2024 WLG Whistleblower Guide: Spain

Is there a law to protect whistleblowers? If so, which law?

Yes. Spanish Law 2/2023, of February 20, regulates the protection of persons who report regulatory infringements and the fight against corruption, which implements the EU Directive 2019/1937 on the protection of persons who report breaches of Union law. 

Are companies legally obliged to introduce a whistleblowing system?

Yes, companies that meet certain thresholds are legally obliged to introduce a whistleblowing system under Law 2/2023.

If so, which companies must introduce a whistleblowing system (number of employees, turnover, sector)?

(i) Companies in the private sector with 50 or more employees; 

(ii) Companies in the public sector;

(iii) Companies that fall within the scope of application of the European Union acts on financial services, products and markets, prevention of money laundering or terrorist financing, transport security, and environmental protection referred to in Parts I.B and II of the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019); and

(iv) Political parties, trade unions, business organizations and foundations created by them, provided that they receive or manage public funds.

What forms can a whistleblowing system take (written, verbal, email, electronic tool)?

Law 2/2023 does not specifically mention the form that a whistleblowing system must take, although it establishes that the whistleblowing system must be designed, established, and managed in a secure manner, so as to guarantee the confidentiality of the identity of the whistleblower and any third party mentioned in reports, and of the actions carried out in the management and processing thereof, as well as data protection, preventing access by unauthorized personnel. 

Under Law 2/2023, the whistleblowing system must integrate the different internal information channels established within the entity. Reports may be made either in writing, by mail, or by any electronic means provided for this purpose, or verbally, by telephone, or by voice messaging system. At the request of the whistleblower, it may also be submitted by means of a face-to-face meeting.

Which reports must be permitted?

The whistleblowing system must permit reports concerning: 

-Any actions or omissions that may constitute violations of European Union law provided that: (i) they fall within the scope of the European Union acts listed in the annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019 on the protection of persons who report breaches of Union law; (ii) they affect the financial interests of the European Union; or (iii) they impact the internal market, including breaches of European Union competition rules and state aid, as well as breaches related to the internal market concerning acts that infringe corporate tax rules or practices aimed at obtaining a tax advantage that undermines the object or purpose of the applicable corporate tax legislation.

-Actions or omissions that may constitute serious or very serious criminal or administrative offenses. In any case, all serious or very serious criminal or administrative offenses that involve economic damage to the Public Treasury and Social Security shall be understood to be included.

Must anonymous reporting be guaranteed?

Yes.

Who must be able to provide information (only employees or also external third parties)?

The following persons fall under the scope of protection of the law: (a) employees; (b) self-employed individuals; (c) shareholders, partners, and persons belonging to the administrative, management, or supervisory body of a company, including non-executive members; (d) any person working for or under the supervision and direction of contractors, subcontractors, and suppliers; (e) volunteers, interns, and trainees regardless of whether they receive remuneration; (f) persons whose work or statutory relationship has already ended; and (g) persons whose work relationship has not yet begun.

Can companies rely on one centralized hotline or is it necessary to have one hotline for each subsidiary?

Law 2/2023 provides that in the case of a group of companies, the whistleblowing system may be one for the entire group. The responsible of the whistleblowing system may also be one for the entire group, or one for each member company, subgroup, or set of companies.

Can a whistleblowing system also be operated by an external body (e.g. consultant)?

According to Law 2/2023, the administrative body or governing body of each entity or organization shall designate the individual responsible for the management of the whistleblowing system, who shall be an executive of the entity that will perform his or her duties independently of the administrative or governing body of the entity. However, the receipt of reports can be outsourced to an external third party.

Are sanctions imposed for failure to introduce a whistleblowing system?