HR Internal Investigations 2026

CGM Advogados is a full-service Brazilian law firm based in São Paulo, widely recognised for its expertise in assisting domestic and international clients across diverse industries. The firm’s labour and employment practice is highly experienced in conducting internal investigations into HR matters, including issues such as harassment, discrimination, fraud and workplace privacy. These investigations are handled with a focus on compliance and risk mitigation. Beyond investigations, the team provides comprehensive support at all stages of the employment relationship, including: guidance on employment matters, from hiring to termination; representation in judicial and administrative labour proceedings; negotiation of collective agreements with unions; advocacy before the Ministry of Labour and the Labour Prosecutor’s Office; development of benefit plans, incentive programmes and profit-sharing schemes; workplace diversity and inclusion initiatives; labour audits during mergers and acquisitions, aligning policies and benefits post-acquisition; and assistance with hiring foreign workers and expatriating Brazilian employees.

1. Opening an HR Internal Investigation

1.1 Circumstances

The submission of a complaint by an employee, former employee or even a third party through the company’s reporting channels typically gives rise to an HR internal investigation. These complaints most often relate to issues within the work environment, such as harassment, discrimination or fraud (“matters subject to HR internal investigations”).

HR internal investigations may also be initiated as a result of labour lawsuits filed by employees, investigations or audits conducted by competent authorities (such as the Labour Prosecutor's Office, Ministry of Labour and Employment, unions or tax authorities), due diligence processes or other situations where the company becomes aware of potential violations of laws or internal policies.

1.2 Bases

There are no legal requirements for conducting internal HR investigations, except for companies obligated to establish an Internal Commission for the Prevention of Accidents and Harassment (CIPA). According to Law 14.457/2022, these companies must have reporting channels to receive, monitor and investigate complaints involving sexual harassment or any other form of workplace violence.

However, from an organisational perspective, it is recommended that companies investigate complaints regarding alleged irregular, illegal, immoral, illicit, unsafe or fraudulent conduct brought to their attention. Such investigations help mitigate legal and reputational risks and enable the implementation of disciplinary actions and improvement measures.

It is worth noting that the applicable collective bargaining agreement covering employees’ contracts may include additional rules regarding HR internal investigations, which the company must follow.

Furthermore, if the HR internal investigation pertains to anti-corruption matters, the procedure must comply with the Brazilian Anti-Corruption Act, its associated decree and other relevant regulations.

For reference, the obligation for companies to establish a CIPA depends on the number of employees and the business’s risk level, as stipulated by a regulation of the Ministry of Labour and Employment.

1.3 Communication Channels

There are no specific requirements regarding the types of channels employees may use to report concerns.

However, companies required to establish a CIPA , financial institutions and organisations under the authority of the Central Bank of Brazil must provide a reporting channel that ensures the anonymity of the reporter for matters subject to HR internal investigations. The applicable laws for these companies and institutions do not specify further details about the types of reporting channels they must offer.

It is also worth noting that the collective bargaining agreements applicable to employees’ contracts may include additional rules regarding complaint reporting channels.

1.4 Responsibility

There are no specific rules governing who should conduct an HR internal investigation. Companies can decide whether the investigation is carried out internally (by members of compliance, HR, legal, the board or specialised investigation committees), externally (by law firms or consulting companies) or through a combination of internal and external resources.

For sensitive matters, it is advisable to engage external counsel to ensure legal privilege. This approach also enhances the confidence of witnesses and parties in the independence and impartiality of the investigation process, particularly when allegations involve high-level employees.

1.5 Obligation to Carry Out an HR Internal Investigation

There are no specific rules mandating when an HR internal investigation must be conducted, except for certain companies. Organisations required to establish a CIPA must have reporting channels and internal procedures for receiving, monitoring and investigating complaints involving sexual harassment or other forms of workplace violence. Similarly, financial institutions and organisations regulated by the Central Bank of Brazil are required to provide reporting channels to address potential legal violations, which include matters subject to HR internal investigations.

From an organisational perspective, it is recommended that companies investigate complaints regarding alleged irregular, illegal, immoral, unsafe or fraudulent conduct. Conducting such investigations helps mitigate legal and reputational risks while enabling the implementation of disciplinary actions and corrective measures.

Additionally, collective bargaining agreements applicable to employees’ contracts may include specific rules regarding internal investigations, which companies must comply with.

1.6 Prohibition on Carrying Out an HR Internal Investigation

Due to the lack of statutory rules governing HR internal investigations, unless there is any restriction in the internal rules of the company limiting the investigation, there are no circumstances in which an HR internal investigation may not be carried out (whether temporarily or at all) if the complaint is related to the workplace and company’s employees.

1.7 Other Cases

Except for the specific requirements outlined in 1. Opening an HR Internal Investigation mandating certain companies to establish reporting channels ‒ and the resulting obligation to investigate reports submitted through them ‒ legislation imposes no additional obligations or limitations on the circumstances warranting an HR internal investigation. Nevertheless, companies often choose to investigate irregular, illegal, immoral, unsafe or fraudulent conduct in the workplace, guided by their general duty to ensure a safe work environment and adherence to internal policies and codes of conduct.

2. Initial Steps

2.1 Communication to the Reporter and the Respondent

There is no legal requirement to notify the reporter as to whether an HR internal investigation will be opened. However, there is no legal restriction for the reporter to be informed if this is the case, provided that such disclosure is permitted under the company’s internal regulations or the applicable collective bargaining agreement.

