are – depending on the individual case – certain possibilities to instruct and inform the employees (eg, about possible consequences under labour law or the possibility to consult legal counsel). The guidelines drawn up by the Federal Chamber of Lawyers for this purpose may serve as points of reference in this area; however, they are not binding.
Cooperation of employees during the investigation
Measures to encourage employee cooperation
There are several measures intended to encourage employees to cooperate during an investigation, in particular various amnesty or leniency programmes. For example, the waiver of employment law measures, the waiver of assertion of claims for damages and the assumption of the costs for the employee’s legal counsel and a guarantee of confidentiality. On the other hand, it is not possible to protect employees against potential investigations by public authorities. Rewards for whistleblowers are not common in Germany.
Setting up an internal leniency programme for employees is more common practice in antitrust investigations than in white-collar investigations. Nevertheless, the option to offer a leniency programme always has to be considered carefully. In appropriate cases, tailor-made programmes can significantly accelerate the investigation and improve its results. For example, in antitrust cases it would be very difficult, if not impossible, for the company to fully clarify the facts and successfully apply to the authorities for leniency without the full cooperation of its employees. Collusive behaviour usually takes place in a covert way, leaving little trace in the company’s documents and data – all the more so with regard to employees who have received antitrust and compliance training and are therefore fully aware of the illegal nature of their behaviour. Their testimony constitutes the key evidence that the company needs to secure a substantial cooperation bonus with the competition authorities. The company therefore faces the dilemma that it most likely will not be able to minimise the risk of financial sanctions by filing for leniency unless it offers its employees internal leniency to ensure their full cooperation, even though they deliberately violated the law and the corporate compliance programme. Therefore, companies usually try to limit internal leniency to what is strictly necessary to get sufficient cooperation from employees and balance it with the need to protect the credibility of its compliance programme. If senior management is involved in the alleged wrongdoing, the granting of internal leniency might need approval from shareholders or the supervisory board.
Data protection requirements for conducting investigations
Electronic devices and data
As far as personal data is concerned, privacy rules and data protection laws restrict investigations. The law provides for a balancing test between the legitimate interests of the company in sourcing the personal data and the privacy interest of the employee. According to this, a review of electronic devices or electronic data is only permitted if statutory law allows the review of personal data and the company’s interests prevail. According to German law, initial suspicion of a criminal offence, which is documented, constitutes a valid legal reason to review personal data. Further, the balancing decision must also be documented. The scope of the review in terms of subjects and data must be limited to what is strictly necessary for the purposes of the investigation. Furthermore, the review or use of personal data must be adequate and proportionate when it comes to achieving the intended results in the investigation. In cases where employees are allowed to use their email accounts and devices for private purposes, all private emails and documents must be screened out as the first step of the investigation and left unreviewed.
Sharing information internally
The company can use personal data for sharing information without obtaining prior consent from the data subject if it is necessary to safeguard legitimate interests of the data recipient, provided that there is no overriding interest of the data subjects in having their data excluded from the data transfer.
If the data recipient is situated outside the EU, one must establish that the country has been recognised by the EU Commission as having an adequate level of data protection. Otherwise, additional safeguards must be applied (eg, by entering into a data protection agreement on the basis of the EU model clauses).
Sharing information externally
With regard to authorities in Germany and other EU member states, the company is entitled to share personal data if it is either obligated under statutory law to disclose the data in question or if it has at least a legitimate interest in sharing the data in question that is not overridden by conflicting interests of the data subject. Data transfers to public authorities in non-EU member states that have not been recognised by the EU Commission as having an adequate level of data protection are permissible only if an exception pursuant to article 49 of the General Data Protection Regulation applies (eg, if the transfer is necessary for the exercise or defence of legal claims).
Electronic data in civil lawsuits
The disclosure of personal data for the purposes of a civil law suit is permissible under the same prerequisites that apply to the sharing of data with public authorities.
Dealing with public authorities during investigations
Informing public authorities
There is no legal requirement to inform public authorities about a planned or ongoing investigation. However, particularly in cases where public authorities have already initiated proceedings against the company, it is advisable to inform the relevant authorities and coordinate the investigation (especially interviews with employees) with them to ensure that official investigations are not jeopardised and avoid negative consequences for the company.
