Law 2/2023 of 20 February 2023, which entered into force on 13 March 2023, has a significant impact on medium and large companies, which will be obliged to implement an internal whistleblowing system.
Who is protected?
The main objective of the regulation is to protect those who report corrupt practices, fraud or any violation of national or European laws in the work or professional context, by establishing protected channels of communication and prohibiting any retaliation against them.
Which entities are obliged by law?
The entities obliged by law to establish whistleblowing systems and to guarantee protection measures are both in the private and public sector. In the private sector, the following entities are obliged to do so:
- Natural or legal persons in the private sector who have fifty or more employees.
- Legal entities in the private sector that fall within the scope of European Union acts on financial services, products and markets, prevention of money laundering or terrorist financing, transport security and environmental protection, regardless of the number of employees, and which will have an internal information system in accordance with their specific regulations.
- Political parties, trade unions, business organisations and foundations created by them when they receive or manage public funds.
What is the deadline for setting up the internal information system?
The deadline for the implementation of the system for companies with more than 249 employees is 3 months from 13 March to 13 June; and as an exception, this deadline is extended to 1 December 2023 for companies with between 50 and 249 employees.
What whistleblowing systems does the new law provide for?
The reporting systems foreseen for channelling infringements are:
- The company’s internal channel, which must guarantee the protection, confidentiality and anonymity (if desired) of the whistleblower.
- The external channel or the Independent Whistleblower Protection Authority.
- Public disclosure on web, social media or media platforms, where internal or external channels have not worked; there is an imminent threat to the public interest; or there is a risk of retaliation or ineffective treatment.
What are the requirements for the internal reporting system?
The main characteristics of the internal system are the following:
- Guarantee the confidentiality of the identity of the informant and of any third party mentioned in the communication, as well as of the actions carried out in the management and processing of the communication and data protection.
- Allow communications to be submitted in writing or verbally, or both.
- Integrate the different internal information channels that may be established within the entity.
- Ensure that the communications submitted can be dealt with effectively within the corresponding entity, so that the entity itself is the first to know about the possible irregularity.
- Have a person responsible for the system.
- Have a policy or strategy that sets out the general principles of internal information systems and whistleblower protection and that is duly publicised within the entity or body.
- Have a procedure for managing the information received.
- Establish guarantees for the protection of whistleblowers within the entity or body itself.
- Companies with between 50 and 249 employees may share the internal information system and the resources allocated to the management and processing of communications.
- In the case of groups of companies, the possibility of establishing an integrated information system, with a single person responsible for it, is envisaged.
Non-compliance or deficient implementation of the information systems will lead to penalties which, in the case of very serious infringements, may include:
- Fines of up to €1,000,000 for legal persons and €300,000 for natural persons.
- Public reprimands.
- Prohibition from obtaining subsidies or other tax benefits for a period of 4 years.
- Prohibition from contracting with the public sector for a period of 3 years.
Who is responsible for the implementation and management of the system?
The management body of the company is responsible for the implementation of the whistleblowing information system, after consultation with the legal representation of the employees. With regard to the management of the system and the processing of communications, entities must have a person responsible for the internal information system.
This new obligation provided for in Law 2/2023, of 20 February, transposes the Whistleblowing Directive into Spanish law, aims to reinforce the compliance culture of public and private entities, and is in addition to the policies, protocols, plans, codes and procedures that companies must implement with their workforces.
At Baker Tilly – AddVANTE we have a team of experts in regulatory compliance programmes, which we have been developing and implementing since the reform of the Criminal Code introduced the exemption of legal persons from criminal liability, in which the whistleblowing channel plays an essential role.