1) Local Laws
a) Has the country implemented any laws / regulations on whistleblowing (Local Law)?
Spain has no national law that specifically regulates whistleblowing. While regional laws passed by the autonomous regions’ parliaments cover some areas, there remains a lack of a national regulation. However, several provisions exist that are linked to internal reporting channels and procedures for different sectors.
- Pursuant to Article 31 bis of the Spanish Criminal Code, related to criminal liability of legal entities, a legal entity shall be exempted from liability if the Board of Directors has adopted, and effectively implemented, prior to the commission of the offence, management models which include the suitable control measures to prevent wrongdoings. These models must make it possible to report any potential risk or breach to the competent body by means of a whistleblowing channel, and to supervise the performance of prevention channels.
- Article 24 of Organic Law 3/2018, of December 5, on the Protection of Personal Data (Law 3/2018) regulates internal reporting channels. Pursuant to this article, it is permissible to establish channels for reporting, even anonymously, the commission of acts or conducts to any private-law entity, within it or in the actions of third parties contracting with it, that may be contrary to the general or sectoral regulations applicable to it.
- Article 26 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (Law 10/2010). This requires the recipients of such legislation (both public and private) to establish procedures for the internal reporting, even anonymously, by employees, managers or agents, of potential or actual violations of any provisions on the prevention of money laundering and terrorist financing regulation.
- Article 64 of Law 9/2017, of November 8, on Public Sector Contracts (Law 9/2017), opens the door to the adoption of compliance programs and the establishment of internal reporting channels in Spanish public procurement. It states that in order to fight against corruption, contracting authorities shall take any measures to combat fraud, favouritism and corruption and to prevent, detect and effectively solve conflicts of interest that may arise in tendering procedures in order to avoid any distortion of competition and to ensure transparency in the procedure and equal treatment of all candidates and tenderers.
Some Autonomous Communities have taken the lead in legislating on this issue. For example, Castilla y León approved Law 2/2016, of November 11, on information and reports received by the Autonomous Administration on crimes against the Public Administration, establishing special guarantees for informants, and Aragon approved Law 5/2017 on Integrity and Public Ethics.
In addition, several authorities have published guidelines and best practice in this matter.
- Report 1/2016 of the Prosecutor General’s Office pointed out the need for organisations to establish internal channels that allow employers and managers to report any irregularity, guaranteeing at all times that whistleblowers will not suffer any kind of reprisals.
- 2006 Unified Code of Good Governance for Listed Companies stated in recommendation 49 that companies should “establish and supervise a mechanism that allows employees to communicate confidentially and, if considered appropriate, anonymously, irregularities of potential importance, especially financial and accounting ones, that they notice within the company.”
- Report No. 128/2007 and Guidelines in Protection of workers’ personal data drafted by Spanish Data Protection Agency.
- Several recommendations by Transparency International España (TI).
- Guidelines from the Spanish National Competition and Markets Authority issued in 2020 on compliance programmes, where guidance is provided on the design and use of internal reporting channels as well as consequences or benefits of having adequate compliance measures and reporting channels.
2) Scope of application
a) What types of wrongdoings are covered by the Local Law? Does it cover breaches of EU law?
Yes. As stated previously, Article 24 of Law 3/2018 allows internal reports within a private entity for the commission of acts “that may be contrary to the general or sectoral regulations applicable to it.” Therefore, this broad regulation may cover several breaches of EU law e.g. data protection.
In criminal law, if companies set up specific channels, whistleblowers are allowed to report any conduct that may entail the company’s liability for any of the crimes that can be committed by them (e.g. offences against natural resources and the environment, offences against public health, and offences against the market and consumers). In addition, Law 10/2010 covers internal reports regarding the prevention of money laundering and terrorist financing regulation.
The Spanish Competition Authority has also set up a channel that allows any person to report conduct prohibited by Law 15/2007 on the Defense of Competition or by EU legislation, such as the Treaty on the Functioning of the European Union, including price fixing, market sharing and other anticompetitive conduct. Reports can also be anonymous, as the channel allows for encrypted and anonymous communication with the authority.
b) Personal scope
- Does the Local Law apply to reporting persons working in both the private and public sectors?
