The Whistleblowing Directive and its transposition in Spain
Spain, like many Member States, urgently needs to transpose Directive (EU) 2019/1937 on the protection of persons reporting breaches of EU law, the deadline for which expired on 17 December 2021.
On 16 December 2019, Directive (EU) 2019/1937 on the protection of persons who report breaches of European Union law, known as the Whistleblowing Directive, came into force, by which public and/or private companies with more than 50 employees will be obliged to implement this whistleblowing system through internal, confidential and secure channels. The main objective of the directive is to protect those who report corrupt practices, fraud or any violation of national or European laws, by establishing these protected channels of communication and prohibiting any retaliation against them.
The European standard obliged all Member States to adopt the general legal provisions of the Directive by 17 December 2021, which was the deadline for its transposition. To date, only a few countries such as Denmark, Sweden, Portugal, Malta and France have met this deadline. Faced with this situation, in February 2022 the European Commission decided to send letters of formal notice to 24 Member States to take the necessary measures to remedy the non-compliance with EU law. That said, the European regulation grants a 2-year moratorium (until 17 December 2023) for companies with between 50 and 249 employees to comply with the Directive.
Under pressure from the European Commission, on 4 March 2022, the Council of Ministers approved a Draft Bill “regulating the protection of persons who report regulatory infringements and the fight against corruption, for the transposition of Directive (EU) 2019/1937 Whistleblowing”. This draft bill is currently at the parliamentary stage and may be amended by the parliamentary groups until it is passed into law.
Although it is true that the future law may entail an alteration with respect to the current clauses of the Preliminary Draft, it seems clear which are the relevant aspects. In this sense, the following are highlighted:
Scope of application
The obligation to establish internal channels and the measures for the protection of whistleblowers refer exclusively to complaints concerning infringements in certain areas included in the Directive itself, which can be extended by the legislation established by each of the Member States. Specifically, the minimum target scope set out in the Directive concerns infringements of Union law in the following areas: public procurement, financial services, product, food and transport safety, environmental protection, animal health, nuclear safety, public health, consumer protection, privacy and data protection, competition, internal market or the Union’s financial interests. The Draft Bill broadens this objective scope with a generic reference to those infringements of the rest of the legal system “that directly affect or undermine the general interest”, specifying that this interest is understood to be affected when the infringement involves a loss for the Public Treasury.
Obliged Subjects
In the private sector: All natural or legal persons with 50 or more employees. Likewise, all companies, regardless of their number of employees, in the field of the application of European Union acts on financial services, products and markets, the prevention of money laundering or the financing of terrorism, transport safety and the environment.
Finally, political parties, trade unions, employers’ organisations and foundations. Private sector legal entities with fewer than 249 employees will have until 01 January 2023 to implement the Act.
In the public sector: All public sector entities.
Internal and external information systems:
The creation of two information systems, one internal and one external, is foreseen. On the one hand, the creation of an internal whistleblowing channel within companies, in order to: guarantee the protection, confidentiality and personal data protection provisions of the whistleblower (also known as whistleblower); ensure appropriate follow-up practices; acknowledge receipt by the company and organisation within 7 days of receipt of the information; and provide feedback on the resolution of the information within 3 months of the whistleblower’s report.
On the other hand, together with the internal reporting mechanism described above, the legislator foresees the creation, by the administrative authority, of an external channel, reflected in the figure of the Independent Whistleblower Protection Authority or whistleblower, which will determine whether the fact being reported is an infringement and whether it is necessary to protect the whistleblower.
Measures to protect the whistleblower
A total prohibition of reprisals is established, establishing measures to protect the whistleblower from possible acts or omissions that could result in unfavourable treatment and place him/her at a disadvantage compared to others in the labour context, as well as the establishment of measures to support the whistleblower.
Excluded from this protection are those who carry out false or unfounded actions or communications, among others.
Sanctions
The lack of implementation by companies of this whistleblowing channel, or its implementation without carrying out the measures imposed by the Law, will entail sanctions for these companies. The Draft Bill includes offences classified as minor, serious or very serious (classifying as very serious any retaliation against the informant or the violation of confidentiality guarantees or others that are specific to the procedure), with the provision that the commission of offences provided for in the law will entail the imposition of penalties that can be as high as 1,000,000 euros for legal persons.
The figure of internal alerters linked to the figure of compliance is not new, as they already exist in companies and organisations within their regulatory compliance programmes. To this end, the State has been encouraging the creation of whistleblowing channels in organisations in various ways. From the Tax Agency, to the CNMV, the CNMC, the Spanish Data Protection Agency or anti-corruption agencies, many public administrations have set up ethical mailboxes or alert channels.
So-called internal whistleblowing seeks to strengthen the self-control of organisations, so that they are responsible for detecting and sanctioning irregularities that occur in the course of their activities. Whistleblowers are an essential part of compliance programmes. Complying with regulations, their requirements and obligations as early as possible is essential to avoid future sanctions in companies. Thus, Corporate Compliance plays a fundamental role in any company, to avoid being sanctioned for not complying with laws and regulations.
At AddVANTE we have a team of experts in regulatory compliance programmes which we have been developing and implementing since the introduction of criminal liability for legal persons and which grant mitigating or even exonerating effect to corporate liability for those effective compliance programmes which include a whistleblowing channel prior to the commission of a crime.