The Spanish Whistleblower Protection Law

As of March 13th, 2023, Law 2/2023 is the first national legislation protecting whistleblowers across all private organizations employing more than 50 employees within Spain. Public sector entities with any number of employees fall into the scope of the Law, as well as other entities, including political parties, trade unions, employers’ organizations and foundations receiving or managing public funds. Private companies with fewer than 50 employees are not obligated to meet the requirements of Law 2/2023 by December 1st. However, those operating within certain sectors must still abide by existing EU and national reporting channel regulations specific to those sectors1. 

Law 2/2023 aims to protect people who report offenses in a professional or work-related context where the offense could constitute an infringement of EU law and/or serious or very serious criminal or administrative offenses within Spain. Reported issues that obligate protections for the whistleblower include: 

• Financial loss to the Spanish Treasury and Social Security in any capacity
• EU acts that are listed in the Annex to the EU Whistleblowing Directive 
• Violations that affect the financial interests of the Treating on the Functioning of the European Union (TFEU) 
• Infringements impacting the internal market as outlined in EU law. These include breaches of EU competition,  State aid rules and various tax rules

What are the new rules outlined by the Spanish Whistleblower Protection Law?

• The private sectors governed by EU regulations for specific sectors, regardless of their number of employees, include financial services, products and markets, money laundering, terrorist financing, security and environmental protections. The protection requirements specific to these industries under EU law are referred to in parts I.B and II of the Annex to the Directive (EU) 2019/1937 of the European Parliament. Law 2/2023 will apply to these sectors where not governed by these EU sector-specific regulations. 
• Organizations operating within Spain, even without a permanent establishment in Spain, are also affected by the above protection requirements. 
• Public sector entities with any number of employees fall into the scope of Law 2/2023. Also in scope, regardless of number of employees, are entities including political parties, trade unions, employers’ organizations and foundations receiving or managing public funds. 
• Protections also to whistleblowers working in both the public and private sectors – including self-employed workers, shareholders and non-executive members, and supervisory and management bodies. Protection also applies to people no longer working at or with a subject entity, trainees, volunteers and parties involved in the selection process. Those who assist the whistleblower, including legal assistance and other people linked to the whistleblower that may suffer detriment due to the report made, are also afforded protection under the law.
• Internal reporting channels must allow reports in writing or orally, be secure and confidential, and have a clear policy or strategy on the principles of the system published by the entity. There must also be procedures for processing cases, managing information collected during the investigation of each case and providing specific protections for reporters. 
• All internal reporting channels within an entity (e.g., channels for reporting fraud, sexual harassment) must be merged into one. 
• Anonymous reports must be accepted. 
• All organizations within the new law’s scope with a website must publish information on the whistleblowing channel, procedure and policy in an accessible way through a separate, easily-identifiable section of the homepage. 
• Organizations must maintain an internal registry of information received and managed for the purposes of potential future judicial proceedings. 
• If a report indicates a criminal offense or activity, the law requires the reported information to be forwarded to the Public Prosecutor’s Office. If the report indicates the financial interests of the European Union, the information must be forwarded to the European Public Prosecutor. 
• A response on the investigation process must be fed back to the reporter within three months of the report being made. However, this may be extended by an additional three months in complex cases requiring further details or investigation. 
• Per Articles 29 and 32 of the Spanish Whistleblower Protection Law, all personal data must be processed in accordance with the GDPR, but there are additional stipulations for data deletion and segregation. For more information on the specific requirements related to data retention in the Spanish Law, visit this webpage.
• Personal data acquired from reports and the investigation proceedings can be stored for a maximum of three months unless further action is required, in which case it can be stored longer. 
• There are additional measures within the law applicable to internal reporting channels and people who report breaches through them. These measures include: 
  • Voiding any action that may be deemed a retaliation against the reporter, such as denying a license or permit, within two years following the conclusion of an investigation 
  • Granting special protection to the people referred to in a report; this includes the presumption of innocence for the subject of a report, the right to defense, access to their file and data, and the matter remaining confidential throughout the process 
  • Offering the support of the Independent Whistleblower Protection Authority (Autoridad Independiente de Protección del Informante) to those reporting breaches