Spain – EU Whistleblowing Directive implemented

The Spanish Act 2/2023 on the protection of persons who report regulatory breaches and anti-corruption measures (the “Act”) was published just a few days after the European Commission had decided to take Spain, among other countries, to the CJEU for failing to transpose the EU Whistleblowing Directive 2019/1937 (the “Directive”).

The Act aims to protect whistleblowers and sets out the obligation to establish internal and external systems for reporting infringements in private and public organisations. It also sets forth detailed data protection obligations.

Purpose and scope

The purpose of the Act is to protect whistleblowers from retaliation and thereby foster a reporting culture to detect and prevent threats to the public interest. The Act also requires companies to have internal systems for handling disclosures. It applies to reports of acts or omissions that:

  • may constitute an infringement of EU law as set out in the Directive, or affect the financial interests of the EU or relate to the internal market; or
  • may constitute a serious or very serious infringement of criminal or administrative law, including those entailing a financial loss for Spanish tax and social security authorities.

A very broad range of individuals is protected, including those working in the public or private sector, shareholders, investors, volunteers and trainees. It also applies to whistleblowers after any work-based relationship has ended.

Internal reporting channels

Companies with 50 or more employees and other regulated entities (such as public sector institutions) must establish an internal reporting channel. The channel should enable the disclosure of information, in writing and/or verbally, and ensure that the identities of whistleblowers and any named third parties are protected. The entity must also appoint a whistleblowing officer.

Reports must be investigated within three months, extendable for an additional three months. The entity must allow the person to whom the report relates to be heard, and inform the Spanish public prosecutor's office where the alleged situation may constitute a crime.

External reporting channels

The Act creates external public whistleblowing channels supervised by the Autoridad Independiente de Protección del Informante (the “AAI”), or by the relevant regional authority.

Any individual may inform the AAI of an infringement set out in the Act, whether in the public or private sector, directly or after making a report through an internal channel. If accepted for processing, the AAI will then investigate to check the veracity of the report and ultimately issue a decision. These proceedings cannot take longer than three months. Decisions by the AAI will not be appealable.

Public disclosure

Finally, any person making a public disclosure will also be protected where:

  • the person first reported internally and/or externally, but no appropriate action was taken;
  • the person had reasonable grounds to believe that the infringement may constitute a danger to the public interest (e.g. an emergency situation) or a risk of irreversible damage, or there is a risk of retaliation, or a low prospect of the infringement being effectively addressed; or
  • the person discloses information to the press when exercising their constitutional right to freedom of expression and information.

Data protection vs whistleblowing

The potential conflict between data protection and whistleblowing laws is longstanding, dating all the way back to the Article 29 Working Party’s Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes (WP117). However, those conflicts are now largely resolved given that the Act implements EU law and has been designed to comply with the GDPR.

In particular, the Act contains detailed provisions on the processing of personal data of whistleblowers and other persons involved in the disclosure, retention and subsequent investigation. It repeals the previous rule contained in the Spanish Data Protection