HR Internal Investigations 2026

Last Updated February 04, 2026

Sweden

Law and Practice

Authors

Robert Stromberg
Malin Dunér

Advokatfirman Cederquist KB is a Swedish independent law firm that offers full service from its Stockholm office. It engages more than 120 lawyers and has developed non-exclusive relationships with firms globally to assist clients in cross-border matters. Concerning major international deals and transactions handled by the firm, it has acted as legal adviser in corporate acquisitions of Swedish companies on behalf of foreign corporations, investment banks and law firms, as well as in acquisitions of companies outside Sweden. Cederquist’s employment and investigations team, which consists of one partner, three senior associates and two associates, is responsible for a wide range of matters relating to labour law, such as employment protection, pensions, investigations and benefits. Cederquist is a member of L&E Global, an alliance of employers’ counsel worldwide providing cross-border labour and employment law services.

An HR internal investigation is typically preceded by complaints or other reports filed by employees, either orally or in writing. The forum for such complaints varies; it can be the employer’s whistle-blowing channel or other reporting channels, or a report can be made directly to HR, a manager or any other company representative. The nature of such complaints varies; typical matters are sexual harassment or harassment, bullying or victimisation, and other work environment-related issues such as stress or co-operation issues.

HR internal investigations can also be initiated in connection with an internal audit or equivalent, and/or due to suspicions of other crimes by employees (fraud, embezzlement, etc), other severe misconduct or violations of company policies (breach of authorisation procedures or the code of conduct, etc).

There are no laws stipulating that an employer must have legal bases in order to conduct an HR internal investigation. There are, however, some situations that trigger an obligation to initiate and conduct an investigation.

  • When receiving a whistle-blowing report, employers are required to handle and investigate it according to the obligations stipulated in the Swedish Whistleblowing Act (2021:890).
  • Under the Swedish Discrimination Act (2008:567), employers have a legal obligation to investigate sexual harassment or harassment related to a protected characteristic. Such an investigation is required when the employer becomes aware that an employee, intern or hired worker considers themselves to have been subject to harassment or sexual harassment, in connection with work, by someone who performs work or has an internship with the employer. Failure to conduct such an investigation implies an obligation to pay discrimination fees to the affected employees.
  • Employers are also responsible for the health, safety and well-being of their employees within the framework of the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority. Pursuant to this framework, employers are obliged to ensure that the employees are not affected by ill health or exposed to other safety risks. Therefore, they have an obligation to investigate cases of victimisation and bullying, for example. Such investigations shall include assessments of potential work environment risks and actions to prevent future similar incidents.
  • An internal investigation should also be conducted by employers if such an obligation is specified in internal policies or other procedures.

It is recommended that employers, at their own discretion, investigate all circumstances, irregularities or similar issues that may result in the employer having to impose labour law sanctions such as dismissal or termination. This enables them to take an informed decision on an appropriate labour law sanction (if any), and to defend and present evidence in any subsequent legal claims and/or disputes in court.

Under the Whistleblowing Act (2021:890), private as well as public employers with 50 or more employees are obligated to implement and maintain a whistle-blowing channel for oral and written reports about irregularities that have been observed in a work-related context, and which concern matters that are of public interest to disclose and/or concern violations of relevant Union acts. Specific procedures shall apply for such reporting, and for following up reports.

Any incoming whistle-blowing report shall be managed by an independent and impartial person or function. The identity of any reporting person is protected by statutory confidentiality provisions, but there is no statutory requirement that anonymous reports be permissible. In general, however, employers allow anonymous reporting. If the reporting person chooses to be anonymous, it may be difficult for the employer to follow-up on the report with the reporting person.

There are no legal rules stipulating who should be responsible for carrying out an HR internal investigation in Sweden. It should, however, be noted that whistle-blower reports made through the whistle-blowing channel should be handled by independent and impartial persons or functions that have been assigned to manage the channel in accordance with the Whistleblowing Act (2021:890).

As HR internal investigations should be conducted with discretion and objectivity, it is recommended that an unbiased company representative with adequate knowledge be appointed to conduct the investigation. This is typically an HR representative or equivalent, but could also be another appropriate representative depending on the circumstances at hand.

External counsels are generally recommended, especially in investigations that are complex, comprehensive or in any other way require an investigator with legal knowledge and experience. Other forms of external help could be required if the investigation necessitates expertise in accounting (ie, in case of suspicion of economic misconduct) or computer forensics (ie, if there is a need to investigate computers, emails, etc) to obtain evidence.

Furthermore, an external investigator should always be engaged if there is a risk that the objectivity of an internal investigator could be questioned. Employers are not prevented from engaging an employment lawyer that the company uses as an external investigator. The employment lawyer is also not prohibited from representing the employer in any disputes or other claims against the company that may occur after the investigation is conducted.

An investigation must always be carried out when the employer receives:

  • a whistle-blowing report within the scope of the Whistleblowing Act (2021:890);
  • information about an employee feeling harassed due to a protected characteristic, or being sexually harassed by a colleague or someone who performs work for the employer in accordance with the Discrimination Act (2008:567); or
  • information about potential victimisation or bullying leading to ill health at the workplace in accordance with the Work Environment Act (1977:1160) and the Planning and Organisation of the Work Environment Management (2023:2) provisions issued by the Swedish Work Environment Authority.

Generally, Swedish law does not prohibit HR internal investigations. However, if the investigation concerns suspected money laundering or financing of terrorist activities, the employer may be prohibited from alerting the suspect as to their suspicion, and thus from carrying out an internal investigation in accordance with the Money Laundering and Terrorist Financing Prevention Act (2017:630). In such cases, the employer must instead report their suspicions to the relevant authorities.

It is recommended that employers, at their own discretion, investigate all circumstances, irregularities or similar issues that may result in the employer having to impose labour law sanctions such as dismissal or termination. Such sanctions/measures require legal grounds to be permissible, and a well-conducted investigation should form the basis therefor. A well-conducted investigation may also constitute evidence in disputes or claims with the employees concerned.

A reporter that submits a reports through the employer’s whistle-blowing channel within the scope of the Whistleblowing Act (2021:890) is entitled to receive confirmation of receipt of the report within seven days, as well as information about any follow-up action within three months.

For reports made outside of the whistle-blowing channel, there is no explicit statutory right to be informed about an investigation. The reporter, should, however, be promptly informed as to whether the employer has initiated an investigation, as well as about the process going forward. The reporter should also be informed about the conclusion of the report as well as any measures taken, or that will be taken, as a result of the investigation. The person who is subject to the allegations – ie, the respondent – should be notified as soon as the allegations are substantiated.

Additionally, Regulation (EU) 2016/679 (the General Data Protection Regulation; GDPR) stipulates a general right to be informed of the collection and processing of personal data, including in connection with an investigation (Articles 12 and 13). However, such information will, in most cases, already have been provided to the employees through the employer’s privacy notice and, as such, no specific information needs to be provided to the reporter and/or the respondent in connection with an investigation.

There is rarely an obligation to report circumstances in connection with the opening of an internal HR investigation. However, there are certain situations where such an obligation may exist.