There is no legal requirement to notify the respondent of the initiation of an HR internal investigation. However, such notification may be provided if stipulated by the company’s internal regulations or applicable collective bargaining agreement. This communication can occur at the start of the investigation or at any point during the investigation process.

2.2 Communication to Authorities

From an employment point of view, there is no legal requirement or recommendation to communicate the opening of an HR internal investigation to the authorities.

2.3 Confidentiality Agreements and NDAs

Parties involved in an HR internal investigation may be asked to sign NDAs. Such agreements are more commonly used in investigations involving sensitive topics. However, even without an NDA, there is a general obligation for parties to maintain the confidentiality of the investigation. In cases of a confidentiality breach, companies typically have the right to discipline employees who violate this obligation, particularly if internal policies explicitly state that participation in investigations and any related matters must remain confidential.

2.4 Preliminary Investigation and Scope-Setting

A preliminary investigation can be conducted to assess whether a full HR internal investigation is warranted. This typically involves reviewing the information provided by the reporter to determine the feasibility of proceeding. For instance, if a report is made anonymously without sufficient details ‒ such as the identity of the respondent or victim, the department/location or specific incidents (eg, “a manager is poorly treating their subordinates” without further context) ‒ the company may decide not to initiate a broader investigation due to the lack of actionable information.

3. Interviews and Fact-Finding

3.1 Interviewees

Typically, the reporter and any individuals who may have witnessed the conduct are interviewed as part of the process. The respondent is also interviewed if the report, interviews or documents provide elements suggesting the conduct occurred, or if the company’s internal regulations require it. There is no fixed minimum or maximum number of individuals who can be interviewed in relation to a complaint.

3.2 Participation

The participation of the interviewee in the investigation/interviews should be voluntary, and the employer cannot take any action to obligate the individual to participate in the investigation.

3.3 Format

Interviews of the HR internal investigation can be carried out remotely.

3.4 Interviewers

There is no fixed minimum or maximum number of interviewers, nor are there legal rules mandating specific characteristics such as gender, objectivity or seniority. However, in more sensitive investigations, it is recommended to have two interviewers, with their characteristics selected based on the nature of the investigation. For example, a female interviewer may be advisable in cases involving allegations of sexual harassment against a woman.

3.5 Neutral Party

The only situation in which a neutral third party should be present during interviews is when the interviewed person is underage or is mentally disabled. There is no right for the individuals to be accompanied by their attorneys, union members or any other third party unless the company’s internal regulations or the collective bargaining agreement require it.

3.6 Support Person and/or Lawyer

A minor or someone mentally disabled has the right to be represented by their parents or legal guardian in a meeting at work, and such a rule could be extended to the interview of an investigation. Aside from this, interviewees do not have the right to be accompanied by a support person during the interview, unless the company’s internal regulations or the collective bargaining agreement require it, or the company determines that the specific situation warrants it, in which case the support person must sign an NDA.

Unless so determined by the company’s internal regulation or collective bargaining agreement, interviewees do not have the right to be accompanied by a lawyer during the interview. Lawyers accompanying the interviewees in interviews is atypical.

3.7 Information

There is no statutory requirement specifying the information interviewers must provide to interviewees at the start or end of an interview.

However, it is strongly recommended that interviewers introduce themselves clearly, explain their role in the investigation ‒ emphasising that they represent the employer and not any individual ‒ and provide the following information to the interviewee before the interview begins:

the objective of the investigation, including a summary of the reported conduct without revealing the reporter's identity;
the reason the individual is being invited to participate in the interview (eg, as the reporter, a potential witness or the respondent);
the confidentiality of the process and the expectation that the interviewee will maintain confidentiality if they agree to participate;
assurance of non-retaliation for participating in the interview or co-operating with the investigation; and
information that participation in the interview is voluntary, and a request that the individual confirm whether they are willing to participate.

Additionally, interviewers should explain that, once the interviewee agrees to participate, any breach of confidentiality could result in disciplinary measures. At the conclusion of the interview, it is advisable to remind the interviewee of their ongoing duty of confidentiality.

3.8 Stopping the Interview

Since participation in the interviews is voluntary, the interviewer must stop the interview if requested by the interviewee. The interviewer should remain available to resume the interview at the interviewee’s request. The interviewer must emphasise that the obligation of confidentiality continues to apply even after the interview is concluded.

3.9 Minutes

There are no specific rules regarding taking minutes during interviews, but it is permitted and recommended for interviewers to take notes of the information provided by the interviewees.

These notes or minutes should be treated as internal records for preparing the final investigation report. Interviewees are not entitled to review or sign the minutes unless required by the company’s internal regulations.

In sensitive cases, it is advisable that only lawyers conduct the interviews and take notes to ensure the protection of attorney-client privilege over the content of the discussion and the notes or minutes.

3.10 Recording

If the interview is recorded, the recording can be transcribed and the material should be accessed only by those responsible for conducting the interviews. Its use should be limited to the preparation of the final investigation report. If internal company policy prohibits the recording of interviews, it is recommended to inform the interviewee of this restriction at the beginning of the conversation. The company may also request that the interviewee sign a statement confirming that the discussion is not being recorded. However, such a requirement is not legally enforceable, as Brazilian law allows individuals to record conversations in which they participate without notifying the other party.