Yes. Article 24 of Law 3/2018 applies to both public and private entities. Thus, internal reporting channels are available for reporting breaches within the entity or in the actions of third parties contracting with it. Employees and third parties must be informed about the existence of these information systems.
Article 26 of Law 10/2010 requires the addressees of anti-money laundering legislation (both public and private) to establish procedures for the effective internal reporting, by employees, managers or agents, of any potential or actual breach under the scope of the prevention of money laundering and terrorist financing regulation.
- Does the Local Law apply only to breaches that the reporting person became aware of in a work-related context?
No. As no specific law on whistleblowing exists in Spain, it is unclear whether the broad provisions regulating internal reporting channels mentioned previously apply only to breaches that the reporting person became aware of in a work-related context.
- Does the Local Law also protect: facilitators; people connected to the whistleblower and who could suffer retaliation in a work-related context; and legal entities the whistleblower owns, works for, or is otherwise connected with?
No, local law does not extend to such facilitators.
c) Does the Local Law require specific conditions to protect reporting persons?
No specific conditions for the protection of reporting persons are provided by local law. In this area, TI recommends avoiding strict conditions that could limit or affect the filing of potential reports.
3) Reporting channels
a) Does the Local Law allow anonymous reports? How are companies/agencies meant to handle them?
Any reporting channel should ensure that any whistleblower (generally company employees) is protected. Law 3/2018 on Protection of Personal Data and Law 10/2010 on the prevention of money laundering and terrorist financing allow employees, managers or agents to report anonymously.
b) Is there a duty of confidentiality and any derogation from this duty?
Pursuant to Article 24.3 of Law 3/2018, “Necessary measures must be taken to preserve the identity and guarantee the confidentiality of the data belonging to the persons affected by the information provided, especially the one belonging to the person who has brought the facts to the attention of the entity, if he or she has been identified.”
Pursuant to Article 30 of Law 10/2010, “The addressee entities shall adopt appropriate measures to maintain confidentiality regarding the identity of employees, managers or agents who have reported operations that show signs or are certainly related to money laundering or terrorism financing to the internal control bodies.”
c) Public disclosures: does the Local Law provide for this possibility?
Yes. According to Article 259 of the Spanish Criminal Procedural Law, anyone who acknowledges a criminal activity is obliged to report it to the authorities. Therefore there is always the possibility to bring the facts to the authorities whenever the whistleblower believes that his report is not being effectively addressed.
4) Reporting channels: internal
a) Is there an obligation for private and/or public legal entities to establish channels and procedures for internal reporting and follow-ups?
No. There is no general obligation to implement channels and procedures for internal reporting.
Notwithstanding this, there is an obligation to establish channels and procedures for internal reporting in the field of anti-money laundering and, pursuant to Article 53 of Law 10/2010, failure to implement internal reporting channels can be considered a minor infringement and sanctioned with fines of up to EUR 60,000.
Additionally, the Spanish Criminal Code foresees channels as factors of efficiency of criminal risk prevention programs. Likewise, there are no specific requirements on how these channels should be implemented.
And, finally, the Spanish National Competition and Markets Authority has recognised in public guidelines issued in 2020 that compliance programmes including adequate internal reporting channels may yield benefits to the companies such as mitigating economic fines.
b) Do internal reporting channels need to allow reporting in writing, orally or both?
No specific conditions are provided for in local law. TI recommends avoiding strict conditions that could limit or affect the filing of potential reports.
c) Procedures for internal reporting and follow-up: does the Local Law require legal entities to adopt internal reporting systems with the following elements?
- Channels able to ensure the confidentiality of the identity of the reporting person and the protection of third parties mentioned in the report:
The confidentiality of the reporting person’s identity (employee, manager or agent) and the data of the people affected by the information provided must always be ensured.
The Spanish Data Protection Agency recommends the adoption of measures such as:
- Restricting access to the content of the complaints only to users who carry out the investigation and listing them in the security document.
- Establishing a system for recording accesses, even when it is not appropriate to apply high level measures.