  • The Work Environment Act (1977:1160) requires the reporting of serious workplace accidents and/or incidents. Specific examples include an employee who has been physically injured in the workplace, or who has attempted to harm themselves as a result of victimisation or bullying in the workplace. Such reports must be made to the Swedish Work Environment Authority.
  • For employers within the financial sector, there may be an obligation to report any issues relating to, for example, money laundering, to the Swedish Finance Police, as stipulated in the Money Laundering and Terrorist Financing Prevention Act (2017:630). There may also be further reporting obligations for public employers – eg, grievances in relation to healthcare. For information about police reports, see 8.4 Criminal Cases.
  • If, in connection with an internal investigation, a personal data breach has occurred – ie, a security incident that leads to unauthorised disclosure of or unauthorised access to personal data – there is an obligation for the employer (if they are the data controller) to report this to the Swedish Authority for Privacy Protection in accordance with the GDPR (Article 33).

The parties involved in an investigation may be asked to sign confidentiality agreements and non-disclosure agreements (NDAs), but they are not obligated to sign them. Such requests are not common in Sweden, and there is no sanction against such parties if they refuse. It is recommended that the parties involved be asked to exercise the utmost discretion and keep all information confidential in relation to the investigation. Employees are bound by a duty of loyalty, which means that they may not disclose confidential information from the business, and they shall adhere to their employer’s instructions.

It should be noted that an employee reporting any misconduct or other circumstances that give rise to the opening of an internal investigation generally has the option of remaining anonymous. Such anonymity is possible in relation to any accused individual, but not in relation to the investigator. It may, however, be difficult to maintain anonymity in practice, as statements can be directly linked to a reporting individual or witness. If employees refuse to participate for other, non-legitimate reasons, they should be informed of their obligation to follow their employer’s instructions; otherwise, it may constitute refusal to work.

It is possible, and in fact recommended, to conduct an initial investigation, for example to explore the substance of the allegations made, determine the process and format of the investigation, and assess whether it is necessary to take any other adequate investigatory measures. A preliminary investigation can also be used to assess compliance with certain time requirements, such as the requirement for urgency under the Discrimination Act (2008:567) or the requirement for confirmation of receipt and follow-up within a certain timeframe under the Whistleblowing Act (2021:890). The Employment Protection Act (1982:80) imposes requirements that any termination or summary dismissal may not be based solely on circumstances that were known to the employer more than two months before notice of termination or summary dismissal was given. A preliminary investigation or equivalent measure is generally conducted.

The persons interviewed within an HR internal investigation are typically:

  • the person making the allegations or who has been subject to misconduct – ie, the reporter;
  • any witnesses; and
  • the accused – ie, the respondent.

It is recommended that these persons be interviewed in the order laid out in the foregoing list. This is to ensure that the allegations presented to the respondent during his or her interview are as complete as possible.

An HR internal investigation should involve the smallest group of people possible to assert the principles of discretion and confidentiality. If several witnesses are identified, all of them should be interviewed as a general rule. However, if a larger number of witnesses are available, the witnesses should be determined with consideration of the aforementioned principles of discretion and confidentiality, together with an assessment of whether each individual witness can contribute further to the investigation in terms of evidence. It is, for example, not necessary to interview a witness regarding a circumstance that is indisputable, or for which sufficient evidence has already been obtained.

Employees are in general obligated to participate in an HR internal investigation conducted by their employer. However, they may refuse due to discomfort, fear of retaliation, etc. The actions recommended against employees who refuse to participate depend on who is refusing and why. For employees with a particularly legitimate reason for refusal, typically the reporter or a witness, it is recommended that the employer emphasise the purpose of the investigation, that the investigation will be conducted discreetly, and that the complainant and witnesses have the option of remaining anonymous in relation to the accused, but not in relation to the investigator. Such anonymity may, however, be difficult to maintain in practice, as statements can be directly linked to a complainant or witness. If there is any legal protection against retaliation, the employee should be informed about it.

If employees refuse to participate for non-legitimate reasons, they should be informed of their obligation to follow their employer’s instructions; otherwise, this may constitute refusal to work.

Swedish law does not explicitly stipulate the format for HR internal investigations – eg, regarding interviews or the collection of other forms of evidence. Employers should conduct internal HR investigations in the manner that is most suitable in each individual case. Any interview conducted must, however, comply with:

  • the rules regarding confidentiality and protection of reporting persons, as stipulated in the Whistleblowing Act (2021:890);
  • the health and safety regulations in the Work Environment Act (1977:1160) and the provisions regarding Planning and Organisation of the Work Environment Management (2023:2) issued by the Swedish Work Environment Authority; and
  • the procedure for processing personal data under the GDPR.

Further, the principles of objectivity, discretion and confidentiality should always be considered.

Interviews can be carried out remotely via digital platforms such as Teams, although interviews in person are, as a general rule, preferred and recommended.

There are no explicit rules regarding the number of interviewers, but for practical reasons, there should generally be two people conducting the interviews. This facilitates the taking of notes, asking of appropriate and adequate questions and, where necessary, avoidance of ambiguous or unclear statements, misunderstandings, etc. The latter can be facilitated by recording the interview; please see 3.10 Recording. Having more than two interviewers is typically not recommended, as the interviewee may perceive the situation as unbalanced and more uncomfortable than necessary, which could negatively affect the interview.

The persons conducting the interviews are typically the same as the investigators, and they should, in addition to being objective, possess adequate seniority, experience and knowledge of interview situations and the matter subject to investigation. Typically, it is also more appropriate for the person conducting interviews in highly sensitive cases, such as sexual harassment, to be of the same gender as the person who is alleged to have been subjected to improper behaviour.

Swedish law does not stipulate any direct prohibition against a neutral person participating in interviews in an HR internal investigation. If a neutral person is to participate for any reason, it is important to maintain the principles of discretion and confidentiality.

In general, there are no obstacles to interviewees bringing a support person or lawyer with them to the interview if they so wish. In the case of an interview with the reporter or another person subject to any misconduct, the presence of an unbiased support person can also be valuable, as it can help the interviewee feel more comfortable.

Normally, a respondent would not bring a lawyer or other legal representative unless they request this specifically. If the investigation is conducted by an external lawyer, he or she will encourage the respondent to bring legal representation as this is stipulated in the Swedish Bar Association’s Code of Conduct. It is important to ensure that an interviewee’s request to bring a support person or lawyer is not used to delay the investigation or otherwise negatively affect its efficiency.

It is recommended that the interviewers begin by introducing themselves and explaining their role, the purpose of the investigation, any investigative obligations on the part of the employer and the role of the interviewee in the investigation. If whistle-blowing rules apply, the employer’s obligations under the Whistleblowing Act (2021:890) regarding confidentiality, protection, reporting requirements, etc, may be mentioned.

Furthermore, the interviewee should be informed about the process going forward and how any potential follow-up will be disclosed to the individuals concerned. If an external lawyer is conducting the investigation or interviewing, the interviewee should be informed that the lawyer in question does not represent them, as this is stipulated in the Swedish Bar Association’s Code of Conduct. It may also be useful to provide information about practical details such as possible recording, signing of statements, etc. The interviewee should also be asked, or reminded, to exercise the utmost discretion regarding information they are already cognisant of or learn of via the investigation.

The GDPR stipulates a general right to be informed about the collection and processing of personal data, including in connection with the interview (Articles 12 and 13). However, such information is in most cases provided in advance through the employer’s privacy notice if the interviewee is an employee. If so, no specific information needs to be provided to the interviewee.

Employees are in general obligated to participate in interviews within the scope of internal investigations conducted by their employer. This falls within the employer’s right to lead and manage the work. It is normally not a problem to give an interviewee a short break during the interview and resume the interview thereafter. The employer’s responsibility for the work environment includes ensuring the well-being of their employees following the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority.

