Since December 2010 legal entities can be held liable in Spain. The establishment of effective measures and programmes to prevent and detect crimes within the company is deemed a mitigating factor of criminal liability related to a crime already committed.

From 1 July 2015 the abovementioned rules have been tightened since the scope of liability has been clarified and expanded. However, the existence of management systems, including control and vigilance measures to prevent the commission of crimes supervised by a specific body within the company, is necessary to release the company from any criminal liability.

Companies need to review their existing systems and adequately organise the corporate defence programme in light of the new regulation.

Background: Establishment of the Criminal Liability of Companies

On December 2010, the Spanish Criminal Code underwent a material transformation. One of its main features was the establishment of criminal liability for legal entities.

Criminal liability: Article 31bis of the Criminal Code provided that legal entities can be held criminally liable when:

  1. A criminal offence is committed by their (de jure or de facto) directors (“Directors’ Crimes”).
  2. A criminal offence is committed by the employee of the entity, due to a lack of adequate control (“Employees’ Crimes”).

Mitigating factor: The existence of effective measures to prevent crimes which could be committed in the course of the business of the legal entity was regarded as a mitigating factor of the criminal liability of the entity itself.

The law only referred to measures and programmes put in place “before the beginning of the trial” which could be interpreted as meaning that only measures taken after the crime was committed could constitute a mitigating factor. However, most of the scholarly writings considered that a more correct interpretation of the law would be that any measure or programme of such kind put in place within the company prior to the commitment of the offence should also be considered a mitigating factor.

Penalties: The penalties to the company could include economic fines, a prohibition to receive subsidie s a nd to contra ct with the public administration; Court supervision; temporary closing of the business or establishments (up to 5 years); prohibition to carry out activities related to the crime (up to 15 years or permanent) and full winding up of the company.

Other issues: The Criminal Code sets out 24 criminal offences that can generate criminal liability for legal entities (thus, companies cannot be held criminally liable for all criminal offences contained in the Criminal Code, only for a numerus clausus), e.g. human trafficking, tax fraud, bribery, environmental offences or money laundering.

The traditional criminal liability of company directors for the crimes committed by the company was also retained in art. 31 of the Criminal Code.

New regulation in force as from 1 July 2015: exemption from liability if prevention models are effectively established

On 31 March 2015, art. 31bis of the Criminal Code was amended.

Concerning Directors’ Crimes, the law now provides for full exemption from liability of the company (not just mitigation) if all of the following apply (subject to evidence):

  • The board of directors had adopted and effectiv el y i mpl emented, pri or to the commission of the crime, organisation and management models, including suitable monitoring and control measures in order to prevent the commission of criminal offences or to reduce in a significant manner the risk of their commission;
  • Supervision of the implemented prevention model’s functioning and compliance has been entrusted to a body at the legal entity with independent powers of initiative and action or that has been legally entrusted with overseeing the internal controls of the legal entity.
  • The individual person who committed the crime by fraudulently circumventing the prevention models.
  • There was no omission or insufficient exercise of supervision, vigilance and control by the aforementioned body.

If the above circumstances are proved only in part, such situation shall be assessed by the relevant Court in its determination of the penalty.

Concerning Employees’ Crimes, the law now also provides for full exemption from liability of the company if, prior to commission of the crime, the adequate organization and management model to prevent the commission of crimes or to reduce significantly the risk of their commission has been put in place in an effective way.

Partial implementation of the model shall also be assessed for the purposes of determining the penalty.

Requirements of the Organisation and Management Models

The management and organisation mode ls referred to above must meet the following requirements:

  • Identify risky activities in which criminal offences could be committed in order to prevent them;
  • Establish protocols and procedures that specify the process for adoption of decisions and implementation thereof in relation to those protocols or procedures;
  • Are adequately funded to prevent  the commission of criminal offences;
  • Impose the obligation to report potential risks and breaches of the internal policies to the body entrusted with oversight over the prevention model and program’s functioning and compliance;
  • Establish a disciplinary system with adequate sanctions for any non-compliance with the measures established in the model; and
  • Periodic verification and modification of the model in the event of significant infringements of its provisions, or when there are changes in the company’s organisation, control structure or business activities.


The establishment of prevention models, with the abovementioned characteristics, becomes paramount.

This implies the appraisal of the company’s current risk control and compliance system as well as the establishment of the adequate supervisory body and ancillary procedures. Moreover, different regulations should be drafted together with the establishment of an adequate training programme as evidence of the effectiveness of the prevention model’s implementation.