3.11 Other Fact-Finding

In addition to interviews, HR internal investigations often include the review of corporate emails, computer files, instant messaging tools and mobile phones. Since these are considered the employer’s property, such reviews are generally permitted. However, it is strongly recommended that employees are informed, through their employment agreements and company policies, that corporate equipment may be monitored by the employer.

Evidence used to reach a conclusion in the investigation should be preserved by the company. It is advisable to document the collection process and maintain a clear chain of custody, particularly in cases where the conduct could lead to criminal prosecution, such as fraud. The investigation report and evidence should be retained by the company or external attorneys for at least five years from the conclusion of the investigation.

The collection of evidence from personal devices or services ‒ such as personal mobile phones, laptops or personal email or instant messaging accounts ‒ is a more contentious issue. Such actions are particularly problematic if the owner of the equipment or service has not provided prior written authorisation.

4. Protection of the Parties During an HR Internal Investigation

4.1 Protection of the Reporter

As a general rule, employers are not expected to take specific measures to protect the reporter, as the entire investigation process is typically conducted confidentially.

However, depending on the nature of the issue under investigation, the employer may implement exceptional measures to safeguard the reporter. These could include reassigning the reporter to a different work sector, permitting remote work, granting holiday or paid leave, or arranging private transportation to and from work. While there is no legal obligation to take such steps, these measures should be carefully evaluated on a case-by-case basis, guided by the employer’s general duty to maintain a safe and healthy work environment and prevent retaliation.

There are no adverse legal consequences for employers who adopt measures to protect the reporter. Conversely, failure to provide reasonable protection in cases of serious complaints could expose the employer to significant risks. These may include labour lawsuits filed by the reporter seeking compensation for pain and suffering, supported by evidence of harm caused by the employer’s failure to take appropriate protective measures.

4.2 Protection of the Respondent

As a general rule, employers are not expected to take specific measures to protect the respondent, as the entire investigation process is typically conducted confidentially.

However, depending on the nature of the issue under investigation, the employer may implement exceptional measures to safeguard the respondent. These could include reassigning the reporter to a different work sector, permitting remote work, granting holiday or paid leave, or arranging private transportation to and from work. While there is no legal obligation to take such steps, these measures should be carefully evaluated on a case-by-case basis, guided by the employer’s general duty to maintain a safe and healthy work environment and prevent retaliation.

There are no adverse legal consequences for employers who adopt measures to protect the respondent. Conversely, failure to provide reasonable protection in cases of serious complaints could expose the employer to significant risks. These may include labour lawsuits filed by the reporter seeking compensation for pain and suffering, supported by evidence of harm caused by the employer’s failure to take appropriate protective measures, such as if there is a breach of confidentiality about the investigation and the respondent is exposed as being accused of misconduct before their peers during the investigation, and no misconduct is evidenced.

4.3 Measures Against the Respondent

Disciplinary measures against the respondent may be applied by the employer before the conclusion of an HR internal investigation if the misconduct is unrelated to the investigation or if the respondent attempts to obstruct or jeopardise the investigation process.

However, it is generally advisable to wait until the investigation is completed before taking disciplinary action related to the matter under investigation.

4.4 Protection of Other Employees

As a general rule, employers are not expected to take specific measures to protect the other employees co-operating with the investigation, as the entire investigation process is typically conducted confidentially.

However, depending on the nature of the issue under investigation, the employer may implement exceptional measures to safeguard such individuals. These could include reassigning the reporter to a different work sector, permitting remote work, granting holiday or paid leave, or arranging private transportation to and from work. While there is no legal obligation to take such steps, these measures should be carefully evaluated on a case-by-case basis, guided by the employer’s general duty to maintain a safe and healthy work environment and prevent retaliation.

There are no adverse legal consequences for employers who adopt measures to protect any person that contributes to the investigation. Conversely, failure to provide reasonable protection in cases of serious complaints could expose the employer to significant risks. These may include labour lawsuits filed by the individual seeking compensation for pain and suffering, supported by evidence of harm caused by the employer’s failure to take appropriate protective measures.

5. Procedural Requirements and Proof

5.1 Requirements

There are no statutory procedural requirements for conducting HR internal investigations, and companies typically establish their own procedures through internal policies. For guidance on best practices, refer to section 3. Interviews and Fact-Finding. However, failure to adhere to voluntary guarantees or best practices may weaken the company’s defence if the investigation or any event related to it is challenged in court by any person involved in the investigation.

Although uncommon, collective bargaining agreements applicable to employees’ contracts may include specific rules governing HR internal investigations. In such cases, non-compliance with these obligations can result in penalties for breaching the terms of the collective bargaining agreement.

5.2 Internal Regulations

Because there are no statutory procedural requirements that must be put in place in the investigation, procedural requirements, if any, will derive from the employer’s internal regulations. Failure to comply with such voluntary internal regulations can weaken the company’s defence if the investigation or any event related to it is challenged in court by any person involved in the investigation.

5.3 Burden and Degree of Proof

Rules on burden of proof do not apply to HR internal investigations since it is a more inquisitive process than an adversarial one.

However, in the case of a legal dispute arising from the result of the investigation and disciplinary measures applied by the company, the company will have the burden of proof to demonstrate the validity of measures taken against the plaintiff. Usually, terminations for cause resulting from an investigation trigger the filing of labour lawsuits against the employer.

