Legal development

New whistleblower protection law

Insight Hero Image

    Last February 21st, the Official State Gazette published the Law 2/2023, of February 20th, regulating the protection of persons who report regulatory breaches. The Law transposes into Spanish law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, known as the Whistleblowing Directive. This new Law provides for protection against retaliation for persons who report specific breaches and enters into force on March 13th.

    This Newsletter aims to summarise the Law's main business-related features.

    Who does this Law protect?

    The Law provides for protection for persons working in the private or public sector who become aware of breaches in an employment or professional context (commonly known as whistleblowers). The protection covers: (i) persons working in the public or private sector; (ii) persons having self-employed status, contractors, subcontractors and providers; (iii) whistleblowers with a terminated employment or statutory relationship; (iv) volunteers, interns, trainees or persons taking part in recruitment processes; and (v) shareholders and members of the board.

    Additionally, the Law also grants protection to: (i) the whistleblowers' colleagues or relatives; and (ii) the companies the whistleblowers work for, or with which it has a relationship within the employment context, or in which they hold significant shareholdings.

    This Law provides for protection for whistleblowers who report any of the following infringements: (i) serious or very serious administrative breach under Spanish law; (ii) criminal offences; or (iii) breaches of Union law under the Whistleblowing Directive, breaches that affect the financial interests of the EU or breaches relating to the internal market.

    What reporting channels does the Law provide for?

    Whistleblowers may report breaches through, either the internal reporting channel –embedded in the internal reporting system– and the external reporting channel.

    Which entities are obliged to have an internal system?

    Reporting through internal reporting channels is encouraged before using the external reporting channels. The former must allow whistleblowers to submit written and verbal communications and to report information on the breaches in question. Moreover, it will safeguard the confidentiality of their identity.

    Companies with 50 or more employees and those, irrespective of the number of employees, which fall within the scope of Union laws on financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection, among others, will be obliged to have an internal reporting system. In the case of groups of companies, the parent company must adopt a general policy on the internal reporting system and ensure that its subsidiaries apply its principles. There may be a shared internal system for the whole group.

    Companies that voluntarily introduce an internal system, not being obliged to do so, must also comply with all the regulations laid down by this Law.

    Who is in charge of the internal system management?

    The internal reporting system shall be managed by the so-called system manager (“responsable del sistema”); a person or a collegiate body which must act independently and must have all the personal and material resources to carry out its functions. Groups of companies may appoint a sole system manager for the whole group.

    Management of the internal system may be outsourced to a third party, as long as independence, confidentiality, data protection and communications secrecy are guaranteed.

    When is the deadline for establishing the internal systems or adapting the existing ones to the new regulation?

    The company board will be responsible for the establishment of the internal reporting system, which must be carried out before 13 June 2023, unless the company has fewer than 250 employees, in which case the deadline is extended to 1 December 2023.

    Who will be in charge of the external reporting channel?

    Whistleblowers may report through the external channel of the Independent Whistleblower Protection Authority (“Autoridad Independiente de Protección del Informante”) or through the regional authorities or bodies. They may do so directly or after reporting through the internal channel.

    Independent Whistleblower Protection Authority –an independent administrative authority created for this purpose– will decide whether to initiate an investigation phase that will end with the issuance of a report that may: (i) file the case; (ii) refer it to the Public Prosecutor's Office if there are signs of a criminal offence; (iii) initiate disciplinary proceedings; or (iv) transfer the proceedings to another competent authority or body. Decisions may not be appealed, except for any decision to terminate the sanctioning procedure that may have been initiated.

    What infringements are sanctionable under this Law?

    Independent Whistleblower Protection Authority may sanction retaliation against whistleblowers as well as breaches of reporting channel regulations.

    The Law provides for these infractions, among others: (i) breach of whistleblower rights; (ii) failure to comply with the obligation to have an internal reporting system; and (iii) retaliations against whistleblowers.

    Companies may be fined up to a maximum of one million euros and may be subject to additional sanctions such as bans on obtaining subsidies or other tax benefits for a maximum period of four years.

    What protective measures are provided for?

    The protective measures laid down by the Law to protect whistleblowers include:

    • prohibition of retaliation (e.g. suspension of employment contract, dismissal, etc.) against whistleblowers taken within two years after the investigations end –extendable if there are grounds for doing so–;
    • immunity from liability in the case the whistleblower has taken part on the administrative breach that has been reported, as long as these requirements are fulfilled: (i) the whistleblower has ceased committing the breach, (ii) they have fully cooperated with the authorities, (iii) the information provided by the whistleblower was true, and (iv) they have repaired the damage caused;
    • in judicial proceedings, the reversal of the burden of proof in proceedings initiated by whistleblowers after having suffered harm as a result of reporting an infringement; and
    • immunity from liability where reporting persons acquire or obtain access to the information on breaches reported or the documents containing that information, as long as it does not constitute a criminal offence.

    Is publicly disclosing the information also protected?

    Whistleblowers who have publicly disclosed the breach will also be protected under the Law if:

    • they had previously communicated it through the internal or external channel and there are reasonable grounds to believe that; either the breach may constitute an imminent or manifest danger to the public interest, or, in the case the external reporting channel has been used, there is a risk of retaliation or there is little likelihood of the information being dealt with effectively; and
    • where whistleblowers have directly disclosed the information to the press in the exercise of freedom of speech and truthful information, they will enjoy the protection provided by the Law without any additional requirements.

    Please note that the Law also provides protection measures for those affected by the reporting (e.g. presumption of innocence, right of access to the file or guarantee of confidentiality).

    How shall whistleblowers´ personal data be treated?

    All entities obliged to have an internal reporting system must keep a register of the information received and the internal investigations to which they give rise, guaranteeing, in all cases, the requirements of confidentiality.

    Whistleblowers´ personal data may be kept in the information system exclusively for the time necessary to decide whether or not to initiate an investigation.

    If an informant submits a report and an investigation is not initiated within the following three months, the informant's data shall be deleted. On the other hand, the identity of the informant shall never be subject to the right of access to personal data and may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of an investigation.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest