Whistleblower protection and reporting channels in Spain

1. Is there a law on whistleblowing in your country?

In Spain, EU Directive 2019/1937 on whistleblowing was transposed by Law 2/2023 of 20 February on the protection of persons who report regulatory offences and the fight against corruption of 21 February 2023 (Law 2/2023).

Law 2/2023 sets forth the obligation of employers to implement internal information systems in order to report any breach that may occur in the workplace or related to the work environment and to ensure the effective protection of those making the complaint. The aim is to protect whistleblowers against reprisals when reporting serious or very serious criminal or administrative offences in the context of an employment or professional relationship.

The internal information system must be available, according to Law 2/2023, to the following:

  • Shareholders and persons belonging to the management body, regardless of whether they have a special employment or corporate relationship.
  • Employees working under the supervision of contractors, subcontractors, or suppliers.
  • Former employees.
  • Trainees, regardless of whether or not they are on payroll.
  • Employees whose employment engagements have not yet started, if they obtained information during the recruitment process or pre-contractual negotiations.

It broadly applies to cases in which the whistleblower has obtained information disclosed (i) in the context of an employment relationship that has ended; and (ii) in the recruitment or precontractual negotiation process, among others.

2. Does local law require private entities to establish a whistleblowing system? (If so, which private entities?)

Yes. Law 2/2023, since 13 June 2023, obliges private entities with 250 or more employees to bring into force the necessary laws, regulations, and administrative provisions to comply with the obligation to establish internal information systems.

For other companies with 50 or more employees, the implementation will come into effect before 1 December 2023.

The Law sets out a list of infringements related to the implementation of an internal information system.

A breach of these obligations, related to the correct implementation of the reporting channel, may lead to penalties ranging from EUR 100,000 up to EUR 1 million for legal entities, depending on the seriousness of the circumstances.

In particular, not establishing an internal information system may lead to penalties ranging from EUR 600,000 up to EUR 1 million. These fines will be imposed along with: (i) a public warning; (ii) prohibition to obtain subsidies or tax benefits for a maximum of four months; or (iii) a temporary suspension of the administrative authorisation to operate.

4. Are there any mandatory requirements for establishing a reporting channel under local labour law?

Yes. Under Spanish employment law, companies must consult employee representatives on the applicable internal information system. They can then issue a non-binding report.

5. Does local law require employee involvement when establishing a whistleblowing system?

No. Additional involvement of the employees is not necessary when implementing the internal information system, notwithstanding the obligation companies have to inform employees of the system in place in order to guarantee the correct use of this hotline.

6. Does local law prohibit employees from disclosing irregularities/misconduct externally, e.g. to the public?

There is no express prohibition under Law 2/2023 against disclosing irregularities/misconduct externally.

Furthermore, the internal channels will include information on any applicable external channel through which employees may also disclose irregularities.

If it can be shown that an employee has been dismissed due to their involvement in a complaint and the matter is litigated, the court may consider the dismissal null and void if there is evidence that this course of action was due to retaliation (and if the grounds disassociating the dismissal from the employee’s complaint were insufficient).

For the purposes of the law, examples of retaliation include: (i) suspension of the employment contract; (ii) dismissal or termination of the employment relationship (including failure to renew or early termination of an employment contract after the trial period has ended); (iii) imposition of any type of disciplinary measure; (iv) demotion or withholding of promotion; (v) substantial modification of working conditions; and (vi) failure to convert a temporary employment contract into a permanent one when the employee had legitimate expectations of being offered permanent employment, among others.

8. Are there any mandatory requirements and/or accompanying measures under local data protection law?

According to Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (Law 3/2018), there are certain regulations on the processing of personal data that must be complied with when establishing an internal whistleblowing system for companies. These regulations, included in article 24 of the Organic Law 3/2018, are as follows:

  • Legal basis for the processing of personal data – As mentioned in the preamble of the Law 3/2018, the legal basis for the processing of personal data is the public interest according to Art. 6(1)(e) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or GDPR).
  • Minimisation and purpose limitation – It is crucial that reports only refer to cases in which the facts or actions have an effective implication on the relationship between the company and the reported party and the information obtained this way may not be used for any purpose other than the implementation of the whistleblowing system.
  • Access to personal data processed in the whistleblowing system – The personal data in the system will be accessible exclusively to those carrying out internal control and compliance functions or to the data processors designated for this purpose. Access by other persons or communication to third parties will only be lawful when it is necessary for the adoption of disciplinary measures or the processing of legal proceedings.
  • Where disciplinary measures may be taken against an employee for acts constituting criminal or administrative offences, access will be granted to staff with human resources management and control duties without prejudice to the notification to the competent authority.
  • Measures to preserve the identity and ensure confidentiality of the whistleblower – In case of an identified reporting system, the whistleblower's information must be kept secure, and their identification must not be made available to the respondent. This requires implementing reinforced measures of security and confidentiality of the information.
  • Data retention – Personal data processed (concerning whistleblowers, employees and third parties) should be kept only for the amount of time necessary to investigate the facts, unless the investigation leads to certain measures against the accused, in which case it would be possible to keep the data stored for a longer period.
  • In any event, the data must be deleted three months after having been entered into the whistleblowing system, unless the purpose of keeping this record is to provide evidence that the company’s criminal prevention protocol is functioning correctly.
  • Once those three months have elapsed, personal data may continue to be processed by those who are carrying out internal control and compliance functions for investigating the facts reported. In this case, personal data may not be kept in the internal whistleblowing system.
  • Reports that have not been followed up may only be recorded in an anonymised way. In this case, the obligation to suppress personal data (Art. 32) will not apply and personal data will be deleted without having to be kept for three years.

The abovementioned regulations will apply to the internal whistleblowing systems in Public Administrations.

9. Does local law prohibit a group of entities from different jurisdictions from setting up a joint whistleblowing system?

No. However, a joint whistleblowing system must also comply with the EU's GDPR and Law 3/2018, as mentioned above.

It would be necessary to carry out a case-by-case assessment on the data protection implications of a joint whistleblowing system and consider that confidentiality must be ensured. If the joint whistleblowing system may comply with applicable legislative requirements, as previously mentioned, then it may be possible to set up a joint whistleblowing system of various entities in different jurisdictions, but any prior assessments must be taken into account to avoid data protection violations.

César Navarro
Partner
Madrid
Cristina Ridruejo Ruiz
Senior Associate
Madrid