If an interviewee, without legitimate reasons, refuses to resume the interview despite the employer’s instructions, the employer may draw reasonable conclusions from such refusal. If necessary, the employer may also take appropriate disciplinary measures against the employee.

Minutes or similar may be taken during interviews in an HR internal investigation. However, there are no formal requirements under Swedish law for such minutes to be taken, nor any stipulation that they should be taken by a specific person or signed by the participants. The need for formal minutes depends on the individual situation, but the interviewers’ own notes are normally sufficient as a basis for the investigation. If there are any unclear circumstances, an interviewee has made an unclear or ambiguous statement, or a confession has been made during the interview, it is recommended that the interviewee be asked to approve such statements afterwards. In general, it is advisable to take minutes during any interviews in an HR internal investigation.

Note that specific requirements regarding minutes and the signing thereof apply with regard to reports made orally within the framework of the Whistleblowing Act (2021:890).

Interviews may be recorded; indeed, this is a standard and practical procedure. The recording is normally used solely for the investigator’s own purposes and is not shared with anyone else. If the interview is to be recorded, the interviewee should be informed and asked to consent to this beforehand. If the interviewee does not consent to the recording, no recording should be made. Any recording and subsequent handling thereof must comply with the rules and principles of personal data processing under the GDPR; please see 7.1 Collecting Personal Data.

There may be other evidence that is deemed appropriate to gather within the scope of the investigation, depending on its nature. This may include written evidence such as email correspondence, text messages or internal chats. Such evidence can often be provided by the reporter or a witness. In other cases, it may be necessary to review the respondent’s email and retrieve evidence therein. Other possible fact-finding actions include reviewing the relevant internal regulations, code of conduct and other relevant policies or documents.

If the investigation concerns disloyal behaviour, such as competition with the employer’s business, misappropriation of trade secrets or other irregularities, it may be necessary to seek external expertise in computer forensics and/or engage an auditor to review the company’s accounts.

Any collection and processing of personal data, and the subsequent handling thereof, shall comply with the rules and principles of personal data processing under the GDPR; please see 7.1 Collecting Personal Data.

For reports that fall under the Whistleblowing Act (2021:890), the reporter is protected through confidentiality requirements, pursuant to which individuals involved in the follow-up of the report may not disclose the identity of the reporter unless such disclosure is necessary and proportional for the purposes of the follow-up. Additionally, employees who participate in such investigations are entitled to not be subjected to any retaliation related to the fact they have raised an alert or participated in an investigation. Examples of retaliatory actions include harassment, bullying, sidelining and related actions that may impact on career progression. A reporter that intentionally reports false information does not obtain protection as a whistle-blower.

Reporters that report violations of the Discrimination Act (2008:567), have been subject to harassment or sexual harassment and/or have participated in investigations are protected from retaliation by the employer. Employers who expose employees to, or fail to protect employees from, retaliation under the Whistleblowing Act or the Discrimination Act may be obligated to pay damages and/or discrimination compensation to the affected person.

Following the work environment responsibility stipulated in the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority, employers are responsible for the well-being of their employees, and are obliged to ensure that they are not affected by ill health or exposed to other safety risks. Thus, if the reporter’s health and safety is at risk, adequate and reasonable measures must be taken to protect them.

An internal HR investigation should be conducted with consideration of the principles of discretion and confidentiality in relation to the respondent, as well as any other individual involved. To ensure this, employers should:

  • limit the number of persons involved in the investigation;
  • continuously remind participants about the need for confidentiality and discretion – ie, to not discuss the investigation with anyone outside the group;
  • take precautions such as using code words, password-protected documents, careful email handling and discretion during physical meetings; and
  • comply with the rules and principles stipulated in the GDPR when processing personal data.

It is generally possible for the employer to ask the respondent to temporarily work remotely, or release them from work (with pay). Any such measures taken against the respondent during the investigation must be proportionate, considering the respondent’s potential to return to work without negative effects if they are found not guilty and/or if no other measures or sanctions are required. Any communication regarding why the respondent is not at work, etc, should be carefully considered in order to manage any risk of defamation, etc.

Employers are generally responsible for the health, safety and well-being of their employees within the framework of the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority.

Thus, employers are obliged to ensure that employees are not affected by ill health or exposed to other safety risks. If the respondent may pose a safety risk or otherwise expose other employees to a risk of ill health, or if there is a risk of evidence being destroyed or tampered with, or of witnesses being unduly influenced, employers are able to take temporary measures such as:

  • releasing the respondent from work (with pay);
  • issuing orders to work remotely;
  • not allowing participation in a meeting or work trip; and
  • not allowing contact with a certain colleague (or any colleague) while an investigation is ongoing, etc.

It is important that such measures are necessary and proportionate, and they should be in place for as short a period as possible.

Other permanent or more severe sanctions, such as warnings, redeployment or dismissal, shall be taken after the investigation has concluded and must comply with the Swedish Employment Protection Act (1982:80), as well as any applicable collective bargaining agreement.

An employer is obligated to take measures to prevent sexual harassment, harassment due to a protected characteristic, bullying and/or victimisation in the workplace. Additionally, according to the general responsibility to protect employees from ill health and other safety risks pursuant to the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority, there might be a need for measures to protect employees other than the reporter and the respondent. Employers are also obligated to protect employees who participate in reporting under the Whistleblowing Act (2021:890), or who have participated in investigations relating to harassment or sexual harassment under the Discrimination Act (2008:567). Failure to protect employees from ill health, safety risks or retaliation may lead to fines, or an obligation to pay damages and/or discrimination compensation.

With the exception of the formal rules governing whistle-blower reports – ie, protection of identity, reporting, confirmation of receipt, feedback etc, under the Whistleblowing Act (2021:890) – Swedish law does not impose any requirements for specific procedural guarantees in connection with employers conducting HR internal investigations. However, certain time limits must be adhered to, including in investigations of sexual harassment and harassment; under the Discrimination Act (2008:567), these must be initiated in a prompt manner, and failure to do so may imply an obligation to pay discrimination compensation.

If termination or summary dismissal is considered necessary following an investigation, such measures may not be based solely on circumstances that were known to the employer more than two months before notice of the dismissal or termination is given. When employers impose labour law sanctions, such as redeployment, termination or dismissal, the rules and processes stipulated in the Swedish Employment Protection Act (1982:80), the Co-Determination at the Work Place Act (1976:580) and the applicable collective bargaining agreement must be adhered to. If an employer fails to comply with these regulations, the termination or summary dismissal may be declared invalid, and the employer may have to pay economic as well as general damages for invalid termination or other violations of said regulations. Additionally, circumstances that would have provided legal grounds for termination may become unavailable due to preclusion or the statute of limitations.

For whistle-blowing reports, the Whistleblowing Act (2021:890) stipulates that it is mandatory for employers with 50 or more employees to document the whistle-blowing channels and related procedures in writing – ie, in a whistle-blowing policy.

Employers are further required to have guidelines and procedures for handling sexual harassment/harassment in a discrimination policy following the Discrimination Act (2008:567), as well as for handling victimisation and bullying (usually included in the mandatory work environment policy, as stipulated in the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority). These documents should contain procedures for employers investigating potential sexual harassment, victimisation and bullying (as well as ill health or accidents). A written discrimination policy is required for employers with 25 or more employees, and written documentation regarding the handling of victimisation and bullying is required for employers with ten or more employees.

