The law protecting whistleblowers requires companies with 50 or more workers to have an internal whistleblowing system in place and sets out fines of up to €1,000,000. We will be looking at this from various different standpoints: labor law, data protection, criminal law, corporate governance and anti-money laundering and counter-terrorist financing.
Before June 2023, companies with over 250 workers must have a whistleblowing system in place through which to report breaches as well as a management and protection system for whistleblowers, to prevent retaliation against them. Companies with between 50 to 249 workers have until December 1, 2023. This is established in the new Law 2/2023 of February 20, 2023, on the protection of people who report breaches of the law and on combating corruption, known as the ‘Whistleblowing Law’.
The new requirements have an impact from all angles of business law. In this article we will address the key aspects of the law from a labor law, data protection, criminal law, corporate governance, anti-money laundering and counter-terrorist financing standpoint.
Labor and employment
The content, purpose and approach of the Whistleblowing Law is closely linked to labor and employment legislation.
For example, the law requires that the whistleblowing system be implemented after consultation with the workers’ statutory representatives.
The law also provides that the whistleblowing system must include the different protocols that the company may have in place to prevent bullying, sexual and sex-based harassment, sexual violence or discrimination towards LGTBI people.
In this regard, it should be borne in mind that in most cases, the protagonists of the behavior that has been reported (i.e. the whistleblower, the person affected, witnesses, etc.) are workers with an employment relationship with the company.
Therefore when implementing and managing a whistleblowing system and conducting an internal investigation, it is crucial to be aware of the workers’ rights and obligations, as well as of the formal requirements that need to be met from a labor law standpoint.
The main change introduced by the new law as far as data protection is concerned, is the classification of the governing body as the controller of the whistleblowing system.
This classification means that the governing body is under the obligation to comply with all the provisions of data protection legislation (GDPR and LOPD-gdd) in relation to the whistleblowing system and can be fined up to 20 million euros for privacy breaches resulting from its role as controller.
There are certain inconsistencies in the articles of the law, for example, when defining the processing of sensitive data or determining the storage of personal data resulting from communications received in the whistleblowing system as a result of the integration of channels that are not linked to conduct included in the whistleblower protection law.
These are very important aspects that need to be analyzed and covered from the standpoint of data protection.
Following the implementation of the whistleblower protection law, it is necessary to ensure that the procedure regulating the functioning of the whistleblowing system is compatible with the right to defense of the organization in the event that a criminal proceeding is brought.
Moreover, the criminal compliance aspect of the whistleblowing system is essential, both in companies that already had a system in place to report irregularities or breaches and also in the case of organizations that already have a criminal compliance standard and compliance function, since they must be consistent with the specific aspects of the whistleblowing system.
Particularly in the case of corporate groups the whistleblower protection law envisages different possibilities, permitting, for example, a single whistleblower system (and therefore one manager of the system) for the entire group or for each subsidiary to have its own system in place (and therefore, its own manager).
It is therefore necessary not just to focus on the programmatic and procedural aspects set forth in the law in general for all companies, but also to design the most suitable model from the standpoint of adequately locating and isolating its risks and complying with the requirements of the new law in this area.
Whether to choose one or the other will depend on several factors, such as the corporate structure and governance of each group of companies and the level of decentralization to be adopted in each case.
Anti-money laundering and counter-terrorist financing
The whistleblower protection law includes in its scope all those who are under the obligation to prevent money laundering and terrorist financing.
Implementing a whistleblower system that includes the possibility of notifying breaches of the regulations and procedures of prevention of money laundering and terrorist financing designed by the entities also involves, provided that the specifications envisaged in the law are met, complying with the obligation to keep in place the whistleblowing channel incorporated in 2018 in prevention legislation.