Internal investigations in Croatia must not violate employee "dignity" and personal data protections 


Whistleblower series: Croatia

With the passage of the Croatian Act on the Protection of Persons Reporting Irregularities, which came into force before the 2019 release of the EU's Whistleblowing Directive, Croatia established itself as a pioneer in corporate internal investigations - or at least it might look like that at first sight.

But this law, based on early proposals for the EU's Whistleblowing Directive, has been criticised for being vague in key areas, which has created some uncertainty surrounding the legal foundations for conducting internal investigations in the Croatian business community. Furthermore, when conducting in-house inquiries, companies must ensure that they do not violate national laws protecting employee "dignity" and personal data.

Employee dignity

Croatia protects the "dignity" of employees by virtue of the law. Applicable to all companies employing 20 employees or more, the central feature of these regulations is the appointment of an official authorised to receive and act on alleged violations of workers' dignity. This official – together with the employer himself – is obliged to investigate all allegations within eight days after receiving evidence of violation of employee dignity and must implement all "necessary and appropriate measures" to stop further harassment, particularly if it is workplace harassment of a sexual or bullying nature.

Necessary and appropriate measures

An employer is under no obligation to consult the union or works council when appointing an official for protection of employee dignity.

The employer, however, is obliged to move expeditiously to ensure a safe and secure working environment, which, depending on each individual case, may entail – in cases of harassment – changing the work schedule and hours of employees in order to separate the victim and the alleged perpetrator while the investigation is ongoing. A position change of this kind is unlikely to include a demotion where an employee receives a lower salary since Croatian law requires employee consent before this can occur.

Croatian law affords employees other rights that an employer should keep in mind. After informing an employer that his rights have been violated, a Croatian employee can also file a complaint with the courts if he believes that his employer is not doing enough to stop workplace harassment.

Under what is called the "Eight Plus Eight" rule, an employee has eight days to petition for a court action should a company fail to act within the eight-day deadline after a complaint has been filed.

An employee can also refuse to continue work until protection is guaranteed, provided that he asks for protection from the competent court within the next eight days. He is also entitled to be paid while off the job. If – in the end – it is proven that the misconduct charge was unfounded, the company is entitled to be reimbursed for the salaries paid to these employees, and any accompanying interest.

Employee protections

As in all EU countries, Croatian workers enjoy the protection of their personal data. Any internal investigation launched by a company must ensure the confidentiality of employee information. Companies can be fined between EUR 4,133 and EUR 8,000 and responsible individuals within the companies between EUR 533 and EUR 800 for violations.

As for the individuals filing misconduct allegations, the Croatian Act on the Protection of Persons Reporting Irregularities offers Whistleblowers certain safeguards, although critics argue that this law – drafted before the passage of the EU's 2019 Whistleblowing Directive – is vague on key points.

Although the law applies to employers in both the public and private sector, it is not clear how the regulations apply to smaller firms of under 50 people. Although not obliged to do so by law, companies of fewer than 50 people may choose to have an internal investigation system, but the law is unclear on whether or not they must adhere to the Act.

It is also not clear how the law applies to large foreign-owned companies whose local offices may have fewer than 50 employees.

The law does regulate a reporting chain for corporate misconduct: internal reporting (within the company), external reporting (to outside authorities) and public disclosure (through media reporting).

According to the law, a company employing 50 or more employees must draft and implement procedures for receiving allegations of misconduct and responding to them. It must also designate a commissioner and a deputy who are responsible for receiving these reports and leading any investigations.

This may be problematic for some companies since – according to Croatian labour law – employees cannot be forced into accepting this position. Hence, filling this post is not always easy, but if a company fails to do so, it is liable to receive penalties from the competent authorities.

Once the commissioner's position is filled, he and his deputy are responsible for receiving reports of misconduct, examining the cases, taking immediate action to protect the Whistleblower (i.e. the person filing the report), and referring the charge to the competent authorities should the company prove unable to resolve the issue internally.

In this regard, the law also contains a notable inconsistency. According to the Act, a company cannot interfere with the work of its duly appointed investigations commissioner. Yet if a commissioner fails to respond to a report in a timely and responsible manner, the company is liable.

