Whistleblowing Channel: Law 2/2023 Compliance Made Simple

Spain's whistleblowing framework is established by Law 2/2023 of 20 February on the Protection of Persons who Report Regulatory Infringements and the Fight against Corruption, which transposed EU Directive 2019/1937 on whistleblower protection. Law 2/2023 requires private companies with 50 or more employees, public entities, and all companies operating in financial services regardless of size to implement an Internal Information System (Sistema Interno de Información, SII) with specific requirements: a confidential and optionally anonymous reporting channel, a designated responsible person (Responsable del Sistema), acknowledgement within 7 days, a substantive response within 3 months, anti-retaliation protections for reporters, and coordination with GDPR obligations for personal data processed through the channel. Non-compliant organisations face sanctions of up to EUR 1 million for serious infringements.

Our team combines expertise in regulatory compliance, employment law, and data protection to implement whistleblowing systems that function in practice — not only on paper.

The Gap Between Having a Channel and Being Compliant

Law 2/2023, transposing EU Directive 2019/1937 into Spanish law, establishes a comprehensive framework for whistleblower protection that extends far beyond enabling a contact form. The law requires a structured Internal Information System with a formally designated responsible person, statutory processing deadlines, genuine confidentiality guarantees, and effective protection against retaliation. Organisations that have installed a generic inbox or a third-party whistleblowing tool without structuring the system around it are technically non-compliant — and potentially exposed to sanctions reaching EUR 1 million.

Designing a System That Works Under Pressure

The first step in any implementation is system design. A 60-employee manufacturing company and a 5,000-employee financial services group require fundamentally different architectures. We analyse the organisational structure, risk profile, and corporate culture to recommend whether the channel should be managed internally by the designated responsible person or outsourced to an independent third party. Outsourcing typically provides greater perceived credibility for potential whistleblowers — a critical factor in whether employees actually use the system — and removes the conflict-of-interest concerns that arise when the channel is managed internally.

Integration with Criminal Compliance

The relationship between a whistleblowing channel and a criminal compliance programme is direct and legally significant. Spanish courts have confirmed that a functional internal reporting system is one of the elements they examine when assessing whether a legal entity’s compliance programme should have exculpatory effects on criminal liability. A channel that exists on paper but generates no investigations and no corrective measures will not satisfy this standard. We design the investigation protocol to produce the documented evidence trail that compliance programmes require.

GDPR Considerations Specific to Whistleblowing

The processing of personal data in whistleblowing systems presents specific challenges that require close coordination with the Data Protection Officer. The AEPD has issued specific guidance on impact assessments for these systems, retention periods for data relating to both whistleblowers and reported individuals, and the limits of the reported person’s right to information when it could compromise the investigation. We integrate all of these requirements from day one, avoiding the retroactive GDPR remediation that many organisations face after deploying their channels without adequate data protection planning.

The Internal Investigation Protocol

A whistleblowing channel is only as effective as the investigation process that follows a report. Law 2/2023 requires the designated responsible person to acknowledge receipt of a report within seven days and to communicate the outcome of the investigation within three months. These deadlines are not aspirational — they are legal obligations with sanction exposure attached. We design investigation protocols that specify who conducts the investigation for different categories of reported conduct, what evidence-gathering steps are required, how potential conflicts of interest are managed, and how the outcome is communicated to the reporter.

The Responsible Person: Appointment and Training

The designation of the responsible person (Responsable del Sistema) is a formal appointment that must be documented. Law 2/2023 requires the responsible person to have the authority to conduct investigations, access relevant information, and recommend corrective measures. Where the responsible person role is outsourced, our team manages the complete lifecycle: report receipt, acknowledgement, investigation coordination, outcome communication, and compliance documentation. The integration with the criminal compliance programme ensures that reports alleging criminal conduct are handled with the procedural rigour that a potential criminal proceeding requires.

Interaction with the Anti-Retaliation Framework

Law 2/2023 establishes comprehensive protections for reporters against retaliation: dismissal, demotion, salary reduction, change of duties, coercion, discrimination, and negative performance assessment are all forms of prohibited retaliation. The law creates a reversal of the burden of proof in employment proceedings. Our employment law team advises on how to handle situations where a report is received and an employment decision affecting the reporter is subsequently required — ensuring the decision is legally defensible and demonstrably independent of the report.

Multinational Groups and Multi-Jurisdiction Channels

For multinational groups with operations in multiple EU member states, Law 2/2023 allows a centralised internal channel at group level as long as the channel is genuinely accessible to employees in all jurisdictions. We design group-level whistleblowing systems that comply with the requirements of the EU Directive as transposed in each operating jurisdiction, manage the cross-border data flows in compliance with GDPR international transfer rules, and ensure that the local law variations across member states are reflected in the system’s operational procedures.

The Internal Investigation Protocol

A whistleblowing channel is only as effective as the investigation process that follows a report. Law 2/2023 requires the designated responsible person to acknowledge receipt of a report within seven days and to communicate the outcome of the investigation within three months. These deadlines are not aspirational — they are legal obligations with sanction exposure attached. We design investigation protocols that specify who conducts the investigation for different categories of reported conduct, what evidence-gathering steps are required, how potential conflicts of interest are managed, and how the outcome is communicated to the reporter.

The Responsible Person: Appointment and Training

The designation of the responsible person (Responsable del Sistema) is a formal appointment that must be documented. Law 2/2023 requires the responsible person to have the authority to conduct investigations, access relevant information, and recommend corrective measures. Where the responsible person role is outsourced, our team manages the complete lifecycle: report receipt, acknowledgement, investigation coordination, outcome communication, and compliance documentation. The integration with the criminal compliance programme ensures that reports alleging criminal conduct are handled with the procedural rigour that a potential criminal proceeding requires.

Interaction with the Anti-Retaliation Framework

Law 2/2023 establishes comprehensive protections for reporters against retaliation: dismissal, demotion, salary reduction, change of duties, coercion, discrimination, and negative performance assessment are all forms of prohibited retaliation. The law creates a reversal of the burden of proof in employment proceedings. Our employment law team advises on how to handle situations where a report is received and an employment decision affecting the reporter is subsequently required — ensuring the decision is legally defensible and demonstrably independent of the report.

Multinational Groups and Multi-Jurisdiction Channels

For multinational groups with operations in multiple EU member states, Law 2/2023 allows a centralised internal channel at group level as long as the channel is genuinely accessible to employees in all jurisdictions. We design group-level whistleblowing systems that comply with the requirements of the EU Directive as transposed in each operating jurisdiction, manage the cross-border data flows in compliance with GDPR international transfer rules, and ensure that the local law variations across member states are reflected in the system’s operational procedures.