Learn everything about the new Whistleblowing Law in Spain

Tuesday, June 20, 2023

8 Minutes reading time

Whistlehub content team

Spain's new Whistleblowing Law requires companies with 50 or more workers to have an internal whistleblowing system and sets out fines up to €1,000,000. This groundbreaking legislation aims to combat corruption and protect whistleblowers who expose regulatory breaches across various sectors. In this blog post, we'll take a deep dive into the vital aspects of Spain's new law - from reporting channels and requirements to whistleblower protection measures and penalties for non-compliance.

Key Takeaways

  • Spain's new Whistleblowing Law, Law 2/2023, transposes the EU Whistleblowing Directive provisions into Spanish law to promote transparency and good governance while safeguarding whistleblowers from potential retaliation.
  • The law applies to a wide range of sectors and organizations with over 50 employees as well as sensitive sectors such as finance, money laundering prevention, and political parties.
  • Companies must establish internal reporting channels for whistleblowers under Spain's new law that allow complaints to be made verbally or in writing. They also need information systems to manage internal and external reporting channels compliant with GDPR requirements on privacy notices, data retention periods, data deletion rules, and data subject rights.
  • The new law includes measures to safeguard whistleblowers from retaliation by prohibiting discrimination or economic damage against them. It provides legal protection for whistleblowers who self-report regulatory breaches or cooperate with investigators.

Background On Spain's Whistleblowing Law

Spain's new whistleblower protection law, Law 2/2023, is based on the EU Whistleblowing Directive (Directive 2019/1937) and transposes its provisions into Spanish law.

Implementation Of EU Whistleblowing Directive

To ensure a consistent approach to whistleblower protection across its member states, the European Union introduced the EU Whistleblowing Directive (Directive 2019/1937).

This groundbreaking legislation aimed to bolster anti-corruption measures and enhance regulatory compliance by encouraging individuals to report instances of misconduct in various sectors.

The adoption of this comprehensive legal framework signals Spain's commitment to promoting transparency and good governance while safeguarding whistleblowers from potential retaliation.

As an EU member state, Spain had until December 17th, 2021, to transpose the provisions of the directive into national law.

Scope Of Spain's New Whistleblowing Law

The new whistleblowing law in Spain, Law 2/2023, applies to a wide range of sectors and organizations including those with over 50 employees as well as sensitive sectors such as finance, money laundering prevention, and political parties.

Application To Various Sectors

Spain's new whistleblowing law has wide-ranging applications across multiple sectors, ensuring that diverse industries adhere to its provisions and remain accountable in the event of regulatory breaches. The sectors affected by the law include:

  1. Banks: Ensuring financial institutions maintain transparency and adhere to anti-money laundering and terrorist financing regulations.
  2. Chemicals: Safeguarding public health and the environment by encouraging responsible handling of hazardous materials.
  3. Consumer: Protecting consumer rights by addressing deceptive marketing practices, product safety concerns, and more.
  4. Energy & Utilities: Encouraging compliance with environmental regulations, worker safety standards, and fair competition in this essential industry.
  5. Healthcare and Life Sciences: Maintaining the integrity of research, development, and delivery of healthcare products and services.
  6. Industrials: Addressing labor rights issues, environmental impacts, and other potential violations in industrial manufacturing processes.
  7. Infrastructure: Ensuring proper management of public works projects, including construction quality control, safety measures for workers, anti-corruption measures among contractors.
  8. Insurance: Promoting transparency in pricing policies, claims handling procedures, underwriting standards for risk assessment among insurers.
  9. Mining: Encouraging responsible mining practices that protect local communities' rights while preserving the environment from harmful pollution or resource depletion.
  10. Mobility: Enhancing road safety by reporting instances of corruption or fraud affecting transportation infrastructure or systems design.
  11. Private Equity & Financial Sponsors: Maintaining high ethical standards within investment management firms while addressing conflicts of interest between stakeholders.
  12. Real Estate & Leisure: Combating fraud or unethical behaviors within property development transactions as well as tourism-related businesses such as hotels or amusement parks.
  13. Retail Asset Managers: Monitoring asset management firms to ensure they apply fair business practices towards clients while regarding fiduciary duties with shareholders appropriately
  14. Sports: Promoting integrity in sports organizations by preventing doping scandals or match-fixing incidents that could undermine competitiveness
  15. Technology: Encouraging adherence to intellectual property laws and privacy regulations within fast-paced tech industries.
  16. Telecoms: Ensuring fair competition among telecom providers while upholding consumer rights regarding transparent billing practices, service quality, and more.

