


Compliance is not a box-ticking exercise − it is a core risk-management function

published on 28 January 2026 | reading time approx. 5 minutes

Why internal rules matter even when the law seems obvious.

“Everyone is presumed to know the law.” This fundamental principle − ignorantia legis non excusat − underpins all modern legal systems. In theory, it means that individuals and companies alike are responsible for complying with applicable laws, even if they are unaware of them. From this perspective, one might ask: why repeat legal prohibitions in internal policies at all, if the law is already clear? The answer lies not in formal compliance, but in risk allocation.

Employment Changes the Legal Equation

Employment relationships are not neutral contractual arrangements. Across the EU and EEA, they are governed by the assumption that the employee is the weaker party, while the employer bears a heightened duty of care. At the same time, employees are presumed to act in the name and in the interests of the employer. As a result, unlawful conduct by an employee may trigger civil, administrative or even criminal liability for the employer, particularly where authorities or courts conclude that the company failed to ensure adequate supervision, guidance or preventive measures.

This logic is firmly rooted in the long-established principles of culpa in eligendo (fault in selecting employees) and culpa in instruendo (fault in instructing, training and supervising them). In practice, this means that liability is often shifted from the individual employee to the company, while the employer’s theoretical right of recourse against the employee is frequently limited or illusory.

Why Liability Outcomes Are Inherently Unpredictable

In disputes involving employee misconduct, courts and authorities do not look at a single rule in isolation. Instead, they assess complex factual and organizational structures, including:
  1. how employees were instructed and trained,
  2. whether risks were foreseeable,
  3. how information flowed internally,
  4. whether escalation mechanisms existed and were used, and
  5. whether management exercised effective oversight.
Because these assessments are highly fact-specific, outcomes are often difficult to predict, particularly in cross-border EU/EEA contexts where multiple legal regimes, authorities and enforcement standards may intersect. What may appear to be a “clear case” on paper can quickly evolve into a high-stakes, multi-layered dispute with significant financial and reputational exposure.

Compliance as Prevention, Not Formality

Against this background, internal compliance rules serve a purpose that goes far beyond discipline or box-ticking.
Well-designed internal policies and training programs perform three critical functions:
  1. Preventive – helping employees recognize legally sensitive situations before violations occur;
  2. Guidance-based – clearly defining expected conduct, decision-making paths and escalation channels;
  3. Evidentiary – demonstrating that the employer exercised due care, potentially limiting or excluding liability under culpa in instruendo.
Importantly, authorities increasingly ask not whether rules exist, but whether they are understood, implemented and applied in practice.

A Practical Reality Check

Experience shows that simply asking employees to “acknowledge” policies is rarely sufficient. Employees may overlook key provisions, misunderstand legal risks or fail to recognize red flags in real-life situations.
Just one real-life example: a sales employee, aiming to meet commercial targets, coordinated pricing behavior with online retailers and facilitated the buy-out of parallel imports to maintain market prices. The employee did not perceive this as problematic. For the company, however, the consequences included serious competition law violations, reputational damage and multi-million-euro fines.

The lesson is clear: compliance is not about legal theory, but about operational awareness.

A Shared EU/EEA Logic − and a Clear Business Conclusion

While enforcement thresholds differ, the underlying principles − employer responsibility, heightened duties of care, and the relevance of culpa in eligendo / instruendo − are largely harmonized across the EU and EEA countries.

Where an employee’s conduct can expose a company to fines (sometimes up to 10% of turnover), criminal sanctions or civil claims, investing in a living compliance system is not a cost burden, but a rational risk management decision. In most cases, prevention is significantly cheaper − and far more predictable − than defending complex disputes after the fact.

Each company should therefore assess its specific risk profile and identify areas requiring internal regulation and training. Usually, internal policies should address employee conduct in key legal areas, including in particular: (i) personal data processing and privacy, (ii) cybersecurity, (iii) protection of confidential information, (iv) identification and protection of company know-how, (v) intellectual property created by employees and use of third-party IP (software, images, music, etc.), (vi) conflicts of interest, (vii) gifts, hospitality and other benefits, including anti-corruption aspects, (viii) competition law, fair commercial practices and comparative advertising, (ix) AML, KYC and export control compliance. In addition, the company must ensure that compliance mechanisms are not merely documented, but actively embedded in day-to-day operations. When things go wrong, it is not only the law that will be examined − but everything the company did, or failed to do, beforehand.

Prevention is almost always less costly than dealing with the consequences.

Author: Inese Kalnaja, Senior Counsel | IP, Competition and Compliance.