Although the law encourages misconduct reports to be resolved internally, external reporting channels, such as the ombudsman, or public exposure (i.e. direct appeals to media) are recommended if the issue at hand concerns a threat to health, life and safety; if there is a threat of significant damage; if there is a risk that evidence may be destroyed; if the company in question has no working internal-reporting system; if the Whistleblower is no longer affiliated with the company he intends to file a report about; or if irregularities and concerns exist regarding the company's internal reporting system.

The problems with these regulations are obvious. Although Croatian law urges Whistleblowers to act in good faith, providing individuals with a legal license to take misconduct charges to the media creates the risk of disgruntled employees using this opportunity to bring false charges against a company in the press.

Non-compliance with this Act can lead to fines of between EUR 133 and EUR 6,666 for employers; between EUR 133 and EUR 4,000 for competent officials within the companies; between EUR 400 and EUR 4,000 for malicious Whistleblowers issuing false reports; and between EUR 400 and EUR 4,000 for other competent persons and their deputies.

Conducting internal investigations

If a company receives a report or uncovers evidence of misconduct, it is obliged to investigate. When investigating its employees, companies must take care when managing personal data. Under Croatian law, employee personal data can only be processed when there is a valid reason to do so. To this end, companies of 20 employees and larger are required to draft employment by-laws that specify exactly the employee data that will be processed in this situation, particularly in regard to sharing this data with third parties. Companies with 20 people or more are also required to appoint a data protection commissioner, who must be privy to (and in some situations oversee) any personal data collection connected to an investigation.

In addition, no piece of employee personal data can be processed without the permission of the company's works council provided that the employer has adopted the employment bylaw regulating the processing of employee personal data and that the works council has granted its consent. Note that the works council will not have to give its prior consent for each specific processing activity, which is an additional reason for drafting the employment bylaw in as much detail as possible.

In terms of the investigation itself, it can be conducted only by the employer or a person specifically authorised by the employer. If the investigation is conducted by a third party, the employer should issue specific authorisation to perform data processing activities to an external provider prior to the commencement of the audit or investigation.

It is extremely important to determine if there is sufficient legal basis to conduct an investigation (i.e. to process employee data), such as indications of harassment, the breach of a non-compete clause, commission of a crime or the disclosure of trade secrets. And to determine whether the basis for the inquiry is legitimate, the purpose of the investigation should be clearly identified and it should be considered if there are alternatives to the processing of employee data. In short, it should be judged whether the allegations brought forward entail sufficient risk to the company's legitimate interests to warrant the processing of employee data.

Not only should a company conduct a "legitimate interest assessment", this test needs to be clearly documented for later reference.

Performing this assessment will help define the detailed purpose and objective of the investigation, which from a legal point of view must be followed at all costs.

With a clear purpose established, an investigation strategy that is the least intrusive regarding the processing of employee data needs to be determined. What investigation techniques can be employed? Options include conducting interviews of employees, including both the target of the investigation and witnesses, inspecting employee communications, such as scanning emails, etc.

From a data protection point of view, the interview process is the least intrusive, if conducted lawfully. This means that interviewers must only ask questions directly pertinent to the objective of the investigation; and interviews themselves cannot be recorded either by audio or video unless the interview subjects give their explicit consent.

Scanning emails is more problematic from a data protection point of view. Employers can only inspect business email accounts and where possible should restrict their searches to email logs (i.e. when and to whom emails were sent). Only if the email log raises high suspicions that inappropriate communications took place can an employer read the "context" of the email.

Lastly, for companies that are part of international corporate groups, rules apply to the transfer of investigation data to other offices outside of Croatia. Such transfers are not forbidden, but when doing so all EU General Data Protection Regulation (GDPR) tenets must be followed.

Also note that companies can protect themselves by implementing bylaws in areas in which misconduct most often occurs. To protect trade secrets, ensure that all sensitive business information is labeled as such in a proper way and that any intelligence is closely guarded. Employment contracts should include sharply defined non-compete clauses and all obligations associated with these clauses must be fulfilled. And companies must establish a definite time period for the storage of employee personal data (e.g. archived emails) and ensure that data is not retained after this deadline.

In conclusion, despite vagaries in the current legislation, Croatia-based companies can employ internal investigations to protect themselves against risks. But care must be taken when drafting bylaws for these procedures and carrying them out.