Whistleblowing Channels And Reporting Requirements

Companies with over 50 employees are required to establish internal reporting channels for whistleblowers under Spain's new law, while certain sensitive sectors must have such channels regardless of their size.

Internal Reporting Channels

are a crucial component of Spain's new whistleblowing law, as they facilitate the reporting of legal breaches and help safeguard whistleblowers. Companies must establish these channels according to specific guidelines:

  • Applicability: Mandatory for companies with more than 50 employees, certain financial entities, and organizations receiving public funding, including political parties and trade unions.
  • Ease of use: The channel must allow complaints to be made verbally or in writing, ensuring accessibility for all potential whistleblowers.
  • Anonymity support: Anonymous reporting is permitted, which encourages individuals to come forward without fear of identification or retaliation.
  • Confidentiality assurance: The internal reporting channel should guarantee the protection of personal data, in compliance with GDPR and Spanish Data Protection Act (Law 3/2018) requirements.
  • Efficient investigation process: Companies must have procedures in place for promptly addressing reported concerns and providing feedback to whistleblowers when appropriate.
  • Retention and deletion policies: Personal data collected through internal reporting channels must be retained only as long as necessary for investigating complaints or complying with legal obligations, then securely deleted.
  • Awareness promotion: Employers are responsible for informing their employees about the existence and purpose of internal reporting channels.

By implementing robust internal reporting channels, businesses can effectively address legal breaches while protecting those who report them.

External Reporting Channels

Under Spain's new whistleblower protection law, companies must establish external reporting channels to enable whistleblowers to report regulatory breaches. Below are key details on external reporting channels:

  • Whistleblowers can report directly to the competent authorities, such as the police or regulatory bodies.
  • Reporting through a lawyer or trade union representative is allowed as long as it protects the whistleblower's identity and confidentiality.
  • The Autoridad Independiente de Protección del Informante (AAI) is an independent authority responsible for receiving and managing reports of breaches of Spanish law by public sector entities and private companies operating in sensitive sectors.
  • Sensitive sectors that require mandatory external reporting channels include financial entities, money laundering prevention, transportation and environmental security, political parties, trade unions, and other organizations performing critical activities essential for the functioning of democratic institutions.
  • Complaints can be submitted anonymously through external reporting channels at the AAI, but evidence supporting the claim must be provided in such cases.
  • External reporting channels must have inbuilt mechanisms for preventing retaliation against whistleblowers who use them.

These measures protect whistleblowers from retaliation by their employers and encourage internal resolution of complaints without fear of reprisals while ensuring compliance with anti-corruption measures set by EU directives.

Management Of Information Systems

To comply with Spain's new whistleblowing law, companies must establish information systems to manage internal and external reporting channels. These systems should be accessible, confidential, and provide good whistleblower monitoring, investigation, and protection practices.

The law also regulates an external reporting channel managed by the Independent Authority for the Protection of Whistleblowers that guarantees the completeness, integrity, and confidentiality of information.

Companies must ensure personal data processing is compliant with GDPR requirements on privacy notices, data retention periods, data deletion rules, and data subject rights.

Failure to have in place adequate management of information systems can result in penalties such as fines or public reprimands for infringing legal obligations under EU and Spanish laws combating corruption.

Protection Against Retaliation

The new law includes measures to safeguard whistleblowers from retaliation, including prohibiting discrimination, dismissal, negative evaluation, and economic damage.