There is no statutory degree of proof, but since the employer will have the burden of evidence to support its decisions, it must be confident that the evidence is strong enough to persuade a judge. Usually, a preponderance of evidence is sufficient in employment-related matters, but ideally the evidence should be beyond a reasonable doubt, especially if the disciplinary measure involves terminating the employment agreement for cause based on allegations of dishonesty or sexual harassment.

6. Conclusion and Outcome of an HR Internal Investigation

6.1 Deciding to End an HR Internal Investigation

There are no rules governing when an HR internal investigation may be ended. However, it is recommended that the investigation has a reasonable and justified duration because, as a rule, possible disciplinary measures, including a termination of employment agreement for cause of the respondent and others involved, should be processed by the company immediately after the company becomes aware of the employees’ misconduct or concludes the investigation. Taking an unreasonable length of time to conclusion the investigation can harm the company’s ability to terminate the employment agreement for cause, even if the misconduct has been established.

6.2 Procedure for Ending an HR Internal Investigation

There are no rules governing procedures that must be followed once the decision to end an HR internal investigation is made.

Normally, and unless the internal policy governs otherwise, the investigation ends with the drafting and delivery of the written report to the individual(s) that will act based on its findings.

6.3 Conclusion

There are no rules governing the form that the conclusion of the investigation must take, but the standard procedure is to issue a written report.

6.4 Reports

There are no rules governing the requirements of information that must be included in the written report. It is advisable that this document contains the following information:

a summary or transcription of the accusation presented by the reporter with a clear determination of the scope of the investigation;
an executive summary of the conclusions, informing whether each of the investigated conducts is substantiated or not;
the methodology, including a description of each of the investigative steps (interview, review of communications and documents, etc); and
a detailed description of the findings, preserving the anonymity of the witnesses where possible.

Recommendations of disciplinary measures (if applicable) and other actions to be taken by the company as next steps are often included, unless otherwise determined in the employer’s internal regulations.

The report should contain facts, avoiding speculation or generalisations, and be written in clear, accessible language for an audience unfamiliar with legal terminology. Any legal opinions should be contained in a separate, confidential document.

6.5 Information

Unless mandated by internal rules, the company is not obligated – and is strongly recommended not ‒ to share the outcome of an HR internal investigation or the corresponding final report with the reporter, respondent or interviewees. In practice, companies typically refrain from sharing the written report or any detailed findings, providing only general updates on the investigation’s status (eg, pending or closed).

6.6 Communications to Authorities

From an employment perspective, there is no legal requirement or recommendation to voluntarily report the conclusion of an HR internal investigation to the authorities.

However, if the investigation involves a potential crime or regulatory violation, the company should carefully weigh the pros and cons of notifying the police or relevant authorities, such as the Office of the Comptroller General (CGU) or the Administrative Council for Economic Defence (CADE). In certain cases, such communication may lead to the cancellation of the state’s punitive claim in the criminal sphere or a reduction of fines in the administrative sphere.

6.7 Other Communications

The company is not required or advised to disclose the HR internal investigation to parties who will not be responsible for the decision regarding any actions to be taken by the company as a result of the investigation.

6.8 Disciplinary Measures

If the allegations in the complaint are substantiated, the company may choose to impose disciplinary measures on the individuals involved, depending on the severity of the misconduct. Possible actions include issuing written warnings, suspensions or terminating employment agreements for cause.

Alternatively, the company may opt for termination without cause, which requires statutory severance payments, provided the individual is not protected against termination and termination for cause is deemed inconvenient.

Additional measures may involve reviewing policies, updating operational protocols, or introducing new or revised training programmes.

Case law establishes that disciplinary measures must be applied promptly after the company becomes aware of the misconduct or, following an investigation, concludes that misconduct occurred. As such, it is recommended that HR internal investigations are conducted within a reasonable and justifiable timeframe. Failure to do so may result in the disciplinary measure being invalidated by a labour judge in the event of a legal dispute.

6.9 Other Measures

It is common for employers to take additional measures regardless of whether the allegations in the complaint are substantiated. These actions may include reviewing policies, updating operational protocols, or implementing new or revised training on topics related to the complaint, such as harassment.

Mediation is generally not applicable in HR internal investigations in Brazil.

7. Data Protection

7.1 Collecting Personal Data

From a data protection perspective, employers are permitted to collect personal data for the purpose of an HR internal investigation, provided they have a lawful basis for processing such data under the Brazilian General Data Protection Law (LGPD). Lawful bases include the data subject’s consent, compliance with a legal or regulatory obligation, performance of contracts or pre-contractual steps at the data subject’s request, regular exercise of rights and legitimate interests.

Stricter requirements apply if the processing involves sensitive data, such as information on racial or ethnic origin, religion, political opinions, trade union or organisational membership, health, sexual orientation, genetic data or biometric data related to an individual. In these cases, legitimate interest cannot be used as a basis for processing.

All processing of personal data must adhere to the general principles and requirements of the LGPD, as summarised in section 7.2 Specific Rules.

7.2 Specific Rules

The LGPD is Brazil’s primary privacy legislation and applies to:

data processing activities conducted in Brazil;
processing of data collected in Brazil or related to individuals located in Brazil; and
data processing activities aimed at offering goods or services to individuals in Brazil.

Although the LGPD does not provide specific guidelines for internal investigations in private organisations, its general principles and requirements apply to any personal data processing for such purposes.