- Signing reinforced commitments of confidentiality with authorised users, with special measures to discourage the breach of the duty of secrecy.
The Spanish National Competition and Markets Authority also recommends that channels are able to ensure confidentiality of the relevant identities.
- Acknowledgement of receipt of the report to the whistleblower within seven days of receipt:
Acknowledgment of receipt of the report is not provided for in local law but the Spanish National Competition and Markets Authority generically recommends compliance programmes include details on how to handle complaints.
- The designation of an impartial function/team to manage follow-ups on reports and maintain communication with the whistleblower:
This is not provided for by local law.
Nevertheless, under Law 3/2018, access to the data contained in the internal reporting systems will be limited exclusively to those who, whether or not they are part of the entity, carry out the functions of internal control and compliance, or those who are responsible for data processing that may be designated for this purpose.
However, it will be lawful for other people to have access to the data, or even for them to communicate it to third parties, when this is necessary for the adoption of disciplinary measures or for the beginning of legal proceedings, if applicable. Without prejudice to the notification to the competent authority of facts that can be taken into account to file a criminal or administrative proceeding, only where disciplinary measures may be taken against an employee shall such access be allowed to staff with human resources management and control functions.
The Spanish National Competition and Markets Authority recommends that claims are handled by an independent and autonomous employee, preferably a dedicated compliance manager that reports directly to the company’s governance body.
- Any other follow-up requirements including those for anonymous complaints:
There are no other follow-up requirements.
- A reasonable timeframe to provide feedback, not exceeding three months from acknowledgment of receipt or, if no acknowledgement was sent, three months from the expiry of the seven-day period after a report is made:
No. In this area, TI appreciates the establishment of a maximum time limit to provide feedback and for the report’s resolution. TI considers that an extension of this time limit could be advisable and justified due to the complexity of the case. Such an extension must be supported by a reasoned submission setting out the motives for the extension. This resolution should also be communicated to the whistleblower, giving its opinion on the delay of the proceedings.
- Providing clear and easily accessible information on internal reporting procedures and external reporting procedures to competent authorities and/or EU institutions/bodies:
This is not provided for by local law. There is only an obligation to inform employees and third parties about the existence of these information systems.
Should legal entities take any additional measures in order to comply with the above requirements?
As internal reporting channels are not entirely regulated under Spanish law, and are not mandatory, following transposition of the EU Directive it will be essential to take several measures to be compliant.
It will be necessary for public entities and private companies with more than 50 employees to implement at least one internal reporting channel and/or adapt existing channels to the requirements set forth by the Directive.
Companies will need to implement the following measures:
- Reporting persons will include not only employees, but also self-employed workers, volunteers, trainees, shareholders, etc.
- In addition to the breaches mentioned previously, it must be allowed to report all breaches defined by the EU Directive, especially public procurement.
- Whistleblowers must be protected from retaliation, both directly and indirectly, including colleagues and relatives.
- Establishing a system that allows the acknowledgement of receipt of the report to the whistleblower in the time frame set forth by the EU Directive.
- Designation of an impartial team which manages follow-ups on the reports and maintains communication with the whistleblower.
- Providing clear and easily accessible information on internal reporting procedures as well as on external reporting procedures to competent authorities and/or any EU institutions and bodies.
For reporting channels, in addition to written reports, entities should allow whistleblowers to report orally by free telephone line or other voice messaging system, or both. At the request of the reporting person, it must also be possible to make reports through face-to-face meetings.
The Spanish National Competition and Markets Authority also recommends channels that allow both consultation on whether a specific practice is legal and proper complaints of potentially illicit conduct.
5) Reporting channels: external
a) Has the country designated a competent authority to receive and investigate whistleblower disclosure and retaliation complaints?
There are only sector-specific provisions.
- Breaches within the scope of Law 10/2010 can be reported to the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (Sepblac).
- The Spanish Competition Authority is the authority in charge of the Leniency Programme and the collaboration channel that allows any person to report conduct prohibited by Law 15/2007 on the Defense of Competition, such as price fixing and market sharing.
