How to Conduct an Internal Investigation in Germany (2026): Privilege, Works Council, Dawn Raids, Data Protection and Reporting

By Global Law Experts
– posted 1 hour ago

Understanding how to conduct an internal investigation in Germany requires more than a generic compliance manual; it demands a jurisdiction-specific playbook that accounts for the distinctive legal constraints of German corporate law. From protecting attorney–client privilege and navigating works council co-determination rights under the Betriebsverfassungsgesetz (BetrVG), to responding to dawn raids, meeting GDPR breach-notification deadlines and aligning with the Lieferkettensorgfaltspflichtengesetz (LkSG) and the EU Corporate Sustainability Due Diligence Directive (CSDDD), German internal investigations sit at the intersection of multiple regulatory frameworks. This guide provides in-house counsel, heads of compliance and external advisors with a step-by-step operational framework, practical checklists and template references calibrated for the enforcement landscape of 2026.

Before diving into the five-phase process, keep these four core legal constraints front of mind throughout every stage of an internal investigation in Germany:

  • Privilege. Germany does not recognise in-house legal privilege in the same way as common-law jurisdictions; structuring the probe through external counsel is critical.
  • Works council (Betriebsrat). Co-determination rights under the BetrVG can apply to employee interviews and any resulting disciplinary measures.
  • GDPR and BDSG. Personal data processed during the investigation must satisfy a lawful basis, and data breaches discovered during the probe trigger strict notification timelines.
  • LkSG / CSDDD reporting. Supply-chain due-diligence obligations may independently require investigation and remediation, with their own reporting duties.

1. When to Open an Internal Investigation in Germany: Triggers and Intake

Knowing when to conduct an internal investigation is itself a threshold compliance question. Common triggers include whistleblower reports (increasingly channelled through the systems mandated by the EU Whistleblower Directive transposition in Germany), suspicious transaction alerts, audit findings, media reports, regulatory inquiries and complaints received via LkSG-mandated grievance mechanisms. Industry observers expect the volume of LkSG- and CSDDD-triggered investigations to rise through 2026 and 2027 as enforcement matures and the scope of covered companies expands under EU due-diligence requirements.

A structured risk matrix should assess three dimensions for every incoming report: legal severity (potential criminal liability, regulatory sanctions), commercial impact (contract exposure, licence risk) and reputational risk (public attention, stakeholder trust). Where the LkSG applies, the law itself requires companies to conduct a risk analysis and take appropriate preventive and remedial measures regarding identified human-rights and environmental risks in their supply chains, a legal duty that can independently mandate an internal investigation.

Intake Checklist

  • Date and source. Record precisely when and how the allegation was received.
  • Subject matter. Categorise (fraud, bribery, data breach, supply-chain harm, competition violation, other).
  • Persons and entities involved. Identify employees, business units and any third parties mentioned.
  • Preservation flag. Issue an immediate document-preservation instruction to relevant IT and business contacts.
  • Materiality assessment. Apply the risk matrix above to determine scope and urgency.

When to Escalate to External Counsel

External counsel should be engaged early whenever potential criminal liability is identified, when the matter may involve senior management, when privilege preservation is essential for any foreseeable regulatory or litigation proceedings, or when the investigation has cross-border dimensions. Under German law, there is no general obligation to inform authorities before launching an internal investigation, but the decision to engage external counsel from the outset materially improves privilege protection, a point explored in the next section.

2. Planning and Scoping the Probe: How to Conduct an Internal Investigation That Preserves Privilege

The planning phase determines whether the investigation’s outputs will be defensible and, critically, whether key documents can be shielded from disclosure. This is where many internal investigations in Germany succeed or fail.

Appointing the Investigation Team and Privilege Implications

Germany’s approach to attorney–client privilege in internal investigations diverges significantly from the common-law model. In-house counsel communications are generally not protected from seizure by prosecutorial authorities. Documents prepared by or with external counsel (Rechtsanwälte) in connection with the provision of legal advice enjoy stronger protection. The practical consequence is clear: if privilege preservation is a priority, and it almost always is, external counsel should be appointed to lead the investigation, or at a minimum, to direct the collection and analysis of sensitive evidence. Work product generated under the instruction of external counsel and clearly labelled as privileged stands a substantially better chance of resisting compelled disclosure.

The investigation team will typically include external lead counsel, in-house legal and compliance liaisons, forensic IT specialists, and, where financial irregularities are suspected, forensic accountants. Define reporting lines in writing at the outset.

Investigation Charter and Scope

A one-page investigation charter should record: the mandate and scope of the investigation, the identity and roles of the investigation team, the reporting line (typically to the supervisory board or audit committee where management is implicated), the applicable legal framework, anticipated timelines, and a clear statement that the investigation is conducted under the direction of external counsel for the purpose of legal advice.

Data Map and Preservation Order

Before any evidence is collected, map the data landscape: which systems store relevant emails, documents, messaging data and access logs? Issue a targeted preservation notice to custodians and IT administrators instructing them to suspend routine deletion policies for all potentially relevant data. The preservation order should be documented, acknowledged in writing and tracked to ensure compliance.

3. Works Council (Betriebsrat) Rules in Internal Investigations: Interviews, Co-Determination Traps and Documentation

The works council’s co-determination rights under the BetrVG represent one of the most distinctive, and frequently underestimated, constraints on how to conduct internal investigations in Germany. Getting this wrong can invalidate disciplinary measures, expose the company to injunctive actions and damage the credibility of the entire probe.

Several provisions of the BetrVG are directly relevant. Section 87 establishes co-determination rights concerning questions of order and conduct in the workplace. Section 94 requires works council consent before questionnaires or formal assessment guidelines are used. Section 99 governs consent requirements for personnel measures. Section 102 mandates that the works council must be consulted before any dismissal, a practical reality that means investigation findings feeding into termination decisions must be shared with the Betriebsrat before execution, within the scope prescribed by law.

Works Council Interview Checklist

Employee interviews are the backbone of most internal probes. In Germany, the following rules apply:

  • Investigatory fact-finding vs disciplinary interviews. A purely voluntary, fact-finding interview may not trigger the same co-determination rights as a formal hearing linked to contemplated disciplinary action. However, the line is often blurred in practice, and prudent investigators treat most interviews as potentially triggering works council considerations.
  • Right to have a works council member present. Employees may generally request that a works council member attend the interview. Where the interview relates to a matter that could lead to a disadvantage for the employee, this right is especially important.
  • No obligation to self-incriminate. Employees are generally required to cooperate with employer inquiries relating to their duties, but they cannot be compelled to provide information that would expose them to criminal liability.
  • Consent and documentation. Obtain informed consent for the interview where possible. Notes should be accurate, contemporaneous and minimised to the facts relevant to the investigation scope. Provide a clear explanation of the purpose of the interview.
  • GDPR interplay. Interview records constitute personal data. The lawful basis for processing is typically the employer’s legitimate interest (Article 6(1)(f) GDPR) or necessity for compliance with a legal obligation (Article 6(1)(c) GDPR). Under the German BDSG, Section 26 (employee data processing) provides additional specificity.

For companies navigating the intersection of works council rights and German employment-law developments such as pay transparency obligations, consulting specialist employment counsel alongside the investigation team is advisable.

Documentation and Data Minimisation

Document every step of works council engagement: when the Betriebsrat was informed, what information was shared, and any objections raised. At the same time, apply GDPR data-minimisation principles: do not collect or retain more personal data than is necessary for the investigation’s stated purpose. Interview transcripts should be reviewed and redacted to remove irrelevant personal details before being filed in the investigation record.

4. Evidence Collection and Forensics in German Internal Investigations: Emails, Devices and Cloud Data

The evidence-gathering phase is where the internal investigation steps move from planning to execution. In Germany, the legal framework governing digital evidence collection is shaped by employment law, data protection rules and, potentially, criminal procedural law.

Evidence Preservation Steps

  • Forensic imaging. Create bit-for-bit forensic copies of relevant hard drives, servers and mobile devices. Use write-blockers to prevent alteration. Document the chain of custody meticulously from the moment of collection.
  • Email and messaging review. Collect emails, instant messages and collaboration-platform data (Teams, Slack) within the defined scope. Where the employer permits private use of corporate email, additional data-protection hurdles apply; in particular, the Telecommunications Act (Telekommunikationsgesetz) may restrict access.
  • Cloud and SaaS data. Identify cloud-hosted data repositories (including offshore servers) and assess whether cross-border data transfers trigger additional GDPR safeguards.
  • Physical evidence. Secure relevant paper records, access-badge logs and CCTV footage (where permissible under works council agreements and evolving data privacy laws).
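One way to make the forensic-imaging and chain-of-custody steps above verifiable is sketched below. It is an added example, not part of the original guide: it hashes an image at acquisition and records each custody event in a hash-chained log, so that a later edit to the log or to the image is detectable. The evidence ID, actor names, timestamps and the stand-in image file are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # prev_hash used by the first custody entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a forensic image in chunks so large images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_entry(log, evidence_id, action, actor, image_sha256, timestamp):
    """Append a custody event; each entry commits to the previous entry's hash."""
    body = {
        "seq": len(log),
        "evidence_id": evidence_id,
        "action": action,
        "actor": actor,
        "image_sha256": image_sha256,
        "timestamp": timestamp,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry


def first_broken_entry(log):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["seq"] != i or body["prev_hash"] != prev:
            return i
        if _entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None


def image_matches_acquisition(log, path):
    """True if the image on disk still has the hash recorded at acquisition."""
    return bool(log) and sha256_file(path) == log[0]["image_sha256"]


def demo():
    # Constructed stand-in for a disk image; a real image comes from the imaging tool.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as fh:
        fh.write(b"CONSTRUCTED-SAMPLE-IMAGE" * 4096)
        path = fh.name
    try:
        log = []
        append_entry(log, "EV-001", "acquired via write-blocker", "examiner-a",
                     sha256_file(path), "2026-01-15T09:00:00Z")
        append_entry(log, "EV-001", "transferred to evidence locker", "examiner-b",
                     sha256_file(path), "2026-01-15T11:30:00Z")
        results = {
            "log_ok": first_broken_entry(log),
            "image_ok": image_matches_acquisition(log, path),
        }
        # Simulate a back-dated edit to the acquisition record.
        log[0]["timestamp"] = "2026-01-14T09:00:00Z"
        results["after_edit"] = first_broken_entry(log)
        # Simulate a single byte appended to the image after acquisition.
        with open(path, "ab") as fh:
            fh.write(b"\x00")
        results["image_after_change"] = image_matches_acquisition(log, path)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A hash chain only detects edits relative to a trusted head: record the latest `entry_hash` somewhere outside the log (for example in counsel's file) so that a wholesale rewrite of the chain is also detectable.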

Forensic Vendor Selection

When appointing an external forensic IT provider, confirm their ability to meet German court standards for evidence integrity, their GDPR compliance posture (they will typically act as a data processor), and whether they can provide expert testimony if the matter escalates to litigation or regulatory proceedings.

Evidence Type Quick-Reference Table

| Evidence type | Immediate action | Key legal note |
|---|---|---|
| Corporate email and messaging | Issue preservation hold; forensic image mailboxes | If private use is permitted, access may require employee consent or works council agreement |
| Employee devices (laptops, phones) | Secure devices; create forensic copies | Distinguish company-owned vs BYOD; BYOD adds consent and scope complexity |
| Cloud / SaaS data | Preserve via admin hold; map server locations | Cross-border transfers may require Standard Contractual Clauses or adequacy decisions |
| Paper records and physical files | Seal and inventory; photograph before removal | Chain-of-custody documentation essential for later disciplinary or court proceedings |
| CCTV / access-badge logs | Preserve footage within retention window | Works council co-determination rights (Section 87 BetrVG) typically govern surveillance systems |

For a broader perspective on investigative techniques, including the role of computer forensics in white-collar crime investigations, see our companion guide.

5. Dawn Raids and Unannounced Inspections in Germany: What Should You Do in a Dawn Raid?

Dawn raids are unannounced on-site inspections by prosecutorial authorities, the Federal Cartel Office (Bundeskartellamt), BaFin, or EU Commission officials. They can occur without prior warning and create immediate, high-stakes pressure on in-house teams. Knowing what to do in a dawn raid before it happens is the only way to manage the risk effectively.

Immediate Response Checklist

  • Do not obstruct. Obstructing a lawful search can constitute a criminal offence. Instruct all staff to cooperate politely but not to volunteer information beyond what is legally required.
  • Verify authority. Request and photocopy the search warrant or inspection order. Check the scope: which premises, which documents, which time period?
  • Contact external counsel immediately. The single most important call. External counsel should be on-site as quickly as possible to oversee the process and assert privilege where applicable.
  • Assign a shadow team. Designate at least one employee to accompany each inspector at all times. Their role is to observe, take notes on every document inspected or seized, and ensure the scope of the warrant is not exceeded.
  • Quarantine IT access. Inform IT immediately. Do not delete, move or alter any data, but restrict ongoing auto-deletion processes if possible (with counsel’s approval).
  • Preserve a complete record. Log every document seized or copied, the identity of each inspector, the rooms accessed and any statements made. Photograph sealed evidence bags where possible.

Dawn-Raid Escalation Matrix

Prepare this matrix in advance and ensure it is accessible at all reception desks and security posts:

  • T+0 minutes: Reception confirms identity, requests and copies warrant, contacts General Counsel / Head of Compliance.
  • T+5 minutes: General Counsel contacts external counsel (pre-agreed emergency hotline).
  • T+10 minutes: Shadow team members deployed; IT notified to freeze auto-deletion routines.
  • T+15 minutes: Board / supervisory board notified per escalation protocol.
  • Ongoing: External counsel reviews warrant scope on arrival; privilege claims asserted in real time; comprehensive log maintained.

6. Data Protection and Breach Notifications During Internal Investigations in Germany: GDPR Timelines and BDSG Requirements

Internal investigations frequently uncover personal data breaches, or generate data-protection compliance obligations of their own. Understanding Germany’s data breach notification rules is essential for every investigation team.

Under Article 33 of the GDPR, a data controller that becomes aware of a personal data breach must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours. In Germany, the competent authority will typically be the data protection authority of the Land (Landesdatenschutzbehörde) in which the controller is headquartered, or the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for telecommunications and postal-service providers and federal public bodies.

Practical 0–72 Hour Timeline

  • Hour 0: Breach identified. Document the nature of the breach, the categories and approximate number of data subjects affected, and the likely consequences.
  • Hours 0–24: Assess whether the breach is likely to result in a risk to the rights and freedoms of individuals. If no risk, document the assessment (a notification may not be required). If risk exists, begin preparing the notification.
  • Hours 24–48: Prepare the notification to the supervisory authority, including: description of the breach, categories and number of data subjects, likely consequences, and measures taken or proposed to mitigate.
  • Hours 48–72: Submit notification to the competent supervisory authority. If full information is not yet available, a phased notification is permitted, but the initial submission must be made within the 72-hour window.
  • Following notification: Assess whether the breach is likely to result in a high risk to affected individuals. If so, Article 34 GDPR requires direct notification to data subjects without undue delay.

Data Minimisation and Lawful Basis for Processing Investigation Evidence

The investigation itself involves processing personal data: interview records, emails, HR files and forensic images. The lawful basis will most commonly be the legitimate interest of the controller in investigating suspected misconduct (Article 6(1)(f) GDPR), or compliance with a legal obligation (Article 6(1)(c) GDPR) where, for example, the LkSG or anti-money-laundering rules mandate investigation. Under the BDSG, Section 26 permits the processing of employee data where necessary for the purpose of the employment relationship, including for investigating criminal offences, provided there is a documented factual basis for the suspicion and the processing is proportionate.

Practical guidance from the BfDI emphasises that companies must document their data-protection impact assessment where large-scale processing of employee data is involved, and that data collected for the investigation must not be repurposed for unrelated HR decisions.

7. Reporting to Authorities and Remediation: When and How to Self-Report

One of the most consequential decisions in any internal investigation in Germany is whether and when to report findings to external authorities. There is no blanket statutory obligation to self-report the results of an internal probe to the public prosecutor, and a company is not required to inform authorities before launching an investigation. However, several sector-specific and offence-specific reporting obligations apply:

  • Public prosecutor. Self-reporting is voluntary in most cases, but can be strategically beneficial: early cooperation may be considered a mitigating factor in sentencing. Conversely, failure to report can elevate risk if the matter later becomes public.
  • BaFin. Financial institutions and regulated entities face mandatory reporting obligations for certain types of misconduct, including money-laundering suspicions and significant regulatory breaches.
  • Bundeskartellamt / EU Commission. For competition-law violations, leniency programmes offer substantial incentives for early self-reporting, including potential full immunity from fines for the first applicant.
  • LkSG enforcement authority (BAFA). Under the LkSG, companies must fulfil specific due-diligence and reporting obligations regarding human-rights and environmental risks. While the law does not require “self-reporting” of individual incidents in the traditional sense, it mandates risk analysis, preventive measures and annual public reporting.

The risks and benefits of voluntary disclosure should be assessed on a case-by-case basis by external counsel, weighing factors such as the severity of the conduct, the likelihood of detection by authorities, the availability of leniency programmes, and reputational exposure. For comparative perspectives on corporate investigation practices in other jurisdictions, our cross-border guides may also be helpful.

8. Final Reporting, Discipline and Follow-Up in German Internal Investigations

Writing the Investigation Report

The investigation report is the central deliverable. In Germany, best practice is to prepare two versions:

  • Privileged report. Prepared by or at the direction of external counsel, containing legal analysis, legal conclusions and attorney–client communications. Clearly labelled “Privileged and Confidential, Prepared for the Purpose of Legal Advice.”
  • Factual summary. A separate document summarising factual findings without privileged legal analysis, suitable for sharing with the works council (where required for disciplinary consultation under Section 102 BetrVG), regulators or, if the decision is made to self-report, prosecutorial authorities.

Disciplinary Steps and Works Council Consultation

Before any disciplinary action, including warnings, transfers, or terminations, the works council must be consulted in accordance with Section 102 BetrVG. The consultation must include the reasons for the proposed measure. A dismissal carried out without proper works council consultation is void under German law.

Remediation, Monitoring and Document Retention

Close the investigation with a documented remediation plan: root-cause analysis, control improvements, training, and monitoring commitments. Retain investigation records for a period consistent with applicable limitation periods, typically five to ten years depending on the nature of the underlying conduct. All retained documents should be classified by privilege status and stored securely with access restricted to authorised personnel.

Reporting Obligations and Timelines by Entity Type

| Entity type | Who to notify | Typical timeline / note |
|---|---|---|
| All data controllers (personal data breach) | Competent Land data protection authority or BfDI (for federal bodies, telecoms, postal services) | Without undue delay and, where feasible, within 72 hours of becoming aware (Article 33, GDPR) |
| Companies with LkSG obligations | Federal Office for Economic Affairs and Export Control (BAFA) / public annual reporting | LkSG duties: risk analysis, preventive and remedial measures, complaints procedure and statutory annual reporting |
| Financial institutions / regulated firms | BaFin (or sectoral regulator) for regulatory breaches, AML suspicions | Sector-specific rules may require immediate notification; maintain a separate regulatory reporting playbook |
| Companies involved in competition-law violations | Bundeskartellamt or EU Commission (leniency application) | Leniency incentives favour early self-reporting; timing is competitively sensitive; consult specialist counsel |
| All employers (if disciplinary action follows) | Works council (Betriebsrat) under Section 102 BetrVG | Consultation required before any dismissal; dismissal without consultation is void |

Conclusion

Running a defensible internal investigation in Germany in 2026 means mastering five interlocking disciplines: privilege architecture, works council co-determination, forensic evidence handling, GDPR and BDSG data-protection compliance, and strategic engagement with regulatory authorities. The internal investigation steps outlined in this guide, from intake through reporting and remediation, provide a structured framework, but every investigation carries unique risk and jurisdictional nuance. Engage specialist external counsel early, document every decision, and treat works council rights and data-protection obligations not as obstacles but as integral components of a credible and legally sustainable process. For guidance tailored to your specific matter, consult a qualified German regulatory and investigations specialist.

Appendix: Downloadable Templates

  • Investigation Charter (one-pager). Template recording mandate, scope, team, reporting line, legal framework and privilege designation.
  • Employee Interview Consent Form. GDPR-compliant consent and information notice for investigatory interviews, including purpose limitation and data-subject rights.
  • Dawn-Raid Response One-Pager. Laminated checklist for reception and security: verify warrant, contact counsel, deploy shadow teams, quarantine IT, log all seized items.
  • Data Breach Notification Template (GDPR fields). Pre-populated form covering Article 33 notification requirements: breach description, data-subject categories, likely consequences and mitigation measures.
  • Works Council Notice Template. Draft notification to the Betriebsrat for consultation prior to disciplinary measures arising from investigation findings, aligned with Section 102 BetrVG.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Dr. Carolin Raspe at YPOG, a member of the Global Law Experts network.

Sources

  1. General Data Protection Regulation (GDPR), official text (EUR‑Lex)
  2. Bundesdatenschutzgesetz (BDSG) / BfDI guidance
  3. Lieferkettensorgfaltspflichtengesetz (LkSG), Gesetze im Internet
  4. Works Constitution Act (Betriebsverfassungsgesetz, BetrVG)
  5. European Commission, Corporate Sustainability Due Diligence (CSDDD)
  6. ICLG, Corporate Investigations: Germany (Jan 2026)
  7. Baker McKenzie Resource Hub, Privilege & Investigations (Germany)
  8. CMS, Internal Investigations (Germany)

FAQs

How do you conduct internal investigations in Germany?
An internal investigation in Germany follows five core phases: (1) intake and trigger assessment, (2) planning, scoping and team appointment, with attention to privilege, (3) evidence collection and forensic preservation, (4) witness interviews conducted in compliance with BetrVG works council rules and GDPR data-minimisation requirements, and (5) reporting, remediation and follow-up. External counsel should lead or direct the process wherever privilege protection or criminal-liability risk is present.
Do not obstruct the inspectors. Verify the search warrant and its scope, contact external counsel immediately, assign shadow teams to accompany each inspector, quarantine IT systems to prevent data deletion, and maintain a meticulous log of every document inspected, copied or seized. Pre-prepare an escalation matrix so that reception, security, IT and legal teams know their roles before a raid occurs.
The five internal investigation steps are: (1) intake: receive and assess the report against a materiality risk matrix; (2) plan: define scope, appoint the team and issue a preservation order; (3) collect: gather and forensically preserve documentary, digital and physical evidence; (4) analyse and report: review evidence, conduct interviews, prepare privileged and factual reports; (5) follow up: implement remediation, consult the works council on disciplinary measures, and close out document retention.
A formal investigation should be opened when there is a credible allegation or objective indicator of misconduct that could expose the company to criminal liability, regulatory sanctions, material financial loss or significant reputational harm. Triggers include whistleblower reports, audit red flags, suspicious transactions, media inquiries and supply-chain complaints under the LkSG. Where potential criminal conduct is identified, immediate escalation to external counsel is advisable.
Under Article 33 of the GDPR, a personal data breach must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it. In Germany, the competent authority is typically the data protection authority of the relevant Land, or the BfDI for federal public bodies and certain regulated sectors. If the breach is likely to result in a high risk to individuals, data subjects must also be notified directly under Article 34.
Yes. Under the BetrVG, the works council has co-determination rights that may apply to the introduction of questionnaires or assessment guidelines (Section 94), personnel measures arising from investigation findings (Section 99), and dismissals (Section 102). Employees may also request works council representation during investigatory interviews. Any disciplinary dismissal carried out without prior works council consultation is void under German law.
Germany does not extend attorney–client privilege to communications with in-house lawyers to the same degree as common-law jurisdictions. Documents prepared by or at the direction of external counsel (Rechtsanwälte) in connection with the provision of legal advice enjoy stronger protection from seizure. Industry observers recommend that companies structure all sensitive investigation work product under external counsel’s direction and clearly label privileged documents to maximise the prospects of protection if compelled disclosure is sought.