Companies must ensure compliance with the LGPD by:

providing a privacy notice to data subjects in a clear, appropriate and visible manner;
processing only the personal data necessary for the investigation;
establishing a lawful basis for processing personal data (particularly sensitive data);
adopting technical and administrative security measures to protect personal data;
maintaining records of the relevant processing activities; and
meeting all other obligations set out in the LGPD.

7.3 Access

Under the LGPD, data subjects have the right to easily access information about the processing of their personal data. This information must be provided in a clear, appropriate and visible manner, typically through a privacy policy or notice. Data subjects also have the right to request confirmation of the existence of processing activities and access to their personal data, among other rights.

The confirmation of data processing or access to personal data must be provided by the controller upon the data subject’s request either:

immediately, in a simplified format; or
within 15 days, in a clear and complete declaration specifying details such as the data’s origin and the purpose of its processing.

When granting access to data, the employer may tailor its response to safeguard the company’s commercial or industrial secrets that could otherwise be disclosed.

The exercise of data subject’s rights is not yet fully regulated by Brazil’s National Data Protection Agency (ANPD), though it remains a priority topic. Additional requirements or limitations may arise as new regulations are implemented.

7.4 AI

The use of AI in internal investigations in Brazil remains uncommon. However, as AI adoption continues to grow, its application in such processes may become more frequent, raising important considerations regarding data protection and compliance with the LGPD. Although there is no specific provision in Brazilian law regulating the use of AI, it is essential that any processing through AI tools complies with LGPD requirements. This includes ensuring robust security measures so that data imputed into AI systems remains confidential and that the tool operates in a closed and controlled environment, preventing the use of the imputed data for AI training purposes. Additionally, there must be a clear and legitimate purpose for the processing, transparency provided to data subjects, and safeguards to prevent discriminatory outcomes.

Contractual safeguards with AI vendors are also important to ensure compliance with LGPD, including auditability and clear allocation of responsibilities. Conducting a Data Protection Impact Assessment (DPIA) when using AI in internal investigations may also be advisable, depending on the kind of data or legal basis involved. These measures not only help mitigate legal and reputational risks but also demonstrate accountability, strengthen governance, and build trust with stakeholders by ensuring that AI-driven processes remain secure, transparent, and aligned with data protection principles.

When using AI, the company must bear in mind that, under the LGPD, data subjects also have the right to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer, or credit profile, or other aspects of their personality – which might be the case regarding certain AI platforms/tools.

Finally, it is essential to ensure transparency throughout every stage of the process, particularly when using AI. Furthermore, it is advisable to implement human review during the workflow and, most importantly, at the final stage, to guarantee that the outcome does not contain bias, which can occur with automated systems. This practice reinforces trust and integrity, ensuring that decisions are fair and aligned with the organisation’s ethical principles.

8. Special Cases

8.1 Whistle-Blowing

In Brazil, whistle-blowing is addressed in the Brazilian Anti-Corruption Act, but there is no legal definition of a whistle-blower. From an employment point of view, the is no statutory protection guaranteed to the whistle-blower, but internal policies of the companies or applicable collective bargaining agreements can provide such protections.

8.2 Sexual Harassment and/or Violence

There is no specific legal protection for reporting sexual harassment and/or violence, but internal company policies or applicable collective bargaining agreements can provide such protections.

Since September 2022, companies required to establish a CIPA must implement an internal policy outlining the procedure for receiving and monitoring complaints related to sexual harassment and other forms of workplace violence. They must also provide a reporting channel that safeguards the reporter’s identity, should they wish to remain anonymous.

From a criminal perspective, sexual harassment is defined as: “Coercing someone with the intent of obtaining sexual advantage or favour, exploiting the perpetrator’s position as a hierarchical superior or authority inherent to their role, position or function.” Another crime is defined as: “Engaging in a lewd act with someone without their consent, with the intent to satisfy one’s own lust or that of a third party.”

However, not all conduct classified as sexual harassment under internal regulations meets these legal definitions. Employers should exercise caution when labelling misconduct of a sexual nature as “sexual harassment” to avoid the risk of civil or criminal liability for slander.

8.3 Other Forms of Discrimination and/or Harassment Including Bullying and/or Mobbing

Companies required to have a CIPA must maintain an internal policy outlining the procedure for receiving and monitoring complaints involving sexual harassment and any other violence in the workplace, and a reporting channel that protects the reporter’s identity should they wish to remain anonymous.

Also, employment law prohibits the adoption of any discriminatory or restrictive practices for the purpose of access to employment or if its continuity is prohibited on grounds of sex, origin, race, colour, marital status, family situation, disability, professional rehabilitation or age.

Racial, sexual orientation, religious and disability discrimination is also classified as a crime by law or case law.

There is no specific legal protection for allegations concerning bullying and/or mobbing, but they are usually deemed as types of harassment.

8.4 Criminal Cases

The employer is not legally required to communicate with the relevant authorities if the allegation is also criminal in nature. The employer may only be obliged to provide information to the authorities if required to do so by means of a written request by the relevant authority.

8.5 Multi-Jurisdictional HR Internal Investigations

There are no special procedures that an employer should follow in HR internal investigations that are multi-jurisdictional.

However, although there are no legal restrictions on foreign employers conducting HR internal investigations in their jurisdiction or on employers in their jurisdiction conducting HR internal investigations abroad, it is recommended that investigations involving employees based in Brazil are conducted locally and in the native language to ensure that the investigation complies with Brazilian legislation and case law. If this is not possible, it is recommended that there is an interpreter in the interview to avoid any miscommunication or inaccuracies in fact-finding, and that the presence of the interpreter be noted in the final investigation report.

