Internal compliance investigations are now part of everyday life at many companies. If allegations are made against employees, external law firms or internal investigators are often called in to examine the facts of the case and record their findings in a report. But what happens if an affected employee wants to know what information has been collected about them? Can they request the full report or at least receive a copy of it? The Munich Higher Labor Court (LAG) dealt with precisely this question and established important guidelines on the right to information under data protection law in accordance with the GDPR (LAG Munich June 12, 2025 – 2 SLa 70/25).

The background

A senior manager had been working for her employer since 2015. While she was on parental leave, an ombudswoman received complaints about her management behavior (intimidating, disrespectful). The company then conducted an internal compliance investigation. The final report produced in the process also served as the basis for the employer’s intention to dismiss the employee. The employee then demanded that the employer hand over a copy of the compliance report or at least allow her to inspect it.

What are compliance investigations and internal investigations?

Compliance investigations, also known as internal investigations, are a company’s internal investigations into suspected breaches of regulations. This can involve a wide variety of allegations, such as discrimination, abuse of power, corruption, fraud or breaches of internal guidelines. The investigations are often based on information from a whistleblower system or internal complaints. At the end, there is usually a written report that summarizes the facts, evaluates statements and contains legal assessments. These reports almost always contain personal data – both about the accused person and about witnesses or whistleblowers.

The right to information under the GDPR

According to Art. 15 of the General Data Protection Regulation (GDPR), every person has the right to know whether and which personal data about them is being processed. In principle, this also includes the right to receive a copy of this personal data. In practice, this right has increasingly been used by employees to request full compliance reports, particularly when they want to defend themselves against measures under employment law such as warnings or dismissals.

The Munich Higher Labor Court has now clarified that this right to information has limits. The decisive factor is not the document as such, but the content: only the personal data of the data subject is protected, not the entire report as a unit. The purpose of the right of access is to provide data subjects with an overview of the data concerning them. To this end, it is generally sufficient if the contents are communicated to them or made available for inspection. A right to complete copies only exists if mere inspection is not sufficient to effectively protect the rights of the data subject.

In the present case, however, the court held that it was sufficient for the plaintiff to be given access to the report. In this way, she was able to understand what information was available about her and for what purpose it was being used. In the opinion of the court, the plaintiff did not sufficiently explain why a copy of the entire report was necessary for the exercise of her rights.

Furthermore, the employer’s objection that the compliance report and its contents were protected as business secrets was not convincing. A type of “concealed personnel file” is not permitted under employment law. Information that is part of the personnel file in terms of content cannot be shielded from the employee concerned as a business secret.

Redactions to protect whistleblowers and witnesses

However, the right to information must be restricted if the rights and interests of third parties are affected. The employer may therefore redact certain passages in the report. This is particularly necessary if the persons who provided information or testified as witnesses would otherwise be recognizable. If they have been promised anonymity, the employer must keep this promise. The employer may therefore only include the part of the report in the personnel file that does not reveal the identity of these persons.

The employer is also not required to show legal assessments from the law firm that conducted the investigation. According to the court, these assessments are not part of the employee’s personnel file because they are not directly related to her employment relationship.

The following was also important for the court: Compliance investigations only work if whistleblowers and witnesses are not afraid of consequences. This is why all information that allows conclusions to be drawn about other persons may be made unrecognizable. However, the employer cannot simply invoke the protection of other persons in order not to disclose anything at all. They must check exactly which parts can be shown and which must be blacked out in order to protect the rights of all parties involved.

Significance for practice in companies

For companies, the ruling means that they should review their internal processes. Compliance reports should be clearly structured and separate personal data from legal assessments as clearly as possible. This makes it easier to comply with requests for information at a later date without unnecessarily disclosing sensitive information. At the same time, the ruling shows that employers are not obliged to publish internal investigation reports in full, which strengthens the functionality of compliance systems.

Effects for employees and those affected

The ruling is also important for employees. It confirms that they have a right to transparency and are entitled to know what personal data about them has been processed as part of a compliance investigation. At the same time, they must accept that this right does not extend as far as receiving complete internal reports. Anyone requesting access should therefore state specifically what information concerns them and why it is relevant to them.

Key message: Clearer limits to the GDPR right to information

The ruling of the Munich Higher Labor Court thus creates more legal certainty in the area of conflict between data protection, labor law and compliance. It strengthens employees’ right to information, but sets clear limits on the right to copies of internal investigation reports. Companies must create transparency, but are allowed to protect sensitive internal documents and the interests of whistleblowers. The following applies to both sides: the right to information under Art. 15 GDPR is an important instrument – but not a free pass for unrestricted access to documents.

Read also: Employment law meets data protection – What employers and employees should know | Judgment in full text: LAG Munich, June 12, 2025 – 2 SLa 70/25