The Law of Protection Affects the Protection of Personal Data of your Company


With the entry into force of Law 2/2023, of February 20, regulating the protection of persons who report on regulatory and anti-corruption infractions (hereinafter, the Law on the protection of whistleblowers), Directive (EU) 2019/1937 of the European Parliament and of the Council, of October 23, on the protection of persons reporting on breaches of Union law (known as the Whistleblowing Directive), is transposed into the Spanish legal system. The Law aims to take a further step in the culture of information and business compliance, to prevent and detect certain threats to the public interest.

It regulates, on the one hand, the protection of natural persons who, in the work or professional context, report irregular practices committed by public or private entities and, on the other, the requirements and guarantees that must be met by the effective communication mechanisms of this information (reporting channels), by companies and other obliged public bodies.

In accordance with this regulation, companies are obliged to approve whistleblower protection policies and implement Internal Information System protocols, which make mechanisms available to persons who have the status of informants so that they can communicate, within the entity itself, information on irregular practices of which they are aware, guaranteeing at all times the application of the rights of the informant and the established protection measures.

All companies with fifty or more workers are required to have an internal information system, with the deadline for its creation being December 1, 2023. Regardless of the number of employees, the following are also obliged to implement the System: companies falling within the scope of European Union law on financial services, products and markets, prevention of money laundering or terrorist financing, transport security and environmental protection; political parties, trade unions, employers’ organisations and foundations receiving or managing public funds; as well as public administrations.

Regarding the processing and protection of personal data, the obligations established in the Law on the protection of whistleblowers must comply with the principles of the General Data Protection Regulation and of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights. It is therefore necessary to review and update the entity's privacy policies and its record of processing activities in terms of data protection.

If you are interested in expanding this information do not hesitate to contact us here.
