Corruption and other illegal practices have always been a major concern for international corporations doing business in Ukraine.
Such corporations often initiate comprehensive internal investigations to confirm compliance by key personnel and the company as a whole with anticorruption requirements, including the Foreign Corrupt Practices Act (FCPA), trade regulations and restrictions, and relevant internal regulations. A common problem during such investigations is maintaining the right balance between the scope of the information which needs to be reviewed and the privacy of the employee.
In Ukraine an employer must receive prior written consent from the employee to process any of that employee’s personal data. Under normal circumstances, this does not create any problems, since employees usually provide a broad consent to process their personal data for the employment purposes on the first day of employment.
The situation is different with internal investigations. Lawyers and employees within a company’s compliance department usually require a very broad scope of information, including corporate and personal email correspondence and correspondence performed via electronic devices, along with various documents, notes, and contracts. In some cases, moreover, this information must be transferred to third parties, such as the compliance department of the parent company, external consultants, or state authorities. The consent which employees provide on their first day of employment rarely covers processing such a broad scope of information for such a specific purpose. Therefore, the employer has to obtain a new, broader consent from the employee when an investigation is pending, which can be quite difficult – or downright impossible – if the employee has something to hide.
To avoid this situation, we recommend asking each key employee to sign a very broad consent to process his or her personal data as early as possible, well before an internal investigation is even on the agenda – preferably on the first day of employment. This consent must expressly allow the employer to process corporate and private correspondence, correspondence through corporate devices, and any documents, notes, files, archives, and operations of the employee, to store such information, and to transfer it abroad. Such consent should also indicate that the employee’s personal information may be processed by the employer, its affiliates, external consultants, and state authorities for the purpose of internal or external investigations.
It is very important to remember that in Ukraine the analysis of correspondence requires the consent of all parties to the correspondence. In practice, it is almost impossible to obtain all necessary consents. To mitigate possible risks, we recommend that the analysis be structured in a way that will keep the number of potential violations to a minimum. One way to do that is to cypher the personal details of the correspondence, starting with replacing the name of each party to the correspondence with a specific code prior to analyzing it, which will allow the analysis to be made without violating the privacy of the parties. After the analysis is completed and the employer has determined the scope of the correspondence which may be relevant to the investigation, the employer may then request the names of the parties to the correspondence and their consent to analyze it.
Another common problem during internal investigations is that Ukrainian law prohibits the transfer of personal data to countries which do not provide a sufficient level of personal data protection. The USA is one such country. Therefore, the transfer of personal data of Ukrainian citizens to the USA is, formally, prohibited. At the same time, state authorities, working in cooperation with the American Chamber of Commerce in Ukraine, have reached an agreement to work around this restriction. To transfer an employee’s personal data from Ukraine to the USA, a Ukrainian company must enter into a personal-data transfer agreement with the US company. Such agreement provides for a broad set of undertakings on the part of the US company to ensure the safety of the personal data to be transferred. Having such an agreement does not entirely remove the risks which can arise from the transfer of personal data from Ukraine to the USA, but it definitely mitigates them.
Currently, internal investigations in Ukraine are associated with many difficulties and require careful structuring to avoid exposure to administrative, civil, or criminal liability. At the same time, the most recent draft of the new labor code permits an employer to use technical means to control compliance of employees with their labor duties, subject only to the prior notification of the employees. If passed, it will be a substantial improvement for employers who wish to conduct internal investigations in Ukraine.
