In 2019, the European Union approved Directive 2019/1937 of the European Parliament and of the Council of 23rd October 2019 with the aim of preventing crime and irregularities within companies. This directive regulates the implementation and management of whistleblowing channels, as well as defining their characteristics and the subjects protected by them.
On the 20th February 2023, Law 2/2023, regulating the protection of persons who report regulatory infringements and the fight against corruption, was approved in Spain, which regulates the introduction of these whistleblowing channels in Spain and the protection of those who, in a work or professional context, detect criminal or administrative infringements and make use of these channels to report them.
The whistleblowing channel is mandatory for all companies with more than 50 employees, as well as for companies that, regardless of the number of employees, want to adopt the ISO 37301 standard on compliance.
The deadline for implementing the whistleblowing channel varies according to the number of employees a company has. For companies with between 50 and 249 employees, the whistleblowing channel should be active before 1st December 2023, while companies with more than 250 employees have a period of 3 months after the enactment of the regulatory law in Spain.
Similarly, companies obliged to implement a whistleblowing channel are also obliged to appoint a Data Protection Officer, for the protection of sensitive data or data that may jeopardise the privacy of those using the channel.
Companies with less than 50 employees are exempted from implementing an internal whistleblowing channel, unless they are required to do so by another law (such as those mentioned above) or by their applicable collective agreement.
The obligation to have the information channel also extends to the public sector, with public administrations, whether territorial or institutional, being obliged to implement it.
This channel must comply with certain requirements, such as accessible use, protection of confidentiality, anonymous communication, monitoring of correct functioning and protection of the worker who uses the channel to report.
With regard to groups of companies, the parent company will be responsible for the implementation of the principles and policies for the coordination of the channels in each of its entities. There is also the possibility of outsourcing the service to an external provider, such as a law firm or consultancy.
Óscar Vilá
Vilá Abogados
For more information, please contact:
24th February 2023