CGM Advogados

Av Brigadeiro Faria Lima 1663
5th/13th Floors
CEP 01452 001
São Paulo
Brazil

+55 11239 48900

patricia.barboza@cgmlaw.com.br www.cgmlaw.com.br

Trends and Developments

Authors

From Psychosocial Risk to Data Protection: The New Agenda for Internal Investigations for 2026

Executive summary

Internal investigations have become a strategic pillar of prevention and corporate governance, playing a decisive role in preserving institutional values and strengthening organisational culture.

In 2026, two trends will gain relevance in Brazil in the field of internal investigations.

The first trend is the expansion of the role of internal investigations as an essential mechanism for the prevention and remediation of psychosocial risks, driven by recent changes to Regulatory Standard No 1 (NR-1), issued by the Ministry of Labour and Employment (MTE), which is expected to come into effect for companies on 26 May 2026.

The second trend refers to the impacts of the General Data Protection Law (LGPD) on the conduct of these investigations, especially in view of the growing use of technologies such as recording of interviews, automated transcription of their content, and the use of AI tools for the analysis and preparation of relevant documents.

Although they may seem distinct at first glance, these trends converge toward a common goal: protecting employees in the workplace and data by ensuring ethical, secure, and transparent investigations.

This article explores the challenges and opportunities of this integration, presenting best practices, strategic recommendations, and perspectives for companies seeking to align compliance, mental health, and privacy in an increasingly complex corporate environment.

Introduction

Internal investigations have undergone a significant transformation in recent years. From essentially reactive instruments, triggered only by allegations or suspicions of irregularities, they have evolved into strategic corporate governance mechanisms capable of anticipating risks and strengthening organisational culture and values.

This change reflects a global trend: companies treating internal investigations not merely as an investigation process, but as a tool for prevention and integrated risk management.

In 2026, two trends stand out in the Brazilian and international landscape, each with significant impacts on how organisations conduct their internal investigations.

The first concerns the expansion of the role of these investigations in the prevention and remediation of psychosocial risks in the workplace, driven by recent changes to NR-1 of the MTE, which is expected to come into effect for companies on 26 May 2026.

This rule reinforces companies’ responsibility to identify and mitigate factors that affect the mental and emotional health of workers, such as bullying, burnout, and psychological violence. In this context, internal investigations are no longer just a corrective mechanism but have become part of a preventive strategy aimed at promoting safer and healthier work environments.

The second trend is related to the impacts of the LGPD on the conduct of internal investigations.

With the growing use of technologies such as interview recording and transcription, AI tools, and automated analysis systems, new challenges arise: how to ensure compliance with principles such as purpose, necessity, data minimisation and non-discrimination without compromising investigative efficiency?

In addition, issues such as valid consent, information security, and algorithmic transparency become central to avoiding regulatory risks and preserving employee trust.

Although these two themes may seem disconnected at first glance, they both converge on the same axis: the need to balance investigative efficiency with comprehensive protection, whether of workers’ mental health or of the privacy and personal data involved in the process.

This intersection reveals a contemporary challenge for companies: structuring internal investigations that are robust, ethical, and compliant with labour and data protection regulations, without compromising agility and credibility.

In the following sections, the authors will explore how these trends are shaping internal investigation practices, the challenges they pose, and the best practices that can guide organisations towards a more integrated, preventive, and secure model.

Overview of Internal Investigations

Internal investigations have evolved from a reactive mechanism, triggered only in response to reports or suspicions of irregularities, to a strategic corporate governance tool.

This transformation accompanies a global movement that values risk prevention, transparency, and social responsibility as pillars of business management.

Traditionally, internal investigations were conducted to ascertain facts after illegal conduct or ethical violations had occurred. Today, organisations recognise that anticipating risks is more efficient and less costly than remedying damage. This paradigm shift is directly linked to the expansion of regulatory and social expectations of companies.

In the global context, internal investigations play an essential role in integrity programmes, ensuring compliance with national and international legislation. They reflect companies’ commitment to ethical practices and respect for human rights, as well as reducing reputational and financial impacts in crisis situations.

The way a company conducts its investigations reflects its commitment to ethical practices and respect for human rights, which is of paramount importance from an ESG, organisational culture and crisis management perspective.

It should not be forgotten that well-structured investigations reduce reputational and financial impacts.

In Brazil, this movement will gain momentum in 2026 in the face of stricter labour rules, such as changes to NR-1, which require active management of psychosocial risks, and ongoing enforcement of data protection requirements under the LGPD, which imposes parameters for the collection and processing of personal information.

Added to this is the pressure for transparency, driven by stakeholders and regulatory bodies.

This landscape sets the stage for the two trends that will be explored in the following sections: the use of internal investigations as a tool for preventing psychosocial risks, and the impacts of the LGPD and technology on the conduct of these investigations.

First Trend: Internal Investigations and Psychosocial Risk Prevention

With the recent changes to NR-1 of the MTE, Brazilian companies face both a new challenge and a new opportunity: integrating psychosocial risk management into their compliance and governance practices. Mental health care at work is no longer a peripheral issue but has become a regulatory and reputational imperative.

Brazilian law requires organisations to adopt a structured process for Occupational Risk Management (GRO), which involves identifying and assessing hazards, classifying risks, eliminating or reducing threats, implementing preventive measures, and continuously monitoring controls.

