
Whistleblower Channel Lawyers for Companies (Act 2/2023)
Implementation of the mandatory internal reporting channel for companies under Act 2/2023 on whistleblower protection.
Last updated:
Act 2/2023 of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption, transposes Directive (EU) 2019/1937 and requires all companies with more than 50 workers to set up an internal reporting (whistleblowing) channel.
Who Is Obliged
An internal information channel is mandatory for: all private companies with 50 or more workers; all public-sector entities; political parties, trade unions, business organisations and foundations receiving public funds; and any company within the scope of anti-money-laundering regulation (Act 10/2010), regardless of size. Companies of 50-249 workers had until 1 December 2023; those of 250 or more had to implement it before 13 June 2023.
Legal Requirements of the Channel
The channel must guarantee: the confidentiality of the whistleblower's identity and of any third party mentioned; the option of anonymous reporting; secure communication channels (written, verbal or both); an acknowledgement of receipt within 7 days and a response within a maximum of 3 months; the designation of an independent System Officer (Responsable del Sistema); and a documented management procedure. Personal data must be processed in accordance with the GDPR and Organic Law 3/2018.
Sanctioning Regime
Failure to comply exposes the company to a severe administrative regime. Very serious infringements (no channel, retaliation against the whistleblower, breach of confidentiality) carry fines of up to €1,000,000 for legal entities and €300,000 for individuals, with possible public reprimand and a ban on contracting with the public sector. Serious and minor infringements carry proportionally lower fines. Above all, retaliation against a whistleblower is expressly prohibited and reversed.
Implementation and Criminal Compliance
Beyond the legal obligation, the channel is a key piece of the criminal compliance programme (Art. 31 bis CP): a functioning channel that surfaces and corrects offences is decisive for the company's exemption from criminal liability. We design and implement the channel —policy, secure platform, System Officer, management protocol and staff training— integrated with the company's overall crime-prevention model, and we advise on the lawful handling of each report received, including those that may have criminal relevance.
The six requirements of an effective organisation and management model (Art. 31 bis 5 of the Criminal Code)
A whistleblowing channel does not, on its own, exempt a company from liability: it is one component of an organisation and management model that Article 31 bis 5 of the Spanish Criminal Code requires to meet six cumulative conditions. The model must identify the activities in whose scope the offences to be prevented could be committed (a criminal risk map); establish protocols that set out how the company forms its will, adopts decisions and executes them; and provide for financial resource management systems suitable to prevent the commission of those offences. A channel that lacks these elements is ornamental rather than effective.
The remaining three requirements are equally demanding. The model must impose a duty to report possible risks and breaches to the body charged with monitoring its operation; establish a disciplinary system that adequately sanctions breaches of the measures; and provide for periodic verification of the model itself and its amendment whenever significant breaches come to light or where changes occur in the organisation, the control structure or the activity carried out. We design, review and document each of these six elements, because before a court suitability is proved with evidence, not with the mere formal existence of a manual.
The autonomous oversight body and the burden of proving the exemption
Article 31 bis 2 of the Criminal Code makes the company's exemption conditional on entrusting supervision of the model's operation and observance to a body with autonomous powers of initiative and control (commonly known as the compliance officer or compliance body). That autonomy cannot be merely nominal: it requires functional independence, sufficient resources, direct access to the management body and a genuine capacity to investigate and to drive the disciplinary system. In small legal persons, Article 31 bis 3 allows the management body itself to assume those functions, which does not relax the requirement of effectiveness.
The burden of proof makes the difference. In the trial of a legal person it is not enough to allege that a programme existed: it falls to the company to prove that the model was suitable, that it was adopted and effectively implemented before the offence was committed, and that the perpetrator fraudulently circumvented the controls. We therefore build the documentary traceability of the model (minutes of the compliance body, risk reports, training records, disciplinary files, periodic verifications), which is the evidence that supports the exemption or, failing that, the mitigation provided for in Article 31 quater of the Criminal Code.
Law 2/2023 and the Internal Reporting System
Law 2/2023, of 20 February, regulating the protection of persons who report regulatory breaches and the fight against corruption, transposes Directive (EU) 2019/1937 and requires private sector entities with 50 or more employees to implement an Internal Reporting System. This is not simply a matter of setting up a mailbox: the law requires an accessible channel that allows written, verbal or both types of communication, the appointment of a System Manager, a policy and management procedure approved by the management body, and reinforced confidentiality guarantees over the identity of the reporting person and any third party mentioned.
The procedure has its own deadlines and rules: prompt acknowledgement of receipt, diligent handling of the file, the option of anonymous reporting and resolution within the statutory period, with data processing carried out under its specific rules. The law protects the reporting person from retaliation and additionally provides an external channel before the Independent Authority for the Protection of Reporting Persons. We integrate this system with the model under Article 31 bis of the Criminal Code, so that the whistleblowing channel simultaneously satisfies the Law 2/2023 obligation and the internal reporting requirement of Article 31 bis 5, avoiding duplication and procedural contradictions.
The company under investigation: its own status, succession in corporate transactions and the penalties of Art. 33.7
The criminal liability of a legal person is autonomous from that of the natural person: Article 31 ter of the Criminal Code allows the company to be convicted even where the specific natural person has not been identified or proceedings could not be directed against them. When the company is under investigation it acquires its own procedural status, with a right of defence and specific representation, and it can enter a guilty plea separately from its directors. The company's defence also requires close attention to the lawfulness of evidence gathered in internal investigations, where the rights of the affected employees must be respected for the findings to be usable in proceedings.
Article 130.2 of the Criminal Code prevents criminal liability from being extinguished through the transformation, merger, absorption or division of the company: liability transfers to the resulting or benefiting entity, which makes criminal due diligence essential in M&A transactions. The penalties applicable to a legal person are set out in Article 33.7 and include fines, dissolution, suspension of activities, closure of premises and establishments, a ban on carrying out certain activities, disqualification from obtaining subsidies and public aid, contracting with the public sector or enjoying tax benefits and incentives, and judicial intervention. We advise across the whole cycle: prevention, internal response to an incident and defence of the entity if it ends up under investigation.
Economic Criminal Law in Spain: Tax Fraud, Money Laundering and Corporate Crimes
Economic criminal law encompasses the most severe financial penalties in the Spanish Criminal Code. Tax fraud over €120,000 (Art. 305 CP), money laundering (Art. 301 CP), and corporate crimes (Art. 290-297 CP) are complex offenses where defense requires a combination of criminal law expertise and deep accounting/financial knowledge.
Penalty Comparison: Economic Offenses
| Offense | Threshold | Penalty |
|---|---|---|
| Tax Fraud (Art. 305) | >€120,000 | 1 – 5 years + fine x6 |
| Aggravated Tax Fraud | >€600,000 | 2 – 6 years |
| Money Laundering (Art. 301) | Any amount | 6 months – 6 years |
| Aggravated Laundering | Organized/financial system | Up to 9 years |
| Corporate Crime (Art. 290) | Balance sheet falsification | 1 – 3 years |
| Punishable Insolvency (Art. 259) | Fraudulent bankruptcy | 1 – 4 years |
Key Defense Strategies
Tax Regularization Defense (Art. 305.4 CP)
Pay the full tax debt before charges are formally filed and the crime is extinguished. This is the most powerful complete defense in tax fraud cases.
Challenge the €120K Threshold
The tax authority's calculation method is often contestable. Independent forensic accounting can challenge the assessed figure below the criminal threshold.
Money Laundering 'Self-laundering' Issues
Spanish courts have debated whether the primary offender can also be convicted of laundering their own proceeds. Challenge the double jeopardy implications.
Corporate Crime: Harm to Company vs. Shareholders
Art. 295 corporate crimes require actual financial harm to the company or its members. Demonstrate that any loss was speculative or absent.
Why Choose Us?
Need a criminal defense lawyer for this type of offense? Here's how we work:
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.