Internal investigations in Turkey subject to litany of laws including data protection

Whistleblower series: Turkey

Despite lacking a central law dictating internal investigations, Turkish companies still must adhere to clearly defined regulations contained in a list of other legislation when responding to suspected wrongdoing in their organisations. These laws include the Labour Law, Code of Obligations, Penal Code and Turkish Data Protection Law.

Experts warn that a company's failure to know the implications of these various laws and codes when conducting internal inquiries can result in serious legal and financial risks. But companies can diminish these risks by being aware of the regulatory environment and implementing policies and procedures that follow the letter of these laws.

First and foremost, a company can reduce the risks of investigating malfeasance by doing everything possible to prevent it from happening in the first place. This includes drafting and distributing an employee Code of Conduct that defines inappropriate behaviour and clearly states the penalties for exercising it.

This code and the sanctions that can be handed out for violations should also be included in employment contracts.

Other than that, companies can further protect themselves by setting down procedures and systems for responding to possible abuse in the workplace. The most important step in this direction is to identify who in the organisation will respond should allegations of wrongdoing surface. In short, a business must identify its team of investigators and establish a policy regarding third-party advisors, who may be needed to lend expertise if the alleged abuse is in a specialised area such as taxes and accounting.

These in-house investigators should receive training on how to do their jobs, particularly when it comes to technical procedures such as evidence collection.

Furthermore, a company should also set down the exact investigative tools that should be employed in an inquiry, such as employee interviews, the scanning of electronic communications and audits of financial records.

Strict protocols protecting the confidentiality of whistleblowers, witnesses and suspects should also be established. Guarding the identity of the employees involved in an inquiry not only reduces the risk of injury to their careers and reputation, it also insulates the company from future court action.

Other considerations when preparing for an internal investigation: companies should insure that collecting evidence from computers, smartphones and electronic devices do not violate Turkish data-protection laws. When harvesting evidence from electronic devices that may contain an employee's personal information, a company should take great care to use all the privacy-data tools at its disposal, such as following all privacy protocols as dictated by law, issuing search notices and gaining written consent notices before any scans or searches are carried out.

The procedures described above should be fully in place before any investigation is launched. Once an internal inquiry is underway, however, a company should consider the following points to be high priority.

First and foremost, an ongoing internal investigation should protect any whistleblower who exposed or reported abuse by keeping his identity secret and making sure he is not the target of reprisals.

When gathering evidence, strict rules of evidence management should be maintained. For example, when employees are being questioned, written minutes should be produced, verified by the interviewees and signed.

If third-party experts have been hired to assist in the investigation, they should adhere to the same rules of evidence collection and exercise the same discipline.

Time is of the essence in any investigation. Inquiries should be launched as soon as management is made aware of any abuse and investigators should do everything possible to expedite their work. Whereas there is not a specific time restriction for an employer to take action against non-severe breaches, it is important to note that once a serious wrongdoing (i.e. a wrongdoing that gives the employee cause for termination) is established, a company has six (6) days to inform the employee and issue a formal notice of termination. At the same time, it should be noted that in case of serious wrongdoing, the limitation period is one (1) year from the date the act was committed..

All judgments should be based on a careful examination of all the evidence collected, and should include the expert advice of any third-party advisors brought onboard. Penalties against employees should reflect the sanctions that have already been set down in the company's policies and procedures and the employee's employment contract. And penalties must be issued in a timely manner. Where a serious wrongdoing is in question, as mentioned above the companies have six (6) days to hand down a termination after such wrongdoing is discovered. Again, the limitation period is one (1) year from the date on which the act was committed. If a company violates this deadline, the employee has grounds to contest the penalty, no matter how convincing the evidence against him is.

What are the options for sanctions in Turkey? For non-severe breaches, an employee can receive a formal warning, which should be issued in writing and clearly document the actions for which the warning has been issued. Also, an employee can have his pay docked, but deductions cannot exceed two-days salary and the existence of this penalty as company policy should be clearly stated in the worker's employment contract.

Lastly, if an employee's misconduct has resulted in material loss to the employer, the company can also seek damages.

But even when wrongdoing has been proven and a penalty issued, the investigation is not over. In the aftermath, companies should take great care to ensure the continued protection of whistleblowers, guarding their anonymity and making sure they receive no internal reprisals (e.g. harassment, demotion, termination).

Furthermore, data privacy must continue to be protected. Strict adherence to data-protection laws protects companies from both administrative fines of between EUR 750 and EUR 150,000 and criminal prosecution. It also protects its staff from criminal prosecution since serious violation of data rules can bring criminal sentences of between one and five years in jail.

Also, criminal liability towards representatives of a company may arise if such company fails to notify Turkish judicial authorities about any criminal violations their internal investigations have uncovered.

As stated at the beginning of this article, employee training, including a clear articulation of the company's Code of Conduct, can do much to prevent wrongdoing from taking place. Companies can also protect themselves by putting in place whistleblowing procedures and ensuring that all personnel know what to do if they spot abuse.

Companies can also protect themselves by establishing risk-analysis systems that offer early warning of any high-risk behaviour or activities. Such systems include multi-layered approval procedures, such as joint signature protocols, which may render some forms of wrongdoing (particularly in the financial area) virtually impossible.

Based on the current legal environment, companies can also install internal controls, such as electronic monitoring, in the workplace to both influence behaviour and provide early warning of any problems. But again, while Turkish labor courts have been more relaxed and employer friendly on this issue, all electronic supervision must adhere to Turkey's data protection laws.

In the end, after an investigation has been completed, management and the investigation teams should conduct a postmortem of the inquiry, evaluate what procedures worked and what practices fell short, and implement any reforms deemed necessary.

For more information on conducting internal investigations in Turkey, contact your regular CMS advisor or local CMS experts Dr. Döne Yalçın, Sinan Abra and Inci Alaloglu-Cetin.