The update to NR-1 reinforces the need to consider psychosocial risk factors, such as work overload, harassment and deficiencies in work organisation, which can significantly impact the physical, psychological and social health of workers, including by contributing to stress, burnout and depression.

These factors must be incorporated into the dynamics of the GRO – ie, the process of hazard identification, risk assessment, and implementation of preventive measures.

The new legal text introduced the definition of probability by type of risk, including psychosocial factors within the item addressing ergonomic factors. To assess the probability of injuries or harm resulting from these factors, it is necessary to consider the demands of the work activity and the effectiveness of preventive measures.

This assessment does not consist of measuring individual symptoms or biological signs but rather analysing working conditions and identifying which aspects act as stressors capable of causing damage to health.

In addition, practices must incorporate the ergonomic guidelines set out in Regulatory Standard No 17 (NR-17) of MTE, covering work organisation, furniture, transport of materials, use of machinery, and comfort conditions.

The rule requires companies to adopt a process of continuous improvement in health and safety, which may be supported by internationally recognised approaches, such as the PDCA (Plan, Do, Check, Act) cycle.

Effective management of psychosocial risks is not only a legal requirement in Brazil, but also a practice aligned with global health and safety rules, essential for promoting well-being, productivity and organisational sustainability.

It is worth noting that the current wording of NR-1, in force until 25 May 2026, already determines the management of all occupational risks, including psychosocial ones. However, the new wording, expected to be effective from 26 May 2026, reinforces and places greater emphasis on this obligation, highlighting the importance of mental health and well-being in the workplace.

In this scenario, internal investigations take on a strategic role: not only to investigate illegal conduct, but also to act as a preventive tool to identify signs of harassment, burnout, and psychological violence before they turn into crises. This change requires clear protocols, trained teams, and an approach that combines technical rigour with human sensitivity.

The changes in NR-1 consolidated the obligation for companies to adopt measures to identify, assess, and mitigate psychosocial risks in the workplace, including moral and sexual harassment, burnout, chronic stress, psychological violence, and discrimination.

The rule reinforces that the management of these risks must be integrated into occupational health and safety programmes, in addition to requiring a close look at people and work dynamics, with a systematic and preventive approach.

Innovative companies already use internal investigations to map vulnerabilities before they turn into crises, through:

monitoring reporting channels, by analysing patterns in reports brought to the company’s attention (including anonymously) to identify critical areas;
behavioural audits, conducted through periodic interviews with teams to assess the organisational climate; and
proactive interviews with leaders and employees, promoting a preventive approach with leaders and employees to detect signs of harassment and work overload, for example.

These actions allow the organisation to act quickly, avoiding damage to workers’ mental health, psychosocial risks and reputational risks.

The implementation of this preventive approach poses significant challenges, such as:

guaranteeing impartiality and confidentiality, and ensuring that internal investigations are not perceived by employees as persecution or excessive control and that they are not used as a tool for retaliation;
integrating strategic areas such as human resources, compliance and legal; and
training teams to deal with emotional aspects and manage sensitive communications effectively.

Good practices include creating clear protocols for investigating complaints, formalised in robust internal policies, establishing organisational climate indicators, and offering psychological support to those involved.

In general, when trained internal or external consultants participate in a compliance investigation, at the end of the process, recommendations for improvements are presented that aim to promote a healthier and safer work environment, in addition to preventing new irregularities.

Among the most common recommendations are:

reviewing internal policies and codes of conduct;
conducting training on ethics, respect, and harassment prevention;
adopting more accessible and secure reporting channels;
strengthening internal communication and transparency in processes; and
making adjustments to the organisational structure or work processes to reduce psychosocial risk factors, such as overload, lack of clarity of roles, or toxic environments.

These actions can and should be integrated into the GRO provided for in NR-1, especially regarding the identification, assessment, and control of work-related psychosocial risk factors.

By aligning compliance recommendations with the requirements of NR-1, the company strengthens its organisational culture, reduces legal and reputational risks, and contributes to a more ethical, safe and healthy work environment.

It is also worth noting that these investigations often result in disciplinary measures being taken against employees who have acted contrary to the company’s ethical values and principles.

The management of psychosocial risk factors provided for in NR-1 and internal compliance investigations are therefore complementary processes.

While the GRO acts in prevention and continuous monitoring, compliance investigations respond to specific situations, promoting correction and improvement.

Integrating these practices strengthens organisational culture, reduces legal and reputational risks, and contributes to a safer, healthier and more ethical work environment.

In the coming years, technological and cultural developments are expected in this field, with the use of analytics and AI to identify behaviour patterns and risk signals in large volumes of data (such as feedback, internal surveys, etc), integration of investigations with ESG programmes, reinforcing corporate social responsibility, and greater regulatory requirements for transparent reporting on preventive and corrective measures.

This trend positions internal investigations as pillars of mental health management at work, aligning compliance, well-being, and corporate reputation.

Second Trend: LGPD and Technological Impacts on Internal Investigations

The digital revolution has reached internal investigations and brought with it complex regulatory risks.

Interview recordings, automated transcripts, and AI tools promise speed and accuracy, but they also raise critical questions about privacy, security, and compliance with the LGPD.

How can investigative efficiency be balanced with personal data protection? This is the question that will guide corporate practices in the coming years.

Companies that fail to adopt robust policies and ethical technology risk severe sanctions and reputational damage, while those that anticipate these issues will be at the forefront of digital governance.

