New whistleblower protection law
27 February 2023
Last February 21st, the Official State Gazette published the Law 2/2023, of February 20th, regulating the protection of persons who report regulatory breaches. The Law transposes into Spanish law Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, known as theWhistleblowingDirective. This new Law provides for protection against retaliation for persons who report specific breaches and enters into force on March 13th.
ThisNewsletteraims to summarise the Law's main business-related features.
Who does this Law protect?
The Law provides for protection for persons working in the private or public sector who become aware of breaches in an employment or professional context (commonly known aswhistleblowers). The protection covers: (i) persons working in the public or private sector; (ii) persons having self-employed status, contractors, subcontractors and providers; (iii) whistleblowers with a terminated employment or statutory relationship; (iv) volunteers, interns, trainees or persons taking part in recruitment processes; and (v) shareholders and members of the board.
Additionally, the Law also grants protection to: (i) the whistleblowers' colleagues or relatives; and (ii) the companies the whistleblowers work for, or with which it has a relationship within the employment context, or in which they hold significant shareholdings.
This Law provides for protection for whistleblowers who report any of the followinginfringements: (i) serious or very serious administrative breach under Spanish law; (ii) criminal offences; or (iii) breaches of Union law under the Whistleblowing Directive, breaches that affect the financial interests of the EU or breaches relating to the internal market.
What reporting channels does the Law provide for?
Whistleblowers may report breaches through, either theinternal reporting channel嵌入式的internal reporting system– and theexternal reporting channel.
Which entities are obliged to have an内部系统?
Reporting throughinternal reporting channelsis encouraged before using theexternal reporting channels. The former must allow whistleblowers to submit written and verbal communications and to report information on the breaches in question. Moreover, it will safeguard the confidentiality of their identity.
Companies with 50 or more employeesand those, irrespective of the number of employees, which fall within the scope of Union laws on financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection, among others,will be obligedto have aninternal reporting system. In the case ofgroups of companies, the parent company must adopt a general policy on theinternal reporting systemand ensure that its subsidiaries apply its principles. There may be a shared内部系统for the whole group.
Companies that voluntarily introduce an内部系统, not being obliged to do so, must also comply with all the regulations laid down by this Law.
Who is in charge of the内部系统management?
Theinternal reporting systemshall be managed by the so-calledsystem manager(“responsable del sistema”); a person or a collegiate body which must act independently and must have all the personal and material resources to carry out its functions. Groups of companies may appoint a solesystem managerfor the whole group.
Management of the内部系统may be outsourced to a third party, as long as independence, confidentiality, data protection and communications secrecy are guaranteed.
When is the deadline for establishing the internal systems or adapting the existing ones to the new regulation?
The company board will be responsible for the establishment of theinternal reporting system, which must be carried out before13 June 2023, unless the company has fewer than 250 employees, in which case the deadline is extended to1 December 2023.
Who will be in charge of the external reporting channel?
告密者可能通过外部cha报告nnel of theIndependent Whistleblower Protection Authority(“Autoridad Independiente de Protección del Informante”) or through the regional authorities or bodies. They may do so directly or after reporting through theinternal channel.
Independent Whistleblower Protection Authority –an independent administrative authority created for this purpose– will decide whether to initiate an investigation phase that will end with the issuance of a report that may: (i) file the case; (ii) refer it to the Public Prosecutor's Office if there are signs of a criminal offence; (iii) initiate disciplinary proceedings; or (iv) transfer the proceedings to another competent authority or body. Decisions may not be appealed, except for any decision to terminate the sanctioning procedure that may have been initiated.
What infringements are sanctionable under this Law?
Independent Whistleblower Protection Authority may sanction retaliation against whistleblowers as well as breaches of reporting channel regulations.
The Law provides for these infractions, among others: (i) breach of whistleblower rights; (ii) failure to comply with the obligation to have aninternal reporting system; and (iii) retaliations against whistleblowers.
Companies may befined up to a maximum of one million euros并可能受到额外的制裁等bans on obtaining subsidies or other tax benefits for a maximum period of four years.
What protective measures are provided for?
Theprotective measureslaid down by the Law to protect whistleblowers include:
Is publicly disclosing the information also protected?
Whistleblowers who have publicly disclosed the breach will also be protected under the Law if:
Please note that the Law also provides protection measures for those affected by the reporting (e.g. presumption of innocence, right of access to the file or guarantee of confidentiality).
How shall whistleblowers´ personal data be treated?
All entities obliged to have aninternal reporting systemmust keep a register of the information received and the internal investigations to which they give rise, guaranteeing, in all cases, the requirements of confidentiality.
Whistleblowers´ personal data may be kept in theinformation systemexclusively for the time necessary to decide whether or not to initiate an investigation.
If an informant submits a report and an investigation is not initiated within the following three months, the informant's data shall be deleted. On the other hand, the identity of the informant shall never be subject to the right of access to personal data and may only be communicated to the judicial authority, the Public Prosecutor's Office or the competent administrative authority within the framework of an investigation.