Employers may set their own internal requirements for investigations, as long as these requirements meet the minimum level set by legislation and comply with the general principles of objectivity, discretion and confidentiality, as well as with the rules on data processing stipulated in the GDPR. It is, however, recommended that these internal rules be reviewed to avoid them being inadequate or otherwise unfit or unnecessarily burdensome when conducting internal HR investigations.

Non-compliance with internal rules or regulations implemented on a voluntary basis can cause the employer to become liable for non-compliance with statutory rules and regulations. Consequently, it is important to ensure that internal rules and/or regulations are aligned with statutory requirements.

The burden of proof depends on the circumstances that are to be proven. The burden of proof generally lies with the person making any allegations or claims. Thus, employers are, for example, responsible for proving that an employee has committed sexual harassment if it is to be used as a reason for termination – ie, to prove that there are objective reasons to terminate the employment. The employer must be able to prove that a circumstance has happened through the evidence that emerged during the investigation.

There are no explicit rules regarding when an investigation should be concluded. However, the Whistleblowing Act (2021:890), for example, requires that the reporting person be informed of the follow-up of a report within three months thereof. Furthermore, the Discrimination Act (2008:567) requires that an investigation be conducted in an urgent manner.

In general, an investigation should be concluded when sufficient and adequate evidence has been obtained to allow conclusions to be made. The general requirement of urgency should always be taken into account with regard to those involved.

Apart from the rules on reporting back to the reporter within three months, as set out in the Whistleblowing Act (2021:890), there are no procedural rules on concluding an HR investigation. However, it is common practice, and recommended, to report back to the reporter and the respondent with a summary of the investigation’s findings and any measures that will be taken as a result. It may also be advisable to report back to any witnesses that the investigation has been concluded and thank them for their participation, but no further details should be given to them in view of the requirements of discretion and confidentiality.

There are generally no explicit rules governing the form of any conclusions drawn from the internal HR investigation. For investigations of sexual harassment or harassment following the Discrimination Act (2008:567), it is recommended that the investigation be documented in writing, and the investigator is obligated to conclude whether sexual harassment or harassment has occurred or not.

For other HR internal investigations, it is generally preferred, and recommended, to draft written reports as these have practical benefits, such as in reporting back to company stakeholders or serving as evidence in case of legal claims.

There are no rules governing the content of reports in Sweden. The structure of a report depends on the circumstances of the individual case, but in general its format should be based on the purpose/subject of the investigation and its scope, whether highly sensitive information is being handled and who the recipient of the report is. If, for example, the report concerns a crime or other complex subject, or involves extensive evidence, it will usually be more comprehensive than a report that concerns sexual harassment or victimisation.

If a written report is to be used, it is generally recommended that it contains the following:

  • a description of the scope of the investigation and its background;
  • a description of how the investigation was conducted – ie, the methodology followed;
  • a summary of the interviews and other factual findings, such as written evidence and the documents reviewed;
  • conclusions; and
  • the recommended measures going forward (if any).

Referring to 6.2 Procedure for Ending an HR Internal Investigation, the reporter and respondent should be provided with the result of the investigation. Due to the principles of discretion and confidentiality, it is generally not advisable to provide the reporter and/or the respondent with an entire written report. Instead, they should be provided with an oral or written summary of the findings, the conclusions and the measures recommended going forward (if any).

Typically, private employers are not obliged to report the results of an internal HR investigation to the Swedish authorities. However, if the results of the investigation reveal, for example, crimes relating to money laundering, these must be reported to the Finance Police and Swedish Financial Supervisory Authority, as stipulated in the Money Laundering and Terrorist Financing Prevention Act (2017:630), and any severe cases of ill health or workplace accidents must be reported to the Swedish Work Environment Authority in accordance with the Swedish Work Environment Act (1977:1160). Public employers may be subject to reporting obligations, for example with respect to grievances related to healthcare. For information about police reports, see 8.4 Criminal Cases.

Given the principles of discretion and confidentiality in relation to the parties involved in the investigation, the conclusion and result of an HR internal investigation should not be shared with a wider group of individuals than necessary. There may, however, be reason to report the outcome, or the existence, of an investigation to parties other than the reporter and the respondent. Such persons may be witnesses; it may be necessary to provide more detailed information, particularly in cases where these individuals have been seriously impacted by the circumstances and need further support from, for example, occupational health services.

Depending on the internal guidelines, responsibility and reporting channels, it may be appropriate to report to other responsible parties within the company, such as the board of directors or other stakeholders.

When communicating any conclusions regarding the investigation, it is of the utmost importance to assess any such communication beforehand, with consideration of the risk of criminal charges for defamation.

If an internal investigation concludes that an employee has behaved inappropriately or otherwise violated his or her obligations towards the employer, the following measures may typically be taken:

  • issuance of a written warning;
  • redeployment;
  • termination (with notice) due to personal reasons; or
  • summary dismissal.

If dismissal or termination of employment is to be effected, such measure cannot be based solely on circumstances known to the employer more than two months before the dismissal, as stipulated in the Swedish Employment Protection Act (1982:80). However, one aggravating circumstance falling within the stipulated two-month period is sufficient for other, older, circumstances to be permissible as grounds for termination or summary dismissal. Taking any of the measures listed in the foregoing, with the exception of written warnings, requires compliance with the applicable rules in the Employment Protection Act or the applicable collective bargaining agreements.

While not a disciplinary measure, note that an employer may initiate legal proceedings to claim damages if the internal investigation concluded that the respondent was guilty of disloyal behaviour (eg, engaging in competition with the employer’s business, misappropriating trade secrets or perpetuating theft, fraud or similar actions).

In addition to potential measures directed at a respondent, there may be reason to take a variety of other measures depending on the circumstances of the individual case.

  • If there are difficulties with co-operation, mediation should be undertaken to resolve the problems. Even reorganisation measures can be considered if deemed necessary to mitigate any issues.
  • If the investigation has identified a lack of knowledge in areas where the employer is obliged to ensure a certain level of competence, such as with respect to anti-discrimination and the work environment, measures to improve knowledge may be taken, as well as team-building initiatives.
  • If the employer has found, during the course of the investigation, that the applicable policies, etc, may be insufficient or otherwise inadequate, it is recommended that these be reviewed and, where appropriate, updated.

Swedish employers may generally collect personal data within the framework of an internal HR investigation, provided that this is done in accordance with the rules and principles applicable under the GDPR and the Swedish Act regarding Supplementary Provisions to the GDPR (2018:218).

Rules and basic principles to particularly consider include, inter alia, the following.

  • Having a legal ground for data processing. For HR internal investigations, this could be a legal obligation – eg, an obligation to investigate under the Whistleblowing Act (2021:890) or the Discrimination Act (2008:567). Otherwise, a legal ground may be found through a legitimate interest assessment – ie, balancing the interest of the employer to process an employee’s data to investigate something with the employee’s interests and rights.
  • Observing the principle of data minimisation – ie, not collecting and processing more personal data than is necessary for the given purpose.
  • Ensuring that the collected and processed personal data is accurate.
  • Erasing or anonymising personal data as soon as it is no longer needed. Routines and procedures for such erasure should be established.
  • Ensuring that the data is well protected by taking appropriate security measures.
  • Assessing whether it is permissible for the personal data to be transferred to a third country.

