SWEDEN Law and Practice Contributed by: Robert Stromberg and Malin Dunér, Advokatfirman Cederquist KB
2.3 Confidentiality Agreements and NDAs The parties involved in an investigation may be asked to sign confidentiality agreements and non-disclosure agreements (NDAs), but they are not obligated to sign them. Such requests are not common in Sweden, and there is no sanction against such parties if they refuse. It is recommended that the parties involved be asked to exercise the utmost discretion and keep all information confidential in relation to the investiga - tion. Employees are bound by a duty of loyalty, which means that they may not disclose confidential infor - mation from the business, and they shall adhere to their employer’s instructions. It should be noted that an employee reporting any misconduct or other circumstances that give rise to the opening of an internal investigation generally has the option of remaining anonymous. Such anonymity is possible in relation to any accused individual, but not in relation to the investigator. It may, however, be difficult to maintain anonymity in practice, as state - ments can be directly linked to a reporting individual or witness. If employees refuse to participate for other, non-legitimate reasons, they should be informed of their obligation to follow their employer’s instructions; otherwise, it may constitute refusal to work. 2.4 Preliminary Investigation and Scope- Setting It is possible, and in fact recommended, to conduct an initial investigation, for example to explore the sub - stance of the allegations made, determine the process and format of the investigation, and assess whether it is necessary to take any other adequate investiga - tory measures. A preliminary investigation can also be used to assess compliance with certain time require - ments, such as the requirement for urgency under the Discrimination Act (2008:567) or the requirement for confirmation of receipt and follow-up within a certain timeframe under the Whistleblowing Act (2021:890). The Employment Protection Act (1982:80) imposes requirements that any termination or summary dis - missal may not be based solely on circumstances that were known to the employer more than two months before notice of termination or summary dismissal was given. A preliminary investigation or equivalent measure is generally conducted.
allegations – ie, the respondent – should be notified as soon as the allegations are substantiated. Additionally, Regulation (EU) 2016/679 (the General Data Protection Regulation; GDPR) stipulates a gen - eral right to be informed of the collection and process - ing of personal data, including in connection with an investigation (Articles 12 and 13). However, such infor - mation will, in most cases, already have been provid - ed to the employees through the employer’s privacy notice and, as such, no specific information needs to be provided to the reporter and/or the respondent in connection with an investigation. 2.2 Communication to Authorities There is rarely an obligation to report circumstances in connection with the opening of an internal HR inves - tigation. However, there are certain situations where such an obligation may exist. • The Work Environment Act (1977:1160) requires the reporting of serious workplace accidents and/or incidents. Specific examples include an employee who has been physically injured in the workplace, or who has attempted to harm themselves as a result of victimisation or bullying in the workplace. Such reports must be made to the Swedish Work Environment Authority. • For employers within the financial sector, there may be an obligation to report any issues relating to, for example, money laundering, to the Swed - ish Finance Police, as stipulated in the Money Laundering and Terrorist Financing Prevention Act (2017:630). There may also be further reporting obligations for public employers – eg, grievances in relation to healthcare. For information about police reports, see 8.4 Criminal Cases . • If, in connection with an internal investigation, a personal data breach has occurred – ie, a security incident that leads to unauthorised disclosure of or unauthorised access to personal data – there is an obligation for the employer (if they are the data controller) to report this to the Swedish Author - ity for Privacy Protection in accordance with the GDPR (Article 33).
361 CHAMBERS.COM
Powered by FlippingBook