Menu
undefined undefined
My dashboard
My Content
My products (0) My insights (0) My events (0) My contacts (0)

EU Whistleblowing Directive - Spain

Implementation of the EU Whistleblowing Directive in Spain.

17 October 2023

Publication

Existing whistleblower protection

In Spain, whistleblower protection was considered to be limited with fragmented sectoral rules until the approval of Law 2/2023 (BOE of 21 February 2023) regulating the protection of persons who report regulatory infringements and the fight against corruption.

On 16 February 2023, more than a year late, Law 2/2023 which transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, also known as the Whistleblowing Directive, was approved in Spain.

The law aims to provide adequate protection against retaliation for individuals who report violations or non-compliance by companies with European and Spanish regulations, and to promote a culture of information or communication as a mechanism to prevent and detect threats to the public interest.

Law 2/2023 came into force on 13 March 2023, but gives a period of 3 months for organisations with 250 or more employees to comply, and until 1 December 2023 for companies with between 50 and 250 employees (companies with less than 50 employees are not in scope to implement the measures of the law, unless they fall within the scope of financial services).

Therefore, companies with more than 250 employees must have an internal reporting system in place no later than three months after the entry into force of the law, i.e. by 13 June 2023. However, in-scope companies with less than 250 workers have until 1 December 2023 to comply.

The way companies adapt to the new Law requirements varies depending on whether or not they have a group policy. In cases where a company has an international policy that they wish to maintain as much as possible, companies are drafting an annex to the international policy, which is applicable to Spain and which regulates the particularities required by Spanish law. The implementation of the policy, together with the annex, and the appointment of a person responsible for the system in Spain, must be ratified by a decision of the governing body (board of directors or sole administrator) of the local entity. In the case of a local branch, the decision must be adopted by the governing body of the entity which opened the branch.

Scope

The law will protect individuals who report

  1. Any act or omission which may constitute an infringement of European Union law, provided that:
  • They fall within the scope of the European Union acts listed in the Annex to the Whistleblowing Directive.
  • Affect the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU); or
  • Have an impact on the internal market, as provided for in EU law, including infringements of EU competition and State aid rules, as well as infringements of various tax rules.
  1. Acts or omissions that may constitute a serious or very serious criminal or administrative offence in Spain. This includes offences involving financial loss to the Treasury and Social Security.

With regard to the personal scope of application, the law shall apply to whistleblowers working in the private or public sector who have obtained information on offences in an employment or professional context, including in any case:

  • Persons having the status of public employees or employees.
  • Self-employees.
  • Shareholders and persons belonging to the administrative, management or supervisory body of a company, including non-executive members.

Protection is also extended to all those who have professional or employment ties with entities in both the public and private sectors, those who have already terminated their professional relationship, volunteers, trainees or trainees in training and people who participate in selection processes. The protection of the law is also extended to persons providing assistance to whistleblowers, to persons in their entourage who may suffer reprisals, as well as to legal persons owned by the whistleblower.

Entities concerned

The entities required to implement an internal information system are the following:

  1. Individuals or entities in the private sector with 50 or more employees.

  2. Entities in the private sector that fall within the scope of the European Union acts on financial services, products and markets, prevention of money laundering or terrorist financing, transport security and environmental protection referred to in parts I.B and II of the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 shall be governed by their specific regulations, regardless of the number of employees they have. In these cases, the law shall apply to the extent that it is not regulated by their specific regulations. Legal entities that, despite not having their domicile in Spain, carry out activities in Spain through branches or agents or through the provision of services without a permanent establishment, will be considered to be included.

  3. Political parties, trade unions, employers' organisations and foundations set up by them, insofar as they receive or manage public funds.

Likewise, all public sector entities are obliged to implement.

Internal reporting system

The Law classifies the complaints reporting system into two types, an internal system and an external system.

Priority should be given to the internal system to be put in place by the entities under the law. In the case of companies, their management shall be responsible for its implementation after consultation with the legal representatives of the employees. The management of the entities shall also designate a person responsible for the management of the system and approve an information management procedure with the following minimum content:

  1. Identification of the internal reposting system(s).

  2. Inclusion of clear and accessible information on external reporting systems.

  3. Sending an acknowledgement of receipt of the communication to the informant, within seven calendar days of receipt, unless this could jeopardise the confidentiality of the communication.

  4. Determination of the maximum time limit for responding to the investigation, which may not exceed three months from receipt of the communication, except in cases of particular complexity requiring an extension of the time limit, in which case it may be extended by up to a maximum of three additional months.

  5. Provision for the possibility to maintain communication with the informant and, if deemed necessary, to ask the informant for additional information.

  6. Establishment of the right of the person concerned to be informed of the acts or omissions attributed to him or her, and to be heard at any time.

  7. Guarantee of confidentiality when the communication is sent through non-established reporting channels or to members of the personnel not responsible for its processing, who shall have been trained in this matter and warned of the classification as a very serious infringement of its violation and, likewise, the establishment of the obligation of the recipient of the communication to immediately forward it to the person responsible for the management of the system.