The GDPR generally prohibits the processing of personal data that is deemed sensitive (special categories of personal data). This includes information about trade union membership, health, sexual orientation etc, and personal data relating to criminal convictions and offences. Such data may, as an exception, be processed by an employer when necessary to establish, assert or defend legal claims – ie, in the context of a dispute/litigation. Other rules and principles in the GDPR must, however, be complied with.

For the processing of personal data related to the follow-up of a report, additional rules under the Swedish Whistleblowing Act (2021:890) must be considered:

  • personal data may only be processed if necessary for follow-up, to enable the implementation of measures required in accordance with the information provided in the case and to enable reports to be used as evidence in legal proceedings or any other lawfully permissible manner; and
  • personal data in a whistle-blowing channel may only be accessed, on a need-to-know basis, by independent and impartial persons or functions assigned to manage the whistle-blowing channel.

There are a number of obligations to consider when collecting and/or processing personal data for an HR internal investigation.

  • The individuals involved, for whom personal data processing is needed, have the right to be informed that their data is being collected, and of the purpose thereof and how the data will be used. This information must be provided at the time of data collection at the latest. Such information is normally already provided through the employer’s privacy notice. It is therefore generally recommended that such privacy notice encompass the collection of personal data in connection with internal investigations.
  • The individual must also be informed about their rights to access personal data, have personal data rectified or erased, limit the processing of personal data, port personal data, object to the processing of personal data and not be subject to automatic decision-making.
  • Following the principle of storage limitation, personal data relating to an investigation should generally be retained for the duration of any applicable statute of limitation connected to claims by individuals. Under the Whistleblowing Act (2021:890), personal data stored following an investigation should be erased two years after closure of the case.

Individuals whose personal data is collected as part of the investigation have the right to access this data, and other information, by submitting a request. Such information may include:

  • a copy of the processed personal data;
  • information about the purpose and categories of processed personal data;
  • the receivers of the data in; and
  • the period over which it is anticipated that the personal data will be stored, etc.

There is also a right to information concerning whether the personal data has been subject to any automatic decision-making (see 7.4 AI).

It is often sufficient to provide the individual with a summary of all the processed personal data. There may be circumstances in which information should not be disclosed, for example due to provisions in other legislation or because disclosure of the information would be detrimental to others (including the employer due to an ongoing dispute). In certain cases, the employer may also refuse to provide a copy of the data, for example if the data subject makes unfounded or unreasonable requests (such as several access requests in a short period of time).

It is not common for AI to be used in connection with internal investigations. However, it may potentially be used in the review of written evidence or in forensic investigations. Given the rapid development of AI, there is reason to believe that its use in internal investigations will increase. Any such usage will, however, be dependent on the limitations set out in the new AI Directive (2024/1689), as well as in the GDPR.

The AI Directive regulates the development and use of AI in the EU based on the level of risk the systems impose. It prohibits certain particularly harmful applications and imposes strict limits on high-risk AI – eg, for recruitment or monitoring of performance. The AI Directive thus imposes restrictions on the use of AI in HR internal investigations, which would in general be deemed high-risk AI.

When processing personal data using AI, the rules and principles of the GDPR must be complied with. AI can be used for various forms of automatic decision-making, but the GDPR generally prohibits such decision-making. There are exceptions, however – eg, in the case of explicit consent from the individual – but it is generally not recommended to base personal data processing on consent, as it may be withdrawn by the individual. In the case of data processing in connection with automated decision-making, the individual has the right to be informed that such decision-making is taking place, and to receive an explanation of the decision taken.

Sweden has implemented the EU Whistleblower Directive (2019/1937) through the Whistleblowing Act (2021:890). It protects whistle-blowers – ie, reporting persons who, in a work-related context, have obtained or acquired information about irregularities and report it. For classification as a whistle-blower, one must be an employee, job seeker, intern, self-employed person performing work, working shareholder or similar, or a person who has previously been active in the business. The reporting shall be made in a work-related context and shall concern information about irregularities that are in the public interest to disclose, or irregularities that violate certain Union acts. Irregularities that may be in the public interest to disclose need to be assessed on a case-by-case basis but may, for example, include human rights violations, corruption, misuse of public funds, violations of official regulations or violations of competition law.

The Act provides protection against obstructive measures and retaliation, as well as immunity from liability for breach of confidentiality. An employer may not obstruct or attempt to obstruct reporting, nor take retaliatory measures against a reporting person. In addition, an employer cannot take retaliatory measures against someone who has turned to their employee organisation for consultation regarding reporting, or obstruct or attempt to obstruct consultation with said organisation. An employer who violates these prohibitions is liable to pay damages.

Sexual harassment is a form of discrimination defined by the Discrimination Act (2008:567) as behaviour of a sexual nature that violates someone’s dignity. Employees, job applicants and interns or hired workers who report violations of the Act, have been subject to harassment based on a protected characteristic or sexual harassment and/or have participated in such investigations are protected from reprisals by the employer.

The Discrimination Act (2008:567) stipulates that the following are protected characteristics: gender, gender identity or expression, ethnicity, religion or other belief, disability, sexual orientation and age. Discrimination can take the form of:

  • direct discrimination;
  • indirect discrimination;
  • sexual harassment;
  • harassment, which is defined as behaviour that violates someone’s dignity and is related to any of the protected characteristics;
  • inadequate accessibility; and
  • instructions to discriminate.

Regarding the protection of a person making allegations of harassment or other forms of discrimination, see 8.2 Sexual Harassment and/or Violence.

The Work Environment Authority’s provision regarding Planning and Organisation of the Work Environment Management (2023:2) defines victimisation and bullying as actions directed at one or more employees in an offensive manner that may lead to ill health or exclusion from the work community. Swedish legislation does not provide protection for employees bringing forward allegations concerning victimisation and bullying.

There are no procedures that an employer must follow if an allegation subject to an investigation may be criminal. There are, however, several aspects that should be taken into account when conducting an investigation where there is suspicion that some form of crime has been committed.

There may be a risk that evidence might be destroyed if the employer’s investigation and suspicions are disclosed to the respondent. In such cases, it is advisable to await any measure that could enable disclosure until the police have secured evidence, especially as the police have better resources at their disposal to do so. It is, however, important that the pace of the employer’s own investigation be maintained until it is completed. The investigation may also be of use to the police, or be used in connection with insurance claims or other liability issues, such as auditor liability. Please note that if the crimes concern money laundering, for example, disclosure to any suspect is prohibited, as stipulated in the Money Laundering and Terrorist Financing Prevention Act (2017:630).

There is no general duty for employers to file a police report, unless there is a legal obligation to do so – eg, if the matter arises within the financial or healthcare sector. It is, however, generally recommended that a police report be filed, as is encouraging and assisting employees in filing a police report if they have been the victim of a crime.

It should further be noted that the GDPR stipulates that personal data relating to criminal offences, as well as suspicions thereof, may as a general rule not be processed unless such processing is required under applicable statutory provisions, or is necessary to establish or defend a legal claim or fulfil a legal obligation.

When handling investigations that may involve crimes or suspicions thereof, it is important to review and evaluate, or prevent the disclosure of, any communication that may constitute defamation. It should further be noted that employers are responsible for the well-being of their employees within the framework of their occupational health and safety responsibilities under the Swedish Work Environment Act (1977:1160) and the provisions issued by the Swedish Work Environment Authority. Therefore, employers are obliged to ensure that the employees are not exposed to danger in connection with the investigation of crimes.

