Mandatory Whistleblower Channel in Spain (Law 2/2023): Company Guide

Law 2/2023 on the protection of whistleblowers has radically changed the compliance obligations of Spanish companies. If your company has 50 or more employees, it is obliged to have an operative internal whistleblower channel compliant with the regulations. Non-compliance can carry fines of up to 1,000,000 euros. As criminal lawyers, we explain the obligations.

What Is an Internal Whistleblower Channel?

A whistleblower channel is a secure, confidential system that allows employees, executives, suppliers and others connected with the company to report possible legal or regulatory breaches without fear of retaliation. Law 2/2023 transposes EU Directive 2019/1937. It is not a mere formality: it is a fundamental instrument of the criminal compliance programme that can determine whether your company is exempt from criminal liability.

Who Is Obliged?

Private companies: all with 50 or more employees, regardless of sector. Public sector: all public entities, political parties, trade unions and foundations receiving public funds. Anti-money-laundering obliged parties: companies subject to AML rules (Law 10/2010) regardless of size — lawyers, auditors, estate agents, car dealers, jewellers.

Legal Requirements of the Channel

• Confidentiality: the identity of the whistleblower and the person investigated must be confidential.
• Anonymity: the channel must allow anonymous communications and process them like the rest.
• System officer: an independent officer responsible for management must be designated.
• Acknowledgement of receipt: within a maximum of 7 calendar days.
• Investigation deadline: a maximum of 3 months from acknowledgement.
• Record: retention of the information for a minimum of 10 years.
• Prohibition of retaliation: any retaliation against the whistleblower is null and sanctionable.

Connection With Criminal Compliance (Art. 31 bis CP)

Criminal compliance is the crime-prevention programme that allows the legal person to be exempt from criminal liability (Art. 31 bis.2 CP). One of the essential requirements of compliance is, precisely, having a whistleblower channel. Without it, the compliance programme does not meet the minimum standards of Art. 31 bis CP.

How to Implement the Channel: Step by Step

1. Compliance audit: analysing the company's current situation and risks.
2. Platform selection: choosing a technology platform meeting the confidentiality and anonymity requirements.
3. Designation of the officer: appointing the person or body responsible.
4. Investigation protocol: developing the receipt, investigation and resolution procedures.
5. Training and communication: informing the whole organisation about the channel.