  8. Respect the presumption of innocence and the honour of the persons concerned.

  9. Comply with the provisions on the protection of personal data.

  10. Ensure that information is immediately forwarded to the Public Prosecutor's Office if the facts may indicate the existence of a criminal offence. If the facts concern the financial interests of the European Union, the information shall be forwarded to the European Public Prosecutor.

  11. The management of the internal information system may be carried out within the entity itself or by contracting the service with a specialised external third party, with the appropriate guarantees of independence, confidentiality, data protection and secrecy of communications.

External reporting system

Title III of the Law regulates the external reporting system to which individuals may submit information to the new Independent Authority for the Protection of Whistleblowers or to the corresponding regional authorities or bodies, of the commission of any actions or omissions included in the scope of application of the Law, either directly or following communication through the corresponding internal channel.

The Law regulates the processing of these complaints, establishing a maximum period of three months for their investigation. The resolution adopted by the Independent Whistleblower Protection Authority may not be appealed, without prejudice to the possible challenge of the sanctioning resolution with respect to the facts investigated.

Sanctions

The exercise of the sanctioning powers provided for in the law corresponds to the Independent Authority for the Protection of Whistleblowers and to the competent bodies of the autonomous communities, without prejudice to the disciplinary powers that the competent bodies may have within the internal sphere of each organisation.

The offences set out in the Act are designed to penalise the actions of obliged parties who limit the rights of informants or who take reprisals against them, in the case of very serious offences. Breaches of confidentiality guarantees or of the duty of secrecy are classified as serious offences. Infringements relating to lack of collaboration with the Independent Authority or other formal infringements are punishable as minor offences.

Fines for individuals range from €1,001 for minor offences to €300,000 for very serious offences. In the case of entities, penalties range from a maximum of €100,000 for minor infringements to €1,000,000 for very serious infringements.

In addition, another type of sanction is envisaged for very serious infringements, in which the Independent Authority for the Protection of Informants may impose: a) a public reprimand, b) a ban on obtaining subsidies or other tax benefits for a maximum period of four years, and c) a ban on contracting with the public sector for a maximum period of three years.

The rule contains a novel leniency system for whistleblowers who have been involved in the commission of the reported offence, provided that they fully cooperate with the investigation.

Finally, the statute of limitation will be three years for very serious infringements, two years for serious infringements and one year for minor infringements.

Other whistleblower regulations

There was no uniform regulation on whistleblower protection in Spanish law prior to the entry into force of the Law 2/2023, however, there were fragmented sectoral rules. Thus, there are specific laws in certain sectors that already contain some provisions that are in line with the requirements set out in the Directive, such as the obligation to introduce internal whistleblowing channels or the requirement for competent authorities to establish external whistleblowing channels for whistleblowers. Three such laws that include whistleblowing obligations are:

  1. Law 10/2010 of 28 April 2010 on the prevention of money laundering and terrorist financing (the "Law 10/2010"), stipulates that certain entities in Spain are legally obliged to prevent money laundering and terrorist financing (the "Regulated Entities") and have certain obligations, such as:
  • All Regulated Entities have a duty to implement and adopt written internal policies and procedures to ensure employees, managers or agents are able to report, even anonymously, relevant information on possible breaches of law or irregularities.
  • The whistleblowing channel can be a stand-alone procedure or be integrated into systems that Regulated Entities may have in place to report information on acts or conduct contrary to other general or sectoral rules that apply to them.
  • Regulated Entities must also take measures to ensure that whistleblowers are protected against retaliation, discrimination or any other unfair treatment and are obligated to comply with data protection regulations.

However, this law only applies to certain subjects and types of companies (financial and investment institutions, lawyers, advisors, real estate developers etc.), but it can be a benchmark or starting point for new legislation.

  1. Article 31 bis of the Criminal Code, which regulates the criminal liability of corporations for acts committed by their directors or employees introduces, as an exonerating circumstance, the adoption of organisational and management models that are adequate to prevent crimes. Among these models expressly mentioned is the “obligation to report possible risks and non-compliance to the body responsible for monitoring the functioning and observance of the prevention model”.

However, the introduction of a whistleblowing system under the Criminal Code is regulated not as an obligation, but as an exemption from liability and does not include express whistleblower protection.

  1. Article 48 of Organic Law 3/2007 of 22 March, for the effective equality of women and men, which establishes that Companies should promote working conditions that prevent sexual harassment and harassment based on sex, and establish specific procedures for its prevention and for dealing with any complaints or claims that may be made by those who have been subjected to it.

Spain was strictly required to bring into force the new laws, regulations and administrative provisions necessary to comply with the Whistleblowing Directive by 17 December 2021.

Assisting employers to stay updated on the law implementing the EU Directive 2019/1937, we have provided a document outlining compliance details, deadlines, and essential actions that are required before 1 December 2023.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.

This website uses cookies and other similar technologies to ensure you get the best experience on our website. Please review our cookie policy and our data protection privacy notice for more information on how the data that is collected is used.