Legal Lexicon


Internal

Definition and general significance of ‘Internal’ in a legal context

The term “Internal” originates from English and literally means “internal,” “intra-company,” or “corporate internal.” In a legal context, the term “Internal” is of central importance in various disciplines of business and corporate law, as well as in data protection, compliance, and IT security. It describes all processes, information, regulations, or documents that relate to the internal area of an organization, institution, or company, and are thus not intended for the public or for external third parties.

Legal relevance and applications of the term “Internal”

Internal processes and internal communication

In the legal environment, the term “Internal” is frequently used to distinguish various forms of company-internal communication and organizational structures.

Intra-company communication

The so-called “Internal Communications” include all types of messages, circulars, memos, or minutes that are exchanged within a company between its bodies, departments, or employees. The protection of this communication is regularly regulated by labor law, data protection law, or sanctions law provisions.

Internal guidelines and policies

The expression “Internal Policy” refers to internal instructions, rules of procedure, and codes of conduct issued by company management or appropriate bodies. These internal regulations are binding for a company’s employees but have no immediate external legal effect. However, they may become relevant in the context of labor law disputes or breaches of compliance regulations.

Confidentiality and protection of “internal” information

Confidentiality and non-disclosure obligations

A significant legal aspect of the term “Internal” arises in connection with the classification and protection of confidential information. Many companies use labels such as “Internal Use Only” to categorize information as internal and clarify that its disclosure to unauthorized parties—including within the company—is not permitted. Violations of this classification can be sanctioned on the basis of employment contracts, the Act on the Protection of Trade Secrets (GeschGehG), or specific legal provisions.

Trade secrets and internal data

Within the framework of trade secret protection under the Act on the Protection of Trade Secrets (GeschGehG), “internal information” is protected as a trade secret, provided it is neither generally known nor accessible and is therefore of economic value to the company. Unauthorized access, use, or disclosure of this information may result in civil and criminal sanctions.

Compliance requirements and “Internal Controls”

Internal control systems (ICS)

The term “Internal Controls” plays a prominent role in compliance. Companies are required to establish internal control systems to prevent legal violations, particularly in the areas of corruption prevention, money laundering, and financial reporting. Regulations can be found, for example, in the German Stock Corporation Act (AktG), the Commercial Code (HGB), as well as international standards such as the Sarbanes-Oxley Act (SOX).

Internal investigations (Internal Investigations)

Companies are obligated to conduct internal investigations in the event of suspected legal violations. These may be initiated in cases of suspected embezzlement, corruption, or other legal offenses. The results of such internal investigations are often subject to special legal requirements with respect to documentation obligations, data protection, and the right to a fair procedure.

Data protection aspects of “Internal”

Internal processing of personal data

In European data protection law, particularly under the General Data Protection Regulation (GDPR), personal data is also processed within companies. A strict distinction is made between “internal” and “external” when it comes to the sharing and processing of data. Internal processing is subject to its own regulations to ensure data misuse is prevented and access rights are clearly defined.

Internal data protection guidelines

Companies are required to develop and implement internal data protection guidelines to document internal data flows and ensure compliance with data protection requirements. This includes mandatory work instructions, training, and technical measures.

IT-law dimension of “Internal”

“Internal Networks” and IT security

In the context of IT law, “Internal” often refers to internal networks (“Internal Networks”) or internal IT systems, which must be protected against unauthorized access through physical, organizational, and technical measures. Compliance with IT security laws, including the IT Security Act and requirements of the Federal Office for Information Security (BSI), is essential for the security of internal systems and data.

Classification of data and access management

The categorization of information as “Internal” is the basis for company-wide access management. In this way, permissions are controlled and documented, protection against data leakage (Data Leakage Prevention, DLP) is implemented, and proper handling of sensitive data is ensured.

Labor law and liability perspectives

Employee obligations when handling “internal” information

Employees are obligated to treat internal information accessed during the course of their work confidentially. Breaches of this duty can result in employment law consequences, up to and including summary dismissal and liability for damages.

Liability for the misuse of internal information

Companies and their employees may be held liable if internal information is unlawfully disclosed, used, or published. This involves civil, labor, and criminal liability rules, particularly in the case of breaches of business and trade secrets.

“Internal” in an international legal comparison

International customary practice and legal bases

The handling of internal information is similarly regulated internationally, although there are differences, particularly in details and enforcement. In Anglo-Saxon legal systems, such as US law, “Internal Policies” and “Internal Controls” are precisely defined and are often subject to criminal sanctions, for example under the Sarbanes-Oxley Act (SOX).

EU law and national differences

The European Union, through the GDPR and the GeschGehG, sets strict standards for the protection of internal information. Other legal regimes, such as the UK Data Protection Act or the French Code du Travail, have their own specific, locally adapted requirements for the handling of internal data and information.

Summary

The term “Internal” has broad and significant application in a legal context. It encompasses all intra-company processes, data, documents, and information flows, the use of which is regulated by special statutory, contractual, and organizational requirements. The protection, processing, and use of internal information are integral parts of modern corporate law, data protection, IT security, compliance, and labor law. Compliance with the relevant statutory and internal company provisions is essential for the lawful and secure operation of any organization.

