New whistleblower protection law
27 February 2023
Last February 21st, the Official State Gazette published the Law 2/2023, of February 20th, regulating the protection of persons who report regulatory breaches. The Law transposes into Spanish law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, known as theWhistleblowingDirective. This new Law provides for protection against retaliation for persons who report specific breaches and enters into force on March 13th.
ThisNewsletteraims to summarise the Law's main business-related features.
Who does this Law protect?
The Law provides for protection for persons working in the private or public sector who become aware of breaches in an employment or professional context (commonly known aswhistleblowers). The protection covers: (i) persons working in the public or private sector; (ii) persons having self-employed status, contractors, subcontractors and providers; (iii) whistleblowers with a terminated employment or statutory relationship; (iv) volunteers, interns, trainees or persons taking part in recruitment processes; and (v) shareholders and members of the board.
Additionally, the Law also grants protection to: (i) the whistleblowers' colleagues or relatives; and (ii) the companies the whistleblowers work for, or with which it has a relationship within the employment context, or in which they hold significant shareholdings.
This Law provides for protection for whistleblowers who report any of the followinginfringements: (i) serious or very serious administrative breach under Spanish law; (ii) criminal offences; or (iii) breaches of Union law under the Whistleblowing Directive, breaches that affect the financial interests of the EU or breaches relating to the internal market.
What reporting channels does the Law provide for?
Whistleblowers may report breaches through, either theinternal reporting channel嵌入式的internal reporting system– and theexternal reporting channel.
Which entities are obliged to have an内部系统?
Reporting throughinternal reporting channelsis encouraged before using theexternal reporting channels. The former must allow whistleblowers to submit written and verbal communications and to report information on the breaches in question. Moreover, it will safeguard the confidentiality of their identity.
Companies with 50 or more employeesand those, irrespective of the number of employees, which fall within the scope of Union laws on financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection, among others,will be obligedto have aninternal reporting system. In the case ofgroups of companies, the parent company must adopt a general policy on theinternal reporting systemand ensure that its subsidiaries apply its principles. There may be a shared内部系统for the whole group.
Companies that voluntarily introduce an内部系统, not being obliged to do so, must also comply with all the regulations laid down by this Law.
Who is in charge of the内部系统management?
Theinternal reporting systemshall be managed by the so-calledsystem manager(“responsable del sistema”); a person or a collegiate body which must act independently and must have all the personal and material resources to carry out its functions. Groups of companies may appoint a solesystem managerfor the whole group.
Management of the内部系统may be outsourced to a third party, as long as independence, confidentiality, data protection and communications secrecy are guaranteed.
When is the deadline for establishing the internal systems or adapting the existing ones to the new regulation?
The company board will be responsible for the establishment of theinternal reporting system, which must be carried out before13 June 2023, unless the company has fewer than 250 employees, in which case the deadline is extended to1 December 2023.
Who will be in charge of the external reporting channel?
告密者可能通过外部cha报告nnel of theIndependent Whistleblower Protection Authority(“Autoridad Independiente de Protección del Informante”) or through the regional authorities or bodies. They may do so directly or after reporting through theinternal channel.
Independent Whistleblower Protection Authority –an independent administrative authority created for this purpose– will decide whether to initiate an investigation phase that will end with the issuance of a report that may: (i) file the case; (ii) refer it to the Public Prosecutor's Office if there are signs of a criminal offence; (iii) initiate disciplinary proceedings; or (iv) transfer the proceedings to another competent authority or body. Decisions may not be appealed, except for any decision to terminate the sanctioning procedure that may have been initiated.
What infringements are sanctionable under this Law?
Independent Whistleblower Protection Authority may sanction retaliation against whistleblowers as well as breaches of reporting channel regulations.
The Law provides for these infractions, among others: (i) breach of whistleblower rights; (ii) failure to comply with the obligation to have aninternal reporting system; and (iii) retaliations against whistleblowers.
Companies may befined up to a maximum of one million euros并可能受到额外的制裁等bans on obtaining subsidies or other tax benefits for a maximum period of four years.
What protective measures are provided for?
Theprotective measureslaid down by the Law to protect whistleblowers include:
- prohibition of retaliation (e.g. suspension of employment contract, dismissal, etc.) against whistleblowers taken within two years after the investigations end –extendable if there are grounds for doing so–;
- immunity from liability in the case the whistleblower has taken part on the administrative breach that has been reported, as long as these requirements are fulfilled: (i) the whistleblower has ceased committing the breach, (ii) they have fully cooperated with the authorities, (iii) the information provided by the whistleblower was true, and (iv) they have repaired the damage caused;
- in judicial proceedings, the reversal of the burden of proof in proceedings initiated by whistleblowers after having suffered harm as a result of reporting an infringement; and
- immunity from liability where reporting persons acquire or obtain access to the information on breaches reported or the documents containing that information, as long as it does not constitute a criminal offence.
Is publicly disclosing the information also protected?
Whistleblowers who have publicly disclosed the breach will also be protected under the Law if:
- they had previously communicated it through theinternal or external channeland there are reasonable grounds to believe that; either the breach may constitute an imminent or manifest danger to the public interest, or, in the case theexternal reporting channelhas been used, there is a risk of retaliation or there is little likelihood of the information being dealt with effectively; and
- where whistleblowers have directly disclosed the information to the press in the exercise of freedom of speech and truthful information, they will enjoy the protection provided by the Law without any additional requirements.
Please note that the Law also provides protection measures for those affected by the reporting (e.g. presumption of innocence, right of access to the file or guarantee of confidentiality).
How shall whistleblowers´ personal data be treated?
All entities obliged to have aninternal reporting systemmust keep a register of the information received and the internal investigations to which they give rise, guaranteeing, in all cases, the requirements of confidentiality.
Whistleblowers´ personal data may be kept in theinformation systemexclusively for the time necessary to decide whether or not to initiate an investigation.
If an informant submits a report and an investigation is not initiated within the following three months, the informant's data shall be deleted. On the other hand, the identity of the informant shall never be subject to the right of access to personal data and may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of an investigation.