Disclosure and self-reporting
Management and the company are generally not obliged to disclose and self-report suspected corporate compliance violations to public authorities. However, a reporting obligation can exist in the following cases, inter alia:
- serious criminal offences (eg, robbery and blackmail by using force against a person or threats of imminent danger to life or limb, but not in cases of typical compliance violations like bribery, fraud, embezzlement and abuse of trust);
- factual circumstances that indicate that the assets or property connected with a transaction or business relationship are the product of money laundering; and
- where a taxpayer realises after the fact (before the period for assessment has elapsed) that a tax return submitted by or for him or her is incorrect or incomplete.
In Germany, there is no legislation that expressly address the attorney–client privilege and the protection of documents created in the course of investigations. However, according to current draft bills, legislation of this kind may be introduced in the future.
In the meantime, whether such documents can be seized has to be assessed based on the provisions of the Criminal Procedure Code and the relevant – inconsistent – case law. Generally, whether work products of investigations are subject to seizure has not been established for certain. As a rough guide, the following may apply.
- If proceedings are initiated against the company or if the company becomes involved in criminal proceedings before the investigation opens, the work products are probably not subject to seizure (however, in practice, the prosecution often orders the participation of the company at a very late stage of the proceedings).
- Some regional courts have confirmed that documents are protected against seizure if criminal proceedings have not yet been opened against the company, but are likely to be in the near future. According to the German Constitutional Court, it is not imperative – with respect to the German Constitution – to guarantee the protection of documents against seizure in cases where criminal proceedings are only foreseeable. However, the court finds it acceptable to confirm protection against seizure where objective criteria suggest that the company may become involved in the criminal proceeding. However, the details of the criteria that must be applied for this are unclear. Moreover, in practice they are interpreted very restrictively, so that the vast majority of relevant court rulings result in documents from an investigation being seized.
- In all other cases, the prevailing opinion has it that work products of investigations are subject to seizure.
Strategies to de facto limit searches and seizures
The most effective method of de facto limiting searches and seizures is to cooperate with the authorities and establish a relationship of trust. Within the scope of cooperation, the company can, for example, offer to conduct an investigation and share the results (or at least some of them) with the authorities. If the authorities ask for specific documents, these can be selected and voluntarily handed over to the authorities.
Cooperation with public authorities
German antitrust law provides guidelines as to how cooperation by the defendant will be considered by the investigation authority in its decision. No other areas of the law provide for comparable rules. Thus, the extent to which cooperation is rewarded in the setting of the amount of a fine is a matter for the discretion of the investigating body – or, later on, the deciding court.
In practice, when determining the amount of a regulatory fine or issuing an order for confiscation, German public prosecutors usually take into account a company’s cooperation with the authorities in the form of an investigation of the facts and a subsequent disclosure of the findings. For companies that cooperate, the sanction is regularly significantly lower. According to a recent Federal Court of Justice judgment, the authorities have to consider the efficiency of the compliance management system in place in the company and its efforts to optimise this and remedy existing shortcomings in the aftermath of a compliance violation as mitigating factors when calculating a fine.
Only antitrust authorities restrict access to their files for such interested third parties, whereas prosecution authorities and authorities in administrative offence investigations are obliged to provide access to the files for anybody who can claim a ‘legal interest’ (eg, as a victim of the offence).
Disclosure of critical information in case of a settlement
Under German procedural rules, a settlement only occurs in the form of a ‘negotiated’ order issued by the public prosecution authorities or the courts. The order will focus on the fine and on the disgorgement of profits. A settlement in the form of a deferred prosecution agreement or a non-prosecution agreement is currently not possible.
New laws (eg, the Anti-Money Laundering Act and laws regulating the financial industries) provide for disclosure rules and a ‘naming-and-shaming’ approach if an administrative fine is imposed. However, in the field of criminal convictions, disclosure of this kind is limited by data protection laws and sometimes it can be negotiated with the authorities that the settlement and the issue remain confidential.
In corruption and antitrust proceedings, inter alia, fines can be entered in public procurement registers, even if they were imposed as part of a settlement. This may also provide information on the procedure to those entitled to inspect the registers.
Draft bill for introducing corporate criminal liability in Germany (Corporate Sanctioning Act)
The Grand Coalition had already agreed in the coalition agreement of 12 March 2018 on an amendment of the laws governing the sanctioning of companies in order to ensure ‘that white collar crime is effectively prosecuted and appropriately sanctioned’. However, the legislative process is not yet complete. It is possible that the Corporate Sanctioning Act could be enacted and promulgated in summer 2020. Pursuant to the current draft bill, the new law would then enter into force on the first day of the quarter two years after the promulgation. According to the explanatory memorandum, this two-year period is meant to give the companies sufficient time to adjust to the new provisions. In particular, companies should be able to examine their internal procedures and take any (further) compliance measures that are necessary.
