Employee data protection in the event of criminal offenses

von Carolin

If an employee is suspected of committing a crime, this presents a company with major challenges. Important points must also be observed in internal investigations with regard to employee data protection.

Detection of criminal offenses

In any company it can happen that employees are suspected of committing a crime. The facts are seldom so clear that the employee walks out of the office with the computer under his arm and is caught red-handed.

Often there is only a suspicion against an employee in the room. However, the known information would not be sufficient to justify legal action or to finally prove the innocence of the employee.

Processing of personal data

In order to gain clarity on how to proceed in such a situation, it may be necessary to conduct internal investigations against employees. Nowadays, there are hardly any cases in which the processing of personal data of the respective employee plays no role.

A good example of this is working time fraud. In order to come to a decision under labor law, at least the record of the alleged hours worked must be viewed. In addition, data from the locking system and video surveillance or the use of a detective may be evaluated.

Requirements for a lawful investigation

But is this type of data processing even permissible with regard to employee data protection?

Section 26 (1) sentence 2 provides a framework for balancing the employer’s interest in a complete clarification of the facts and the maintenance of the employee’s right to informational self-determination in such cases. The processing of personal data is therefore always permissible if:

  • There is a suspicion of having committed a criminal offense or other serious misconduct.
  • This suspicion is based on actual evidence, which must be documented before the investigation.
  • The processing is necessary to uncover the criminal offense or serious misconduct.
  • And the data processing is not disproportionate to the reason for the processing.


Overall, it can be said that investigations are only allowed if facts justify suspicion and the specific investigative acts are not disproportionate to the suspected act of the employee. Therefore, the more serious the suspected act, the more profoundly one can investigate.


Do you have any questions on this subject? Call us on 08505 919 27-0 or fill out our contact form. We are happy to help!


Carolin verfügt als geprüfte kaufmännische Betriebswirtin über mehrjährige Berufserfahrung im Bereich Datenschutz und behält den Blick fürs Ganze. Ihre Erfahrungen aus dem kaufmännischen Bereich verknüpft sie bereichernd mit ihrer Qualifikation als TÜV-zertifizierte Datenschutzbeauftragte. Die praktische Umsetzung der DSGVO, individuelle Lösungsansätze für Unternehmen sowie Datenschutz im Gesundheitswesen sind ihre Spezialgebiete. Ihre Tätigkeitsschwerpunkte liegen in der Erstellung von Konzepten, Prozessoptimierungen sowie der praxisnahen und lösungsorientierten Umsetzung des Datenschutzes in Unternehmen.