There are no specific requirements under Swedish law in the event of an investigation involving several jurisdictions, nor are there any restrictions on foreign employers conducting investigations in Sweden or on Swedish employers conducting investigations abroad.

However, there may be less direct requirements or circumstances to consider, such as:

  • assessment of which jurisdiction’s law applies;
  • compliance with the local employment laws and statutes of limitation;
  • obligations to involve trade unions or work councils;
  • consideration of local rules in relation to obtaining evidence;
  • the local approach to legal professional privilege;
  • compliance with rules in regard to the processing of personal data, and more specifically whether it is permissible to transfer personal data to a third country; and
  • any mandatory requirements in relation to filing reports or notifications to any local authority.
Advokatfirman Cederquist KB

Hovslagargatan 3
111 49 Stockholm
Sweden

+46 8 522 065 00

+46 8 522 067 00

advokat@cederquist.se www.cederquist.se/sv/eng/
Author Business Card

Trends and Developments


Authors

Jenny Welander Wadström
Björn Johansson Heigis
Andreas Hallbeck
Säde Märgel

Roschier is a leading law firm in the Nordic region with offices in Finland and Sweden. A dedicated team of nine lawyers in Helsinki and ten lawyers in Stockholm specialises in employment matters, including HR internal investigations and associated crisis management and dispute resolution. They work seamlessly with corporate investigation and compliance lawyers across the firm’s practices, assisting employers with complex investigations into suspected harassment, inappropriate behaviour and workplace non-compliance, as well as suspected white-collar crime and corporate misconduct, ensuring compliance with legal and other requirements. Roschier’s approach combines legal expertise with practical experience to resolve sensitive workplace issues and compliance matters. The teams collaborate closely with management, legal teams and HR professionals across various industries to deliver business-minded solutions and mitigate workplace risks and corporate liability. Recent work highlights include assisting companies with sensitive internal investigations into harassment, misconduct and compliance breaches, often involving complex cross-border issues and implementation of remedial measures to reduce organisational risk and liability.

Introduction

HR investigations, often referred to as internal investigations in Sweden, have gained heightened importance in the country as corporations grapple with expanding regulatory frameworks and rising expectations around compliance, governance and workplace culture. Internal investigations in Sweden are not governed by any single comprehensive statute but instead sit at the intersection of different regulations, legal principles, procedural law concepts and best practices. This multi-layered context creates both opportunities and constraints for companies when structuring and conducting investigations.

Two themes that are currently in the spotlight are the practical implications of the Swedish Whistleblower Act and the role of data protection legislation in shaping and constraining investigative practices. There has been a marked increase in the use of external investigators, especially in investigations concerning sensitive misconduct allegations or corporate misconduct in areas that can entail significant corporate liability. External counsel and other consultants are now frequently engaged to ensure impartiality, manage regulatory risk and assist in reconciling demands arising from applicable whistle-blowing legislation, data protection legislation and other relevant legislation such as labour law.

Finally, the role of attorney-client privilege is receiving greater attention. For both domestic and multinational corporations with a presence in Sweden, understanding when investigative materials may be protected – and when they may be subject to mandatory disclosure in regulatory or legal proceedings – has become a central consideration in structuring investigations. These topics are addressed below.

The Whistleblower Act and Its Practical Implications, Including Interactions With Labour Law

Legislative framework and scope

The Swedish Whistleblower Act (Sw. Lag (2021:890) om skydd för personer som rapporterar om missförhållanden) implements the EU Whistleblower Directive and is the central Swedish statute governing protection for individuals who report irregularities in a work related context. The Whistleblower Act applies to reports of irregularities that constitute breaches of certain areas of EU law, and other irregularities that are of public interest. The protection against obstruction of reporting, and against retaliatory measures, afforded under the legislation extends to a wide group of reporting persons, including employees, directors, job applicants, volunteers, trainees, contractors and operationally active shareholders. The protection also extends to any person who previously belonged to any of these categories and gained knowledge about irregularities while holding such position.

The Whistleblower Act is structured into chapters addressing, among other things, conditions for protection, the processing of personal data, documentation and confidentiality. It includes detailed rules for mandatory internal reporting channels and follow up procedures for in-scope companies. Supervision is assigned to the Swedish Work Environment Authority (Sw. Arbetsmiljöverket), which oversees compliance with the requirements on internal reporting channels and procedures.

The Whistleblower Act entered into force on 17 December 2021, with a phased implementation of the obligations to establish internal whistle-blowing functions depending on the size of organisations. All private and public entities with 50 or more employees are now required to have internal reporting channels and procedures in place that comply with the Whistleblower Act.

Internal reporting channels and procedural requirements

For companies that are in scope, the most visible practical impact of the Whistleblower Act has been the requirement to establish internal reporting channels that satisfy specific criteria. These channels must allow written and verbal (including physical) reporting, ensure confidentiality and be designed so that only authorised persons or units have access to the reports and take certain follow-up measures. Employers must acknowledge receipt of a report within seven days (subject to limited exceptions) and provide feedback on follow up measures within three months.

The Whistleblower Act further contains specific rules on documentation, preservation and deletion of reports, which interact with General Data Protection Regulation (GDPR) requirements in relation to storage limitations and data processing minimisation.

In practice, these obligations have prompted many companies to:

  • adopt formal whistle-blowing policies and procedures;
  • designate specific individuals or units responsible for receiving and following up on reports;
  • implement case management systems or external whistle-blowing platforms; and
  • integrate whistle-blowing processes with existing compliance and policy frameworks.

Impartiality, independence and governance

The Whistleblower Act requires that individuals or units responsible for handling whistle-blower reports be independent and impartial. In practice, these independency and impartiality requirements affect who may conduct interviews, review documents and ultimately assess the factual and legal conclusions. While the Whistleblower Act does not prescribe a specific investigative method, the combination of impartiality expectations, potential retaliation claims and reputational concerns has contributed to an increasingly formalised investigation culture. Companies are now more likely to document scoping decisions, maintain detailed interview notes and separate fact finding from decision-making within the organisation.

Interaction with labour law

HR matters that are reported in an organisation typically do not fall within the framework of the Whistleblower Act, as they are typically not considered to be of a public interest. However, internal investigations triggered by whistle-blower reports still intersect with labour law rules, regarding for example employers’ responsibility to ensure a good work environment and the right of employers to dismiss employees under certain circumstances.

An employer must consider how an internal investigation affects the work environment and the well-being of its employees, and take measures to account for how the associated processes can place significant pressure on an accused person, as well as on witnesses and whistle-blowers.

Furthermore, employment legislation limits the actions an employer can take against an employee whose conduct is being investigated. In general, an employer cannot transfer an employee to another department or place them on garden leave based merely on unverified allegations of misconduct made in a whistle-blowing report.

The Swedish Employment Protection Act (Sw. Lag (1982:80) om anställningsskydd) prohibits employers from dismissing an employee without objective reasons for doing so, except for those in top managerial positions. This protects employees from being dismissed based on mere allegations in a whistle-blower report of misconduct. However, where it is established that an employee has engaged in misconduct that is sufficiently serious to reach the threshold for objective reasons for dismissal – for which the employer has the burden of proof – the employer may dismiss the employee. By contrast, managing directors and other employees in managerial positions can generally be dismissed by employers, provided that the terms of the employment agreement are met.