The Corporate Sanctioning Act will introduce corporate criminal liability for business-related criminal offences. It will significantly change the landscape for compliance and internal investigations in Germany. The Corporate Sanctioning Act is intended to enhance enforcement against corporations for business-related crimes, facilitate appropriate punishment of criminal offences related to corporations, promote internal investigations and incentivise investment in compliance.
It is possible that details of the draft bill could still be amended in the course of the legislative process. Nonetheless, the essential key points of the draft bill will most likely remain as they are as follows.
- The range of fines for companies will be increased considerably from the present maximum of €10 million to up to 10 per cent of the group’s global turnover. However, there is apparently still no determination system with specific criteria (eg, like in antitrust law the amount of the turnover achieved from the infringement) to guide the procedure of assessing fines within this very broad framework of sanctions. An additional disgorgement or confiscation would still be possible.
- In future, the principle of mandatory prosecution will apply for investigations of companies. Unlike the present law on administrative offences, if a reasonable suspicion of company-related criminal offences exists, the investigating authorities will no longer have any discretion to decide whether to initiate an investigation of a company.
- The draft states in its explanatory memorandum that the results of internal investigations can be seized in any case if the company has not (yet) been accused of an offence by the investigating authorities, pulverising legal privilege to a large extent in the context of internal investigation.
- The draft bill provides for a reduction in penalties imposed on companies if it has initiated internal investigations. However, to qualify for such reduction, the internal investigation must meet the following criteria:
- the internal investigations must make a ‘material contribution’ to clarifying the corporate misconduct;
- the internal investigations must be ‘independent’ and not conducted by the company’s defence counsel;
- the company must cooperate ‘continuously and unrestrictedly’ with the prosecuting authorities;
- the results of the internal investigations, the essential documents and the final report on the internal investigations ‘must be disclosed’ to the prosecuting authorities;
- the internal investigations must be conducted in compliance with fair trial principles, in particular:
- before being interviewed, employees must be informed that the information they provide may be used against them in criminal proceedings;
- interviewees must be given the right to retain their own lawyer or have a member of the works council present during the interviews and be informed of this right before being interviewed; and
- interviewees must have the right to refuse giving evidence if the response to such questions would otherwise expose them or their relatives to prosecution for a criminal or regulatory offence, and the interviewees must be informed of this right; and
- the internal investigations must be conducted in compliance with the applicable laws (in particular complying with GDPR requirements) and documented appropriately. However, the new law will not require companies to voluntarily self-report corporate misconduct, although of course self-reporting – as already practiced today – will result in significant credits when setting the fine.
- Under the draft bill, the prosecution offices will take preventive compliance measures into consideration when deciding which sanctions are appropriate. There are basically two sanctioning procedures: a fine and a warning. The previously discussed possibility of liquidating a company, however, is not to be included in the new law any more.
- Warning the corporation, while reserving the right to impose penalties, will only apply if it is expected to be sufficient to avoid any future corporate misconduct. Pursuant to the draft, this will in particular be of interest if the criminal offence in question was an ‘outlier’ (according to the explanatory memorandum of the draft) and the corporation is taking, or has taken, compliance measures to avoid similar misconduct in the future.
- Following the US, UK and France, the draft bill will introduce the position of a ‘compliance monitor’ in order to enable ‘deferred prosecution’. The court orders the corporation to pay the reserved financial penalty if a corporate crime is committed during the reservation period and thus the expectations of the reservation were not met, or if the corporation grossly or persistently violated conditions and instructions.
- If a criminal offence is committed outside of Germany, German prosecution authorities will have jurisdiction, provided that the corporation has its registered office in Germany, the misconduct would be considered a criminal offence under German law and under local law. The new law will not introduce a ‘long-arm jurisdiction’ as established under the US FCPA or the UK Bribery Act, since its scope will be limited to corporations with registered offices in Germany.
- The draft bill will also address the issue of double jeopardy. It provides that German authorities have to take the penalties imposed by foreign prosecuting authorities into account when setting a penalty to avoid double jeopardy. This is a welcome provision given that the principle of ‘ne bis in idem’ is not applied outside the EU. Against the background of increasing international cooperation between prosecution authorities, this would be a highly appreciated provision.
- In the future, final decisions on imposing penalties or fines on corporations are to be entered into a register kept by Germany’s Federal Ministry of Justice. However, only public authorities and courts are set to receive unlimited access to the register, and only upon express request.