Measures To Safeguard Whistleblowers

Spain's new Whistleblowing Law contains important measures to safeguard whistleblowers, ensuring that they are protected from retaliation and their confidentiality is maintained. These measures include:

  1. Prohibiting acts of retaliation or discrimination against whistleblowers and third parties who report wrongdoing.
  2. Providing legal protection for whistleblowers against negative evaluation, blacklisting, suspension of contract, dismissal, denial of licenses or permits.
  3. Offering leniency programs for whistleblowers who self - report regulatory breaches or cooperate with investigators.
  4. Establishing the Autoridad Independiente de Protección del Informante (AAI), an independent authority to protect whistleblowers' rights and help them navigate the reporting process.
  5. Providing training and support for managers and employees responsible for handling whistleblower reports.
  6. Allowing anonymous reporting to encourage more individuals to come forward with information.
  7. Setting up secure communication channels and data protection protocols to ensure confidentiality and prevent leaks.
  8. Ensuring that all personal data processing is compliant with GDPR regulations regarding data retention, deletion, security, privacy notices, data subject rights and access requests.
  9. Designating a Data Protection Officer (DPO) responsible for overseeing the company's whistleblower program and ensuring compliance with relevant laws.
  10. Establishing clear guidelines on how to investigate whistleblower reports, including protocols for escalation if necessary.
  11. Implementing regular reviews of the company's whistleblower program to ensure ongoing compliance with legal requirements.

Overall, these measures aim to promote transparency and accountability while protecting those who speak out against misconduct in the workplace. Compliance with Spain's new Whistleblowing Law is essential for any organization operating within its scope to avoid penalties or reputational damage due to non-compliance issues.

Penalties For Non-Compliance

Non-compliance with Spain's new whistleblowing law can result in financial penalties for both individuals and companies, including fines and other sanctions.

Fines And Sanctions

Spain's new whistleblowing law enforces stringent penalties for non-compliance, with fines ranging from €1,000 to €300,000 for natural persons and up to €1 million for legal persons depending on the severity of the infringement. These fines serve to encourage adherence to the law and promote a culture of transparency and accountability. The table below details the various categories of infringements and their corresponding penalties.

Category of InfringementFines for Natural PersonsFines for Legal Persons
Minor€1,000 to €10,000€3,000 to €50,000
Serious€10,001 to €100,000€50,001 to €500,000
Very Serious€100,001 to €300,000€500,001 to €1 million

In addition, entities that fail to establish an internal information system within the specified time frame may face penalties of up to €300,000 for natural persons and up to €1 million for legal persons. These sanctions underscore the importance of establishing a robust whistleblowing system, ensuring confidentiality and protection for whistleblowers, and ultimately building a culture of trust between the whistleblower and the administration.

Deadline For Establishing Information Systems

Organizations in Spain are required to establish information systems for whistleblowing by March 16, 2022, and must comply with data privacy regulations such as GDPR and the Spanish Data Protection Act.

Timelines For Implementation

Spain's new Whistleblowing Law will come into force on March 13, 2023. Here are the timelines for implementation:

  1. Large companies with 250 or more employees must implement the required measures within three months of the law coming into effect on June 13, 2023.
  2. Organizations with 249 or fewer employees have until December 1, 2023, to implement the measures.
  3. Spain was among the member states that failed to transpose the EU Whistleblowing Directive by its original deadline of December 17, 2021.
  4. The Ministry of Justice approved draft legislation in September and submitted it for parliamentary approval.
  5. Following criticism and suggested amendments by various organizations, including Osborne Clarke, the draft made progress in parliament in December 2022
  6. The European Commission launched infringement proceedings against Spain in mid - February for not aligning its national whistleblower protection laws with Directive (EU) No.2019/1937.
  7. Shortly after that, the Senate approved Law 2/2023 on February 28, making Spain the eighteenth EU member state to adopt the EU Whistleblowing Directive into law and mandating companies to establish information systems to support whistleblowers' protection and reporting requirements.

Overall, Spain's new Whistleblowing Law aims to create a climate of trust by protecting whistleblowers while strengthening anti-corruption measures nationwide and helping identify regulatory breaches such as criminal and administrative offenses effectively.


Spain's new whistleblowing law is a progressive step towards combating corruption and ensuring the safety of those who speak up against wrongdoing. The law establishes reporting channels for employees to express their concerns internally, without fear of retaliation from their employers.

Additionally, it provides protection for whistleblowers against discrimination, blacklisting, and economic damage. Companies must ensure they comply with the requirements outlined in this legislation to avoid hefty financial penalties and legal repercussions.

Frequently asked questions

© All Rights Reserved. Whistlehub Inc