Stand: April 2026. Conducting an internal investigation in Germany is considerably more complex than in the United States or the United Kingdom. Three areas in particular create obstacles that international companies frequently underestimate: data protection law, labour law — and the near-total absence of legal privilege.
No Legal Privilege for Corporate Counsel in Germany
This is arguably the most critical difference from common law systems. German law does not recognise broad legal privilege. The German Code of Criminal Procedure protects communications only between an individual defendant and their defence counsel (Strafverteidiger). Legal advice or work product prepared by external counsel for corporate clients is generally not protected from seizure.
In-house lawyers receive no privilege at all under German law. When prosecutors execute a search warrant, internal legal memoranda and counsel opinions may be subject to seizure.
Key implication: In cross-border investigations, it is essential to assess which jurisdiction’s privilege rules apply before generating any written work product. Documents created under US or UK attorney-client privilege may receive greater protection.
GDPR Constraints on Data Collection
Before reviewing employee emails, devices or communications, companies must conduct a prior assessment of the legal admissibility under the GDPR and the German Federal Data Protection Act. The collection of personal data during an internal investigation is permissible only if:
- there are concrete factual indications supporting a suspicion that an employee committed a criminal offence within the employment relationship;
- processing is necessary to investigate the offence; and
- the employer’s legitimate interests prevail in the individual case.
Employees whose data is processed must generally be informed — unless notification would jeopardise the investigation (which is frequently the case). Data minimisation applies throughout: as little personal data as possible should be processed.
Where personal data is transferred to external advisers or counsel, a data processing agreement must be in place. Transfers outside the European Union require a valid legal basis under the GDPR, such as Standard Contractual Clauses.
Labour Law: Works Councils and the Two-Week Rule
Where a works council (Betriebsrat) has been established, it must be involved in the investigation process — particularly where measures affecting employees are contemplated. This significantly constrains the pace and scope of an investigation.
If the investigation leads to a conclusion that employment termination is justified, the employer must act within a strict two-week deadline after gaining knowledge of the relevant facts. Missing this deadline renders the termination ineffective.
Coordination With Authorities
German corporate management is legally obliged to investigate any reasonable suspicion of non-compliance and to take proportionate remedial measures. Where public prosecutors or regulators are involved, it is often advisable to coordinate the internal investigation with the authorities. While there is no obligation for authorities to cooperate, coordination is common — and in some cases expected.
Voluntary cooperation may result in suspension of administrative fine proceedings against the company, though it does not eliminate the risk of individual criminal liability for employees.
Practical Checklist for Cross-Border Investigations in Germany
- Assess privilege risks before generating any written work product
- Conduct a GDPR assessment before reviewing employee data
- Notify or consult the works council where required
- Establish a data processing agreement with external counsel
- Identify the two-week termination deadline early
- Consider whether MLAT procedures are needed for cross-border data transfers