Suspensions, reductions in compensation or other forms of disciplinary action are, in general, unlawful under Swedish employment law. Hence, the main actions an employer can take in response to the reporting of an employee’s unacceptable behaviour are to issue a warning that the behaviour may constitute grounds for dismissal or dismiss the employee (with or without notice, depending on the severity of the misconduct). Redeployment is, however, a suitable alternative to dismissal in some situations. In addition, offering garden leave with full benefits on a voluntary basis is permitted. However, if imposed without the employee’s consent or without strong justification, it could – in the worst-case scenario – be considered an unlawful termination of employment.

Supervision and recent case law

Supervision of the obligations under the Whistleblower Act rests with the Swedish Work Environment Authority. The supervision can encompass whether a company has established compliant internal channels and adopted appropriate policies. It can also relate to the adequacy of follow-up measures, including questions of timeliness, impartiality, sharing of information and documentation.

In June of 2025, a first ruling was issued by the Labor Court concerning the Whistleblower Act (which in 2021 replaced a previous statute regarding whistle-blowing). An employee claimed to have been subjected to retaliatory measures upon reporting irregularities within the employer’s business. While the reporting was made before the Whistleblower Act came into effect, the Labor Court referred to preparatory works of the Whistleblower Act and concluded that it applied as the alleged retaliation took place after it came into force and replaced the previous statute. The Labor Court assessed whether the reported irregularities were of public interest and thus were covered by the Whistleblower Act. It found that irregularities are not of public interest if they are not serious enough, and that the Whistleblower Act does generally not cover personal conflicts such as that reported. The reporting person was not considered to have proven that the irregularities were of public interest and, consequently, the alleged retaliatory acts were not covered by the Whistleblower Act.

As case law and supervisory practice develop, what constitutes a public interest is expected to become clearer. Further, other expectations under the Whistleblower Act are likely to become more granular, including in relation to how investigations are to be structured, and how applied procedures comply with the Whistleblowing Act’s demands and data protection requirements.

Data Protection Considerations

The Swedish Authority for Privacy Protection and the significance of data protection regulations

Data protection is a defining feature of Swedish internal investigations. The GDPR applies to investigative activity that involves the processing of personal data. The Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) acts as Sweden’s supervisory authority for data protection matters and is tasked with monitoring compliance, conducting inspections, issuing enforcement decisions and providing guidance.

The authority’s focus areas for inspections and guidance in 2025 were, among others, the processing of employees’ personal data, including monitoring of employees/use of new technology for such monitoring and providing guidance relating to employers’ options for carrying out background checks. The use of AI was also mentioned as a focus area. These focus areas may indicate increased enforcement risk in relation to not only how employers process employees’ personal data in connection with internal investigations, but also how AI is used.

Background checks

Conducting background checks has for a long time been a common feature in employers’ internal investigations. However, conducting background checks in the absence of a legal obligation to do so is a legally complex issue in Sweden.

Background checks are often carried out using specialised databases offered by private companies that make extensive information about individuals, including criminal convictions, addresses and income, easily searchable. Companies maintain and publish such databases by relying on the extensive right to access public documents and making the retrieval and categorisation of such information in a searchable database possible. Historically, these databases have also – under certain circumstances – been exempt from the GDPR due to special constitutional protection, which has made the publication of personal data possible without the restrictions stipulated in the GDPR.

Organisations have widely relied on these databases to conduct cost-efficient and informal – or more extensive and formal – background checks. However, a recent judgment from the Swedish Supreme Court restricts the possibility of constitutionally protected databases making personal data available to their customers or the general public, due to potential infringements of the GDPR when the retrieved personal data is processed further by users of the databases.

While the issue of the availability of personal data needed to conduct background checks is evolving due to recent case law, the general principles regarding employees’ processing of personal data in the context of background checks under the GDPR remain intact.

Due to the legal complexity of background checks, and the recognised need to carry out such checks on the labour market, the Swedish government recently initiated a government enquiry to examine the need to regulate the practice of conducting background checks, and to present legislative proposals.

Legal basis, transparency and purpose limitation

A recurring issue in internal investigations is the identification of a legal basis for processing personal data – eg, reviewing employees’ emails in the context of an internal investigation. Consent is generally not considered an appropriate legal basis for an employer’s processing of employees’ personal data due to the imbalance in power between the employer and the employee. Instead, the legality of such processing often needs to be subject to a legitimate interest assessment in accordance with the GDPR.

Additionally, the employer must comply with its transparency requirements under the GDPR, including informing about the processing of personal data in the context of any internal investigations. For example, where employers intend to access employees’ email accounts or logs, the employers must have communicated that such actions may take place – eg, through internal policies, IT guidelines or privacy notices.

Other general data protection requirements, such as data minimisation, must also be considered when conducting the actual review to avoid unnecessary processing of personal data. The review should be limited to what is necessary, for example by defining relevant keywords, time periods and parties involved in the communication. Furthermore, detailed documentation of the steps taken to ensure privacy to the extent possible should be maintained in order to demonstrate compliance with data protection legislation.

In addition, processing of personal data must be tied to specific, explicit purposes. If data were originally collected for one purpose (for example, routine HR administration), the employer must assess whether subsequent use of such data for investigative purposes is compatible with that original purpose, or whether a new legal basis is required. This purpose limitation requirement can complicate efforts to reuse existing datasets in investigative contexts.

Documentation, retention and access control

Internal investigations generate a wide range of documentation, including initial reports, scoping decisions, interview notes, correspondence, and draft and final reports. The GDPR requires that personal data contained in these materials be retained only for as long as necessary for the purposes for which they were collected. In practice, employers often align retention periods for investigative files with limitation periods for potential employment disputes, subject to case-by-case assessments.

The security of personal data processing is another key element. Access controls and other technical and organisational security measures are necessary to avoid integrity risks and ensure compliance. The sensitive nature of the personal data that is often processed in connection with an investigation requires particular attention in this respect. For example, controls that limit access to personal data to those people who have a legitimate need for such data (such as investigators and relevant HR or legal personnel) should be implemented. The Whistleblower Act adds an additional layer of requirements by imposing statutory confidentiality obligations regarding the identity of the reporting person and the other individuals involved.

For multinational organisations operating in Sweden, cross-border transfers of personal data present further complexities. Transfers of investigation-related personal data to countries outside the EU/European Economic Area (EEA) must comply with the GDPR’s rules on international transfers, typically requiring standard contractual clauses, data transfer impact assessments and other appropriate safeguards.

Increased Use of External Investigators

Drivers of engaging external support

Swedish employers are increasingly turning to external investigators – typically external law firms or other consultants – to handle all or part of internal investigations. Several factors explain this trend.

First, the Whistleblower Act’s emphasis on independence and impartiality has prompted organisations to consider whether internal resources can be perceived as sufficiently neutral, particularly where allegations concern senior management, key personnel or individuals close to those who would ordinarily conduct investigations. External investigators may be viewed as better placed to avoid conflicts of interest, and to give assurance that the process is unbiased.

Second, the growing complexity of legal and regulatory requirements – spanning whistle-blower protections, the GDPR, labour law, discrimination law, sanctions and sector-specific regulations – together with increased fines that corporations may be liable to pay, drives demand for specialised expertise. External counsel with expertise in Swedish employment and data protection law and other relevant areas, and with cross-border investigation experience where needed, can help structure investigations that withstand scrutiny from courts, regulators, the media and other stakeholders.

