Spanish Royal Decree-Law 11/2018 (dated 31 August 2018) in Part II, contains the domestic provisions implementing Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLD 4), amending Regulation (EU) No. 648/2012 and repealing Directive 2005/60/EC and Directive 2006/70/EC.  

The new Spanish law, having regard to the legal requirements of GDPR and data protection law, includes the implementation of the provisions of AMLD 4 aimed at requiring the creation of new reporting mechanisms and making existing mechanisms comply with certain requirements to prevent or identify behavior allegedly contrary to this law or to internal procedures designed to prevent such behavior. These reporting mechanisms are both public and those set up by persons required by law. Public reporting mechanisms shall be put in place by the Public Administration to ensure compliance of the entities specified with anti-money laundering and funding of terrorism administrative legislation. This will include the right for both employees of the company and third parties to report any offences. In addition entities falling within this new law are required to set up internal reporting mechanisms which facilitate every employer and contractor reporting relevant information, even anonymously.