The LGPD imposes a new paradigm for conducting internal investigations, requiring compliance with the principles of purpose, with data used strictly for fact-finding; necessity and minimisation, with the collection of only essential data; and transparency, through clear communication about data processing to employees and other data subjects.

As companies deal with critical information that may include personal data (including sensitive data), such as statements, interview records, and behavioural data, it is essential to define the legal basis for processing. Depending on the circumstances, this may include compliance with legal obligations, legitimate interest, contract performance or other specific legal basis.

With the digitisation of investigations, specific challenges arise, such as:

the recording of interviews, which, depending on the case, may require the explicit consent of the person under investigation, and in any event demands strong security measures, such as secure storage and access control;
the use of AI for transcription and analysis, which can generate risks of leakage and bias, compromising the impartiality of the investigation and the non-discrimination principle established by the LGPD; and
the sharing of data with third parties (consultancies, law firms, etc), which requires robust contractual clauses and supplier auditing.

To mitigate regulatory and reputational risks, it is recommended to adopt clear internal policies on data collection, processing and disposal, including:

anonymisation of data whenever possible;
periodic auditing of technological tools;
proper recording of the relevant activities in the companies’ records of data processing activities (RoPA);
training of teams on LGPD and information security; and
specific channels to enable data subjects to exercise their rights.

Companies that are part of a multinational group or that use global tools or platforms, such as transcription software, must ensure that data is processed on servers in countries with an adequate level of protection or transferred abroad based on a valid mechanism, such as the Brazilian Standard Contractual Clauses, in accordance with the LGPD and the guidelines of the National Data Protection Agency (ANPD).

The future points to increasing integration between technology and compliance, including:

AI applied to evidence screening in a context of big data analysis to identify patterns;
regulatory pressure for algorithmic transparency, with the requirement for explainability of automated decisions; and
greater oversight by the ANPD over data and information collection and storage practices in internal investigations.

Companies that fail to adapt risk severe penalties and damage to their reputation. On the other hand, those that invest in data governance and ethical technology will be better prepared to conduct agile, secure and compliant investigations.

Convergence of Trends: An Integrated Model for Secure and Efficient Internal Investigations

When prevention and privacy meet, a new paradigm for internal investigations is born.

At first glance, the prevention of psychosocial risks and the protection of personal data seem to address different realities: one focused on the mental health and well-being of workers, the other on privacy and information security.

However, both share an essential point: the need to conduct internal investigations in an ethical, transparent, and balanced manner, ensuring that the pursuit of efficiency does not compromise fundamental rights. The common thread between these two fronts is comprehensive protection.

This means ensuring the dignity of the individual, whether by avoiding practices such as harassment and psychological violence, or by preventing the misuse of personal data. It also involves strengthening organisational trust, as investigations conducted in accordance with labour and regulatory rules increase the company’s credibility. In addition, practices that reconcile mental health and privacy reinforce social and environmental commitments, aligning with governance and ESG guidelines.

Integrating these areas, however, is not simple. Regulatory complexity requires clear protocols and multidisciplinary teams to reconcile the requirements of NR-1 and LGPD, for example.

The use of technology, although an ally in prevention and analysis, carries risks such as algorithmic biases and information leaks.

Added to this is the cultural challenge: investigations must not be perceived as instruments of excessive surveillance, which could undermine internal trust.

To address these obstacles, some strategic recommendations are essential.

It is necessary to create unified policies that integrate occupational health, compliance, and data protection, in addition to establishing interdisciplinary committees involving areas such as HR, legal, compliance, and IT.

The adoption of ethical technology is another critical point, ensuring audited tools with algorithmic explainability and robust security.

Finally, transparent communication with employees about the objectives, limits, and guarantees of investigations is essential to maintaining trust.

Looking ahead, companies that manage to align these two fronts will be better prepared to face emerging risks and meet regulatory requirements.

The trend is for internal investigations to cease to be merely a corrective mechanism and become established as a strategic pillar, capable of promoting healthy, safe and reliable work environments.

Conclusion

Internal investigations are moving away from being a purely corrective resource to becoming an essential pillar of corporate governance.

In 2026, two regulatory and cultural forces will shape this scenario: the need to prevent and remedy psychosocial risks, driven by the requirements of NR-1 of the MTE, and the obligation to ensure compliance with the LGPD in view of the increasing use of technology in investigations.

These trends, although distinct, converge towards the same goal: protecting employees in the workplace and data, preserving organisational trust and the integrity of operations.

Companies that manage to integrate these fronts (mental health and privacy) will be better prepared to face emerging risks, meet social expectations, and strictly comply with legal rules.

The challenge is clear: how to conduct internal investigations that are agile, ethical, and secure, without compromising fundamental rights? The answer lies in robust policies, audited technology, trained teams, and a corporate culture based on transparency and respect.

In the coming years, the trend is for internal investigations to take on a strategic role, not only to investigate irregularities, but also to promote healthy, safe and reliable work environments. Investing in integrated governance, prevention and data protection is not just a legal obligation; it is a competitive advantage and a commitment to sustainable labour relations.

CGM Advogados

Av Brigadeiro Faria Lima 1663
5th/13th Floors
CEP 01452 001
São Paulo
Brazil

+55 11239 48900

patricia.barboza@cgmlaw.com.br www.cgmlaw.com.br

Law and Practice

Authors

Trends and Developments

Authors