Compliance is a multi-layer, multi-sector concept, which can be defined as conduct by a company and its employees that is lawful and consistent with internal corporate rules.
Thus, the process of closely examining job applicants, especially for C-level positions, prior to their appointment is crucial. However, this preliminary research and any internal investigations should not cross certain limits, or they may be classified as illegal or unethical.
Preliminary research and related limits
Preliminary research aims to confirm the information contained in the candidate's documentation, as well as to provide additional data regarding reputation, social status, contacts, etc. In this regard, the limitations imposed by the Personal Data Protection Act ("PDPA") should be taken into consideration. The employer may collect personal data about the applicant only if the type of personal data collected is connected to the purpose of the processing and is collected for a particular reason, i.e., hiring an applicant for a specific job. The employee must be aware of and have consented to the conduct of this preliminary research (preferably in writing).
Additional personal information may be collected from social networks, online publications, blogs, forums or direct inquiries to former employers or educational institutions. While information that is publicly available, whether on social networks like LinkedIn and Twitter or in online editions of newspapers, may be lawfully collected and processed, the issue related to Facebook is not that simple. In the event that the applicant has chosen to protect the information published on this social network by applying restrictive visibility settings (for example, visible only to his friends), the employer cannot legally collect such information. The employer must also comply with the prohibition on processing personal data that reveals racial or ethnic origin, religious or political beliefs, and health or sex life.
Immediately after taking the decision not to appoint a candidate, the employer is obliged to destroy the collected personal data. Preparing and storing "black lists" of rejected candidates for the sole purpose of avoiding the processing of subsequent applications from these candidates is unlawful.
An even more delicate issue is the conduct of internal investigations by an employer in cases of suspected abuse. The internal investigation is a complicated process that confronts employers with multiple factors: from processing the initial signal of abuse, through deciding to initiate an investigation and coordinating it at management level, to planning and executing the investigation so as to effectively clarify the situation and manage any financial and reputational effects. Proper integration of employees in this complex process is an integral prerequisite for an in-house investigation that is both effective and "compliant".
The role of employees in misuse detection
One of the most important resources that employers rely on in uncovering internal misuse is their employees. A key factor is the staff's insider knowledge of the network of suppliers and external consultants with which the company operates. Therefore, analysing the situation through the eyes of the employee helps to establish internal corporate policies that motivate employees to become a true corrective against abuses.
Generally, a "compliant" employee should report any detected offenses; however, the disclosure of abuse may put the employee at risk of losing his job or becoming subject to "settling a score". Developing a so-called whistleblowing system is one of the instruments companies use in looking for an answer. The term originates from English practice and means the conscientious reporting of abuse. Such systems aim to provide confidential, secure and reliable processing of the personal data of the employee who filed the signal and of the signal itself. Whistleblowing systems may be established as internal corporate units or outsourced to external consultants.
There is no special legal framework for cases of whistleblowing in Bulgaria. However, when special whistleblowing systems are established and maintained, the PDPA should be observed. Proper implementation and operation of whistleblowing systems show that whether your employees are "compliant" depends on whether there are internal company conditions predisposing the "compliance" of employees.
Limits of the internal company investigations
It is questionable to what extent an employer may lawfully compel employees to participate and provide information when conducting internal investigations. As there is no explicit legislation in this area, employers would be taking a very uncertain path if they introduced such an obligation in the job descriptions of their employees or in the internal work regulations.
Interrogation of employees is usual practice in internal investigations. Moreover, rapid technological progress tempts employers to use alternative methods such as "lie detectors". Employees can undergo a lie detector test only after giving their written informed consent. It is difficult to prove, however, whether such consent is given voluntarily, considering that the employer-employee relationship is based on hierarchical subordination. Using technologies like the polygraph is a serious invasion of employees' privacy. In accordance with the labour law, the results of such a test do not justify disciplinary liability or discharge from employment.
Common practice in internal investigations also includes review of employees' electronic correspondence. It should be taken into account that personal electronic communication is inviolable unless a court decision rules otherwise. At the same time, the employer has the right to read business emails without the permission of the employees. However, when office e-mail is used for the purposes of internal investigations, a balance should be sought between the interest of the employer and the employees' right to privacy. When the office mail contains correspondence of a personal nature, there is a risk that the employer violates the constitutionally guaranteed rights of the employee by revealing personal information. If the employer is planning to examine the office email of employees in view of any internal corporate investigations, it should first explicitly prohibit the use of the email for personal purposes. Such a ban can even be provided in the internal rules of the employer or in a separate order.