Third, reputational risk has become a major consideration. Allegations of criminal activities, financial misconduct or ethical breaches within companies can attract significant public and media attention, especially for publicly listed companies or in sectors with a public mandate or high visibility. Engaging external investigators can be perceived to signal seriousness and transparency, even where the underlying legal obligations do not strictly require it.

Typical mandates and scope

The mandates given to external investigators in Sweden vary. In some cases, an external counsel or other consultant is asked to conduct a fully independent investigation, including scoping, document review, interviews and preparation of a factual report with or without legal analysis. In other cases, the mandate is more circumscribed – for example, is limited to certain interviews, an assessment of the sufficiency of an internal inquiry or advice on legal risks and the next steps to take in view of an investigation’s findings.

A common pattern is the separation of roles between external fact finders and legal advisers on the one hand and internal decision-makers on the other hand. External counsel may be tasked with establishing a factual record and a legal analysis, while decisions on disciplinary measures, organisational or policy changes and whether to report to the authorities remain with the company. This approach preserves the company’s ultimate responsibility for employment-related and other decisions while benefitting from external expertise and independence.

Developments in methodology

As it has become more common to engage external support to conduct internal investigations, Swedish best practices for internal investigations have increasingly aligned with international standards. Typical features include:

  • written investigation plans setting out the scope, methodology and timelines;
  • early identification of legal and data protection issues, including cross-border aspects and potential disclosure obligations (eg, for publicly listed companies, where the information can be considered price-sensitive);
  • structured interview protocols, with clear information provided to interviewees about purpose, confidentiality and data processing;
  • systematic approaches to evidence review, including digital evidence handling; and
  • clear distinction between fact finding and legal or policy analysis in investigative reports.

These developments reflect both market expectations and the influence of external guidance, such as the global investigation frameworks used by multinational companies and international law firms. They also respond to the increased likelihood that investigative processes will be scrutinised in subsequent disputes, including employment litigation or administrative or criminal proceedings.

Relationship with attorney-client privilege

Companies frequently engage attorneys who are members of the Swedish Bar Association (Sw. advokater) as external investigators, in part because of the application of attorney-client privilege to communications and work products. As discussed further below, attorney-client privilege in Sweden attaches to external attorneys, not to in-house counsel or other external advisers, and its scope is shaped by Bar ethical rules and procedural law. This makes the choice between external attorney assistance and non-attorney investigators a strategic decision, particularly in investigations that may lead to criminal complaints or regulatory inquiries where a company may be requested to disclose investigative materials.

Attorney-client privilege in internal investigations

Foundations of attorney-client privilege in Sweden

Attorney-client privilege in Sweden (Sw. advokatsekretess) is grounded in the Swedish Bar Association’s ethical rules, and in the provisions of Swedish procedural law that protect the confidentiality of correspondence between a client and an external attorney. It generally applies in the same manner in civil, criminal, regulatory and investigatory contexts. An attorney who is a member of the Swedish Bar Association has a duty to ensure the confidentiality of any correspondence they have had with their client as well as any knowledge they have gained during the course of the engagement. Matters that are subject to the attorney’s duty of confidentiality are also subject to attorney-client privilege.

Privilege is regarded as a core element of the legal system, allowing clients to communicate confidentially with external attorneys. Communications with other advisers, including unregulated legal service providers or consultants, or with in-house counsel, do not enjoy the same protection.

Scope and limits of protection, and steps to take to ensure privilege

Swedish procedural law establishes the following core elements of attorney-client privilege:

  • it is prohibited to take testimony from an attorney or their associates regarding matters that are subject to attorney-client privilege, or to seize documents from the attorney or their client that can be assumed to pertain to these matters, unless the client expressly waives the privilege; and
  • neither an attorney nor their client is obliged to produce a document that is subject to attorney-client privilege in legal proceedings (and the attorney is not permitted to do so unless the client has waived the privilege).

However, these prohibitions on taking testimony and seizing documents, and the exemption from the duty to produce documents, do not apply where the evidence sought concerns a serious crime that carries a minimum penalty of two years’ imprisonment.

In the context of an internal investigation, attorney-client privilege can extend to materials such as correspondence, notes from witness interviews, legal advice provided by the attorney and investigation reports. It may also apply to other documents provided to the attorney in connection with the engagement.

To ensure attorney-client privilege over sensitive parts of an internal investigation where an external attorney is engaged, it is advisable to avoid communicating on sensitive matters internally – via email, for example – without copying in an attorney. It is also advisable to label documents “privileged and confidential” (although that is not in itself sufficient or required for privilege) and establish a procedure for securely retaining privileged documents and correspondence.

Cross-border dimensions

Multinational companies operating in Sweden may have to navigate divergent privilege regimes across jurisdictions. While communications with Swedish external attorneys is privileged under Swedish law, the same communications may receive different treatment in foreign courts or regulatory proceedings. Conversely, advice obtained from foreign external counsel may or may not be recognised as privileged under Swedish procedural rules, depending on the status of the foreign counsel. From a Swedish perspective, correspondence with external counsel authorised as the equivalent of an attorney in a state within the EU, EEA or Switzerland is protected by attorney-client privilege, provided that the external counsel practices law in Sweden.

These cross-border complexities can be particularly relevant in investigations with potential implications in multiple jurisdictions, such as alleged cross-border corruption. In such cases, companies often co-ordinate closely between Swedish and foreign external counsel to design an investigative structure that maximises protection where possible while enabling effective fact finding and reporting.

Roschier

Brunkebergstorg 2 | Visit
SE-111 51 Stockholm
PO Box 7358
SE-103 90 Stockholm
Sweden

+46 8 553 190 00

+46 8 553 190 01

jenny.wadstrom@roschier.com www.roschier.com/
Author Business Card

Law and Practice

Authors

Robert Stromberg
Malin Dunér

Advokatfirman Cederquist KB is a Swedish independent law firm that offers full service from its Stockholm office. It engages more than 120 lawyers and has developed non-exclusive relationships with firms globally to assist clients in cross-border matters. Concerning major international deals and transactions handled by the firm, it has acted as legal adviser in corporate acquisitions of Swedish companies on behalf of foreign corporations, investment banks and law firms, as well as in acquisitions of companies outside Sweden. Cederquist’s employment and investigations team, which consists of one partner, three senior associates and two associates, is responsible for a wide range of matters relating to labour law, such as employment protection, pensions, investigations and benefits. Cederquist is a member of L&E Global, an alliance of employers’ counsel worldwide providing cross-border labour and employment law services.

Trends and Developments

Authors

Jenny Welander Wadström
Björn Johansson Heigis
Andreas Hallbeck
Säde Märgel

Roschier is a leading law firm in the Nordic region with offices in Finland and Sweden. A dedicated team of nine lawyers in Helsinki and ten lawyers in Stockholm specialises in employment matters, including HR internal investigations and associated crisis management and dispute resolution. They work seamlessly with corporate investigation and compliance lawyers across the firm’s practices, assisting employers with complex investigations into suspected harassment, inappropriate behaviour and workplace non-compliance, as well as suspected white-collar crime and corporate misconduct, ensuring compliance with legal and other requirements. Roschier’s approach combines legal expertise with practical experience to resolve sensitive workplace issues and compliance matters. The teams collaborate closely with management, legal teams and HR professionals across various industries to deliver business-minded solutions and mitigate workplace risks and corporate liability. Recent work highlights include assisting companies with sensitive internal investigations into harassment, misconduct and compliance breaches, often involving complex cross-border issues and implementation of remedial measures to reduce organisational risk and liability.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.