- Some autonomous regions have created an integrity office to receive reports and conduct investigations.
b) Is an independent and autonomous external reporting channel already established in the country?
The Spanish Competition Authority has set up a collaboration channel in addition to the Leniency Programme that allows any person to report conduct prohibited by Law 15/2007. This channel allows the complainant to remain anonymous. In addition, a special reporting channel was set up to report breaches related to the COVID-19 crisis.
The Labour and Social Security Ministry set up its own reporting channel in 2013. The National Securities Market Commission established a reporting channel in 2018.
6) Processing of personal data
a) Is personal data concerning the reports processed in compliance with local and EU legislation such as EU Regulation 2018/1725 and local privacy laws?
Entities are required to comply with applicable data protection regulation e.g. Law 3/2018.
7) Record keeping of reports
a) Is there any obligation regarding record keeping of reports as provided for by the EU Directive?
Pursuant to Law 3/2018, data of the person making the communication and of the employees and third parties should be kept in the internal reporting system only as long as is necessary to decide on the appropriateness of starting an investigation with the facts reported.
In any case, after three months from the communication, it must be deleted from the internal reporting system, unless the purpose of conservation is to leave evidence of the effective performance of prevention models established by the legal entity. Those reports that had not been followed up may only be recorded in anonymous form.
a) Is there any difference between whistleblower protections in the private and public sectors?
No, there is no difference between protection in the private and public sectors.
b) Are whistleblowers protected against all forms of retaliation including threats and attempts of retaliation? Which forms of retaliation are expressly indicated?
Not specifically. However, from a labour perspective there is a jurisprudential rule that protects employees from being dismissed in retaliation. Employees who have reported any misconduct from their employer have protection from the labour courts. This protection derives from the interpretation of Article 24 of the Spanish Constitution, which grants the constitutional right of being protected by the Spanish Courts of Justice.
c) Does the Local Law provide for any other measures of support such as those indicated in the EU Directive?
There are no additional measures of support.
d) Does the Local Law provide for the necessary measures to prohibit any form of retaliation against whistleblowers?
No such measures are provided for in local law.
e) Does the Local Law provide for any remedial measures, including interim relief measures?
No, local law does not provide for such remedial measures.
f) Does the Local Law provide for exemptions from liability for whistleblowers?
No exemptions from liability are provided for.
g) Does the Local Law provide for sanctions against natural and legal persons that violate whistleblowers’ protection or the duty of maintaining the confidentiality of their identity?
Sanctions for violating the duty of maintaining the confidentiality of the identity of whistleblowers and its protection are not provided for by local law.
h) Does the Local Law provide for sanctions in case of false reports?
In general terms, no. However, a false report could constitute a criminal offence itself.
9) Other issues
a) Under the Local Law, is adopting a whistleblowing system relevant to assess the adequacy of a compliance program? Does this have any value to mitigate or eliminate criminal liability for legal entities?
Yes, this new set of rules will add further detail and instruction to properly advise on the adequacy of a compliance program.
The Spanish National Competition and Markets Authority has recognised that adequate compliance programmes may yield benefits to the companies such as mitigating economic fines.
b) Does the Local Law or another law in your country provide for whistleblower reward programs?
Such reward programs are not provided for by local law, except for the leniency programme in the context of anticompetitive conduct reported to the Spanish National Competition and Markets Authority.
c) Can companies benefit from any incentives in the case of voluntary self-disclosure of violations they became aware of following an internal report?
Confession is a mitigating factor foreseen in Article 21.4 of the Spanish Criminal Code. To mitigate the penalties, offenders are requested to report to the authorities before they learn that a criminal prosecution is being brought against them.
The Spanish competition legislation foresees benefits for companies in the context of its leniency programme, where companies can be exonerated from payment of fines that could have otherwise been imposed and avoid associated penalties such as prohibitions to contract with the public administration.
d) Will implementing the EU Directive create any issues with obligations provided for under other laws / regulations?
The main issue we foresee is a debate on who will administer and be responsible for the channels implemented in the public sector.
From a regional perspective, since there are regional regulations that cover whistleblowing, they will need to be adapted.