New whistleblower protection law
27 February 2023
27 February 2023
Last February 21st, the Official State Gazette published the Law 2/2023, of February 20th, regulating the protection of persons who report regulatory breaches. The Law transposes into Spanish law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, known as the Whistleblowing Directive. This new Law provides for protection against retaliation for persons who report specific breaches and enters into force on March 13th.
This Newsletter aims to summarise the Law's main business-related features.
Who does this Law protect?
The Law provides for protection for persons working in the private or public sector who become aware of breaches in an employment or professional context (commonly known as whistleblowers). The protection covers: (i) persons working in the public or private sector; (ii) persons having self-employed status, contractors, subcontractors and providers; (iii) whistleblowers with a terminated employment or statutory relationship; (iv) volunteers, interns, trainees or persons taking part in recruitment processes; and (v) shareholders and members of the board.
Additionally, the Law also grants protection to: (i) the whistleblowers' colleagues or relatives; and (ii) the companies the whistleblowers work for, or with which it has a relationship within the employment context, or in which they hold significant shareholdings.
This Law provides for protection for whistleblowers who report any of the following infringements: (i) serious or very serious administrative breach under Spanish law; (ii) criminal offences; or (iii) breaches of Union law under the Whistleblowing Directive, breaches that affect the financial interests of the EU or breaches relating to the internal market.
What reporting channels does the Law provide for?
Whistleblowers may report breaches through, either the internal reporting channel –embedded in the internal reporting system– and the external reporting channel.
Which entities are obliged to have an internal system?
Reporting through internal reporting channels is encouraged before using the external reporting channels. The former must allow whistleblowers to submit written and verbal communications and to report information on the breaches in question. Moreover, it will safeguard the confidentiality of their identity.
Companies with 50 or more employees and those, irrespective of the number of employees, which fall within the scope of Union laws on financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection, among others, will be obliged to have an internal reporting system. In the case of groups of companies, the parent company must adopt a general policy on the internal reporting system and ensure that its subsidiaries apply its principles. There may be a shared internal system for the whole group.
Companies that voluntarily introduce an internal system, not being obliged to do so, must also comply with all the regulations laid down by this Law.
Who is in charge of the internal system management?
The internal reporting system shall be managed by the so-called system manager (“responsable del sistema”); a person or a collegiate body which must act independently and must have all the personal and material resources to carry out its functions. Groups of companies may appoint a sole system manager for the whole group.
Management of the internal system may be outsourced to a third party, as long as independence, confidentiality, data protection and communications secrecy are guaranteed.
When is the deadline for establishing the internal systems or adapting the existing ones to the new regulation?
The company board will be responsible for the establishment of the internal reporting system, which must be carried out before 13 June 2023, unless the company has fewer than 250 employees, in which case the deadline is extended to 1 December 2023.
Who will be in charge of the external reporting channel?
Whistleblowers may report through the external channel of the Independent Whistleblower Protection Authority (“Autoridad Independiente de Protección del Informante”) or through the regional authorities or bodies. They may do so directly or after reporting through the internal channel.
Independent Whistleblower Protection Authority –an independent administrative authority created for this purpose– will decide whether to initiate an investigation phase that will end with the issuance of a report that may: (i) file the case; (ii) refer it to the Public Prosecutor's Office if there are signs of a criminal offence; (iii) initiate disciplinary proceedings; or (iv) transfer the proceedings to another competent authority or body. Decisions may not be appealed, except for any decision to terminate the sanctioning procedure that may have been initiated.
What infringements are sanctionable under this Law?
Independent Whistleblower Protection Authority may sanction retaliation against whistleblowers as well as breaches of reporting channel regulations.
The Law provides for these infractions, among others: (i) breach of whistleblower rights; (ii) failure to comply with the obligation to have an internal reporting system; and (iii) retaliations against whistleblowers.
Companies may be fined up to a maximum of one million euros and may be subject to additional sanctions such as bans on obtaining subsidies or other tax benefits for a maximum period of four years.
What protective measures are provided for?
The protective measures laid down by the Law to protect whistleblowers include:
Is publicly disclosing the information also protected?
Whistleblowers who have publicly disclosed the breach will also be protected under the Law if:
Please note that the Law also provides protection measures for those affected by the reporting (e.g. presumption of innocence, right of access to the file or guarantee of confidentiality).
How shall whistleblowers´ personal data be treated?
All entities obliged to have an internal reporting system must keep a register of the information received and the internal investigations to which they give rise, guaranteeing, in all cases, the requirements of confidentiality.
Whistleblowers´ personal data may be kept in the information system exclusively for the time necessary to decide whether or not to initiate an investigation.
If an informant submits a report and an investigation is not initiated within the following three months, the informant's data shall be deleted. On the other hand, the identity of the informant shall never be subject to the right of access to personal data and may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of an investigation.