Whistleblower Protection Law

Whistleblower Protection Law

On February 21, 2023, Law 2/2023 for the protection of individuals who report regulatory infringements and fight against corruption was published in the Official State Gazette of Spain in response to the obligation imposed by Directive 2019/1937 of the European Parliament, also known as the "Whistleblowing Directive." This law aims to strengthen the culture of compliance and protect whistleblowers in both public and private sector entities.

With a maximum implementation deadline by the end of September (3 months from the entry into force on June 13, 2023) for organizations with more than 250 employees, and December 1 for entities with fewer than 250 employees, this law requires organizations with more than 50 employees to have reporting channels that meet certain minimum requirements.

Among the minimum characteristics listed are: reports must be directed to a single internal system where all cases are managed, systems must be implemented to guarantee the whistleblower's anonymity, and there must be an internal person responsible for the reporting system, although this management can be internal or external to the organization. This law states that mechanisms to protect the whistleblower and related persons must exist

The types of communications to be processed through the reporting channel will be those related to infringements of European Union law, serious administrative infringements, very serious infringements, and criminal acts.

Furthermore, reporting channels must be independent, guarantee anonymity, confidentiality, and compliance with European and Spanish data protection regulations. In all cases, a register must be kept to record the reports received, communications, and investigations carried out.

In terms of data protection measures, the law requires compliance with deadlines for the retention and deletion of personal data. Communications of reports can only be retained within the system for the time necessary to decide whether the investigation proceeds or not. If a decision is not made within a period of 3 months, the report must be deleted from the system. Conversely, if the investigation proceeds, personal data can be retained for an additional 3 months

What are the penalties for organizations that fail to comply with the law?

Organizations that fail to comply with the law may be subject to the following penalties:

• Fines of up to one million euros for legal entities.
• Fines of up to 300,000 euros for individuals.
• Public reprimands.
• Prohibition from obtaining subsidies or tax benefits for up to 4 years.
• Prohibition from contracting with the state for up to 3 years.

Make the best decision for your organization, stay informed, and start implementing the reporting channel that best suits your entity's needs while complying with European regulatory requirements.

Author: André Barrantes
CEO and founder of SHOGUN Monitor. He is an expert in digital training development and specialized technology in Operational Fraud Prevention and corruption, with clients in over 20 countries in America and Europe.