Frequently asked questions

Who is legally authorized to issue internal guidelines in a company?

The authority to legally issue internal guidelines typically lies with the company bodies authorized to manage the company, generally the executive board (for AG, KGaA), managing directors (for GmbH, UG), or sole proprietors. This follows from the principle of corporate representation and the right to issue instructions to employees (§ 106 GewO). In group structures, this can also be delegated to management bodies or specific departments via internal rules of procedure, provided this is explicitly stipulated. However, under the Works Constitution Act, participation and co-determination rights of the works council per §§ 87 ff. BetrVG may be affected, such as in matters of working hours, data protection, or codes of conduct. It should be noted that internal guidelines only have legal effect if they are based on a valid employment or service law basis (e.g., employment contract, works agreement, collective bargaining agreement) or are covered by the right of direction. In an international context, country-specific employment and corporate law provisions must also be observed.

Are internal instructions legally binding?

Internal instructions—often also referred to as internal specifications, directives, or policies—are fundamentally legally binding for the addressees, usually the employees, within the scope provided by law, employment contract, or collective agreement. The basis is the employer’s right of direction under § 106 GewO, which allows the employer to determine the content, place, and time of work performance at its reasonable discretion. However, the binding effect does not extend beyond the limits of legal provisions or contractual regulations; unlawful, immoral, or discriminatory internal instructions are not effective. Furthermore, internal instructions may be subject to co-determination by the works council under the Works Constitution Act. Employee violations may, depending on severity, result in employment consequences such as warnings or terminations, while company bodies may be liable for breaches of compliance obligations or statutory duties due to improper internal management.

What legal limits exist regarding the content of internal regulations?

The legal permissibility of internal rules is particularly limited by higher-ranking legal sources. These include the Basic Law, in particular personal rights and the principle of equal treatment, the General Equal Treatment Act (AGG), labor protection laws (Protection Against Dismissal Act, Working Hours Act), data protection law (GDPR, BDSG), collective regulations (collective agreement, works agreement), and if applicable, country-specific laws. The regulations must not establish inadmissible discrimination or surveillance and must observe the principle of proportionality. In particular, data protection provisions must be strictly observed when regulating IT use, communication, or video surveillance; such measures must be transparent and may only be taken within the scope of the law. Violations can render the internal regulation invalid and may give rise to claims for damages by affected individuals or fines.

How long are internal guidelines legally binding?

The validity of internal guidelines is generally tied to the continued existence of the issuing organization or employment relationship and can be ended by a clause in the guideline itself or by amendment, repeal, or replacement by new rules. Without explicit limitation or repeal, internal guidelines remain in effect until revoked or in case of a significant change in actual or legal circumstances. When the employment relationship of the affected employee ends, the guideline ceases to be binding for them. Deviations may arise if the guideline is part of a works agreement or collective bargaining agreement and has continuing legal effect (e.g. post-effect of a works agreement under § 77 para. 6 BetrVG). If the guideline is legally invalid or violates higher-ranking law, its binding effect also expires.

What are the legal consequences of violating internal regulations?

Violations of internal regulations by employees can lead to various employment law sanctions, including warnings, transfers, changes of contract, and in extreme cases also extraordinary or ordinary termination. The basis for this is the breach of contractual ancillary duties. Repeated or serious violations can also result in employer claims for damages against the employee, such as in cases of intentional compliance breaches. Members of management and executives have heightened monitoring and organizational duties: if they violate internal rules and this causes damage to third parties (e.g. data protection violations), liability risks may arise externally (towards business partners, authorities, affected parties). Under § 93 AktG and § 43 GmbHG, personal liability for organizational fault may also arise. Additionally, official sanctions or fines can result from violations of the law.

Is notification of internal regulations to all addressees legally required?

For the effectiveness and validity of internal regulations, proper notification to the relevant groups of persons is legally required. Only in this way can it be ensured that compliance can reasonably be expected from the addressees, which follows from the employment law transparency requirement and § 307 BGB (in the case of general terms and conditions). In practice, this necessitates verifiable notification, e.g., by email, intranet publication, notice, or personal delivery. If suitable notification is lacking, the employee can plead ignorance, which may preclude disciplinary action. In compliance, companies are also obliged to fulfill documentation and information duties to minimize liability risks in cases of organizational fault.

Can internal guidelines be enforced in court?

Internal guidelines have immediate legal effect only if they form part of an employment contract or binding collective regulation (works agreement, collective agreement). In these cases, compliance is also enforceable in court; claims (for injunction, warnings, protection against dismissal, etc.) may be asserted. Pure organizational instructions not expressly anchored in the employment contract can generally only be enforced within the scope of contractual ancillary duties and as a specification of the employer’s right of direction. In disputes, labor courts review the lawfulness, appropriateness, and proportionality of such internal regulations. In civil law, claims for breach of internal regulations can only be derived if they are contractually agreed or explicitly referenced through appropriate clauses.