Skip to content
AS
Alonso Sala
CRIMINAL LAWYERS
ES
Legal Analysis

The Corporate Internal Investigation After a Sign of Crime

calendar_todayJune 18, 2026

Last updated:

listIn this article

lightbulbKey Takeaways

  • check_circleInvestigate, yes, but with safeguards
  • check_circleDigital evidence: prior policy and proportionality
  • check_circleWhistleblowing channel (Law 2/2023)
  • check_circleKey evidence for Art. 31 bis CP

Quick answer

An internal investigation is the procedure by which a company clarifies, before or during criminal proceedings, an indication of a crime arising within it. For it to serve as exculpatory evidence and reinforce the exemption under Art. 31 bis of the Criminal Code (CP), it must respect the rights of the investigated employee (privacy, data protection and the right against self-incrimination) and obtain evidence proportionately and with a sound chain of custody. Poorly executed, it can become the main evidence against the company itself.

When an alert is raised in the whistleblowing channel, an auditor spots an accounting discrepancy, or management receives a request from the authorities, the company faces a delicate decision: whether to investigate internally what has happened. The internal investigation is today a central piece of criminal compliance and, well executed, the best evidence that the prevention model works. Poorly executed —violating the employee's rights or gathering evidence without safeguards— it can turn against the company itself and its directors. As a firm that directs corporate internal investigations, we explain its legal framework from a strictly defensive standpoint.

What an Internal Investigation Is and When It Is Triggered

The internal investigation is the procedure, ordered by the company, to clarify potentially criminal acts committed within its area of activity. It is neither a parallel trial nor a substitute for judicial proceedings: its purpose is to find out what happened, assess the organisation's criminal risk, and decide on internal measures and, where appropriate, disclosure to the authorities. It is usually triggered by one of four routes:

  • A report through the whistleblowing channel (internal information system).
  • An audit or internal-control alert.
  • A finding during a due diligence process, typically in an acquisition or restructuring.
  • A request from a public authority (the Prosecutor's Office, a court, a supervisory body).

The decision to open the investigation and its precise scope must be documented from the very first moment. Article 31 bis 5 CP itself requires the prevention model to impose the obligation to report and investigate risks and breaches, so failing to act on reasonable indications directly compromises the company's position.

There is no single, self-contained statute in Spain governing the internal investigation; its regime is built from several sources worth bearing in mind:

  • The Criminal Code (CP) (Art. 31 bis), which links the functioning of the prevention model to the exemption or mitigation of the legal entity's liability.
  • Law 2/2023, on the protection of persons who report breaches, which governs the whistleblowing channel and the handling of reports.
  • Data protection law (the GDPR and Organic Law 3/2018), which regulates the processing of the investigated person's personal data.
  • The Workers' Statute, which delimits the employer's monitoring powers and their limits.
  • The fundamental rights of the employee (privacy, secrecy of communications, data protection, the right not to testify against oneself), as interpreted by settled constitutional doctrine and by the case law of the European Court of Human Rights.

The practical consequence is clear: the company may investigate, but not at any cost. Evidence obtained in breach of fundamental rights is null and taints derivative evidence, while also exposing the company to labour and data-protection liabilities.

Rights of the Investigated Employee

An employee subject to an internal investigation does not forfeit their safeguards. An investigation that tramples them is not only unlawful: it is worthless as exculpatory evidence. The essential rights are:

  • Privacy and proportionality: any monitoring measure (access to devices, review of records, video surveillance) must pass the triple test of suitability, necessity and proportionality. Indiscriminate searching "just in case" is not permitted.
  • Data protection: processing the personal information requires a lawful basis, a specific purpose and the duty to inform, save for the exceptions legally provided for the investigation.
  • Information about their status: the employee must be made aware that they are under investigation and of its subject matter, to the extent this does not frustrate its purpose.
  • Legal assistance, especially where the internal interview may bear on subsequent criminal proceedings.
  • The right against self-incrimination: the employee cannot be compelled, under threat of disciplinary action, to confess a crime. The labour duty to cooperate must be distinguished from the right to remain silent in the face of a criminal charge.

These safeguards do not weaken the investigation: they strengthen it. A finding obtained while respecting the rights of the investigated employee is far more robust before a court than a confession extracted in an interview without safeguards.

Validity of Digital Evidence: Email and Devices

The most contentious point is access to corporate email and the company devices used by the employee. The general rule emerging from the case law can be summarised as follows:

  • There must be a prior, clear and known policy on the use of company resources and on the possibility of monitoring. Without a reasonably limited expectation of privacy, monitoring becomes complicated.
  • Access must serve a legitimate purpose (investigating a specific indication) and be proportionate: confined to what is necessary in terms of persons, period and keywords.
  • Manifestly private communications and the employee's strictly personal accounts enjoy enhanced protection; intervening in them demands particular caution. The case law of the European Court of Human Rights (ECtHR case law on employer monitoring of employee communications) set firm criteria on the monitoring of an employee's communications.
  • The forensic chain of custody of digital evidence (acquisition, preservation, integrity via hashing) is decisive: evidence that has been altered or lacks traceability loses its value.

That is why we recommend that the collection be directed by a computer forensics expert under legal supervision, separating what is material evidence —emails, contracts, accounting entries, judicially seizable through independent channels— from the lawyer's work product, which is protected by professional secrecy.

