
The Spanish Whistleblower Protection Law

Explore the Spanish Whistleblower Protection Law, including compliance requirements, scope, and how to support and protect reporting in your organization


Spanish Whistleblower Protection Law overview

Law 2/2023 outlines the protection of persons who report breaches of law and seek to combat corruption. Published in the Official State Journal on 21st February 2023 and entering into force on March 13th, 2023, this law marks Spain as the eighteenth country in the EU to adopt legislation implementing the EU Whistleblower Protection Directive. 

Before the implementation of Law 2/2023, Spanish law lacked a unified approach to whistleblower protection. Although a patchwork of national and regional laws and regulations provided some protection for whistleblowers, they varied widely in scope, coverage and effectiveness. For example, these existing laws covered the financial sector with respect to the prevention of money laundering and terrorist financing, as well as violations of law on the handling of personal data, but they did not provide comprehensive protection for whistleblowers in all sectors or meet all EU Whistleblower Protection Directive requirements.

As of March 13th, 2023, Law 2/2023 is the first national legislation protecting whistleblowers across all private organizations employing more than 50 employees within Spain. Public sector entities with any number of employees fall into the scope of the Law, as well as other entities, including political parties, trade unions, employers’ organizations and foundations receiving or managing public funds. Private companies with fewer than 50 employees are not obligated to meet the requirements of Law 2/2023 by December 1st. However, those operating within certain sectors must still abide by existing EU and national reporting channel regulations specific to those sectors.

Law 2/2023 aims to protect people who report offenses in a professional or work-related context where the offense could constitute an infringement of EU law and/or serious or very serious criminal or administrative offenses within Spain. Reported issues that obligate protections for the whistleblower include: 

  • Financial loss to the Spanish Treasury and Social Security in any capacity
  • EU acts that are listed in the Annex to the EU Whistleblowing Directive 
  • Violations that affect the financial interests of the Treaty on the Functioning of the European Union (TFEU)
  • Infringements impacting the internal market as outlined in EU law. These include breaches of EU competition, State aid rules and various tax rules

What does the new law in Spain cover?

The Spanish Whistleblower Protection Law adopts the minimum standards for whistleblower protection outlined in the EU Whistleblower Protection Directive. These requirements include:

  1. A secure and confidential channel for receiving whistleblower reports must be in place 
  2. Acknowledgment of the receipt of every whistleblowing report must be provided to the whistleblower within seven days
  3. An impartial person or department must be appointed to follow up on the reports 
  4. Records must be kept of every report received in compliance with confidentiality requirements 
  5. There must be diligent follow-up of the report by the designated person or department 
  6. Feedback on the follow-up or investigation must be given to the whistleblower within three months of receiving the report
  7. All processing of personal data must be completed in accordance with GDPR

What are the new rules outlined by the Spanish Whistleblower Protection Law?

  • The private sectors governed by EU regulations for specific sectors, regardless of their number of employees, include financial services, products and markets, money laundering, terrorist financing, security and environmental protections. The protection requirements specific to these industries under EU law are referred to in parts I.B and II of the Annex to the Directive (EU) 2019/1937 of the European Parliament. Law 2/2023 will apply to these sectors where not governed by these EU sector-specific regulations. 
  • Organizations operating within Spain, even without a permanent establishment in Spain, are also affected by the above protection requirements. 
  • Public sector entities with any number of employees fall into the scope of Law 2/2023. Also in scope, regardless of number of employees, are entities including political parties, trade unions, employers’ organizations and foundations receiving or managing public funds. 
  • Protections also extend to whistleblowers working in both the public and private sectors – including self-employed workers, shareholders and non-executive members, and supervisory and management bodies. Protection also applies to people no longer working at or with a subject entity, trainees, volunteers and parties involved in the selection process. Those who assist the whistleblower, including legal assistance and other people linked to the whistleblower that may suffer detriment due to the report made, are also afforded protection under the law.
  • Internal reporting channels must allow reports in writing or orally, be secure and confidential, and have a clear policy or strategy on the principles of the system published by the entity. There must also be procedures for processing cases, managing information collected during the investigation of each case and providing specific protections for reporters. 
  • All internal reporting channels within an entity (e.g., channels for reporting fraud, sexual harassment) must be merged into one. 
  • Anonymous reports must be accepted. 
  • All organizations within the new law’s scope with a website must publish information on the whistleblowing channel, procedure and policy in an accessible way through a separate, easily-identifiable section of the homepage. 
  • Organizations must maintain an internal registry of information received and managed for the purposes of potential future judicial proceedings. 
  • If a report indicates a criminal offense or activity, the law requires the reported information to be forwarded to the Public Prosecutor’s Office. If the report indicates that the financial interests of the European Union are affected, the information must be forwarded to the European Public Prosecutor.
  • A response on the investigation process must be fed back to the reporter within three months of the report being made. However, this may be extended by an additional three months in complex cases requiring further details or investigation. 
  • Per Articles 29 and 32 of the Spanish Whistleblower Protection Law, all personal data must be processed in accordance with the GDPR, but there are additional stipulations for data deletion and segregation. For more information on the specific requirements related to data retention in the Spanish Law, visit this webpage.
  • Personal data acquired from reports and the investigation proceedings can be stored for a maximum of three months unless further action is required, in which case it can be stored longer. 
  • There are additional measures within the law applicable to internal reporting channels and people who report breaches through them. These measures include: 
    • Voiding any action that may be deemed a retaliation against the reporter, such as denying a license or permit, within two years following the conclusion of an investigation 
    • Granting special protection to the people referred to in a report; this includes the presumption of innocence for the subject of a report, the right to defense, access to their file and data, and the matter remaining confidential throughout the process 
    • Offering the support of the Independent Whistleblower Protection Authority (Autoridad Independiente de Protección del Informante) to those reporting breaches


What other frameworks does the Spanish legislation cover?

Law 2/2023 broadens the scope of the “Reporting System Officer” position – the private-sector company’s designated role responsible for managing the internal reporting system. The Senate amended the original Bill to allow existing compliance or ethics officers to serve in this role if they meet the requirements.

An organization can manage the required internal information system itself or contract the service to a specialized external third party – as long as it can also ensure independence, confidentiality and adherence to data protection and sharing requirements. Outsourcing the management of this internal reporting system does not release the Reporting System Officer from liability.

The law also outlines the penalties for entity-level or individual actions that limit the rights of whistleblowers or amount to retaliation against the reporter. 

For entities, infringements of the law result in penalties that range from €100,000 for minor offenses to upwards of €1 million for serious offenses. Additional sanctions for serious offenses allow the Independent Authority for the Protection of Informants to impose a public reprimand, a ban on obtaining subsidies or tax benefits for up to four years, and/or a ban on contracting with the public sector for up to three years. Fines for individuals range from €1,000 for minor offenses to €300,000 for serious offenses.

The sanctions for non-compliance include a leniency system in the cases of reporters involved in the reported offense if they fully cooperate with the investigation proceedings. Failure to implement an internal reporting system in compliance with the law qualifies as a very serious breach and can result in a penalty of between €600,001 and €1,000,000.

Your Definitive Guide to Whistleblowing & Incident Management

A strong incident management system is critical to meeting Spanish whistleblowing laws, building trust, and protecting your organization.