The Whistleblowing Channel and Law 2/2023

Law 2/2023 requires many companies to have an internal information system (whistleblowing channel) and to handle reports with safeguards. Its key features for the internal investigation are:

  • Confidentiality of the identity of the reporting person and of those affected, with the possibility of anonymous reporting.
  • A prohibition on retaliation against anyone who reports in good faith.
  • An independent system manager and a handling procedure with set response deadlines.
  • Respect for the presumption of innocence and the defence rights of the person identified, who is also protected by the statute.

An operational, well-run channel is not a formality: it is the orderly gateway to the internal investigation and tangible proof that the prevention model lives beyond paper.

Value for the Exemption Under Art. 31 bis CP

This is where doing things properly truly pays off. Article 31 bis 2 CP allows the legal entity to be exempted from criminal liability if it proves that, before the offence, it had adopted and effectively implemented a suitable organisation and management model, supervised by a body with autonomous powers, and that the individual perpetrator fraudulently circumvented it without any failure of supervision. The internal investigation is the evidence that brings those requirements to life: it shows that the model detects, reacts and cleans house.

Where full exemption does not apply, subsequent cooperation —confessing before learning that proceedings are directed against the company, providing new and decisive evidence, repairing the harm and implementing effective measures— operates as a highly qualified mitigating factor (Art. 31 quater CP), with a possible reduction of one or two degrees in the legal entity's penalty. Disclosing findings to the Prosecutor is therefore not a surrender: well designed, it is a defence tool. Deciding what to disclose, when and in what format is the most delicate strategic call of the entire process.

Mistakes That Ruin an Internal Investigation

  • Dumping the employee's entire email without confining the purpose, period or scope: null evidence and a risk of data-protection sanction.
  • "Corridor" interviews with no minutes, no information about the employee's status and no opportunity for legal assistance.
  • Dismissing before concluding: a premature dismissal or one without safeguards may give rise to labour nullity and undermine the credibility of the whole investigation.
  • Confusing audit and legal practice: if whoever directs the investigation does not act as a lawyer, professional secrecy over their work is lost.
  • Failing to document the initial mandate, the chain of custody or the decisions taken: what is not recorded does not exist before a court.

Has an indication arisen at your company?

The difference between a rights-respecting internal investigation and an improvised reaction can be the difference between exculpatory evidence and evidence against the company itself. We work on the external, independent direction of internal investigations, with a guarantor protocol and protection of attorney-client privilege. See our corporate internal investigations service.

📞 Call us: +34 91 078 65 74

Frequently asked questions

Is the company obliged to investigate internally when there is an indication?expand_more

Article 31 bis 5 CP requires the prevention model to impose the obligation to report and investigate risks and breaches. Failing to act when there are reasonable indications of an offence weakens the company's position and may compromise the exemption from criminal liability. The decision whether or not to open the investigation, and its scope, must be documented.

Can the company access the investigated employee's corporate email?expand_more

Only if there is a prior, clear policy on the use and monitoring of company resources, the purpose is legitimate and the access is proportionate (confined to specific persons, period and keywords). Manifestly private communications enjoy enhanced protection. The case law of the European Court of Human Rights (ECtHR case law on employer monitoring of employee communications) sets firm criteria on the monitoring of an employee's communications.

Can the employee refuse to answer in the internal interview?expand_more

The employee has a labour duty to cooperate, but cannot be compelled to self-incriminate under threat of disciplinary action. It is essential to distinguish that duty to cooperate from the right to remain silent in the face of a possible criminal charge, and to inform the employee of their status and of their right to legal assistance where the interview may bear on criminal proceedings.

What value does the internal investigation have for the exemption under Art. 31 bis CP?expand_more

It is the evidence proving that the prevention model genuinely works: it detects the indication, reacts and clears responsibilities. Well executed, it reinforces the exemption under Art. 31 bis 2 CP. If full exemption does not apply, subsequent cooperation may operate as a highly qualified mitigating factor under Art. 31 quater CP, with a possible reduction in the legal entity's penalty.

Is it advisable to disclose the findings to the Prosecutor?expand_more

It is not an automatic decision. Selective, well-founded disclosure accompanied by the internal measures adopted may operate as a highly qualified mitigating factor (Art. 31 quater CP). Material evidence (emails, contracts, accounting) is judicially seizable through independent channels, whereas the lawyer's work product remains protected by professional secrecy. What to disclose, when and how is a strategic decision best analysed case by case.

policy

gavelDo you need criminal defense in this area?

We are criminal defense lawyers specializing in internal corporate investigations. We act urgently to protect your rights.

View expertisearrow_forward

Related Articles

View allarrow_forward
calendar_todayJune 16, 2026

Director and Officer Criminal Liability and the D&O Policy

How a board member, CEO or CFO can be held criminally liable for offences within the company, what a D&O policy actually covers, and why the director needs a separate defence.

ComplianceEmpresa+1
calendar_todayJune 20, 2026

Criminal due diligence in M&A: Art. 130.2 of the Spanish Criminal Code

Why the buyer inherits the target's criminal liability under Art. 130.2 CP, and how criminal due diligence and R&W protect the deal in Spain.

M&ACompliance+2
calendar_todayJune 18, 2026

How compliance exempts the company: Art. 31 bis 2 CP requirements

What a prevention model must satisfy for the legal person to be exempt from criminal liability in Spain, and how the company builds its defence.

ComplianceBusiness+1

Knowledge is power, but strategy is key.

What you read here is just the beginning. Transform information into active defense by contacting our team of experts.

Contact Alonso Sala
Call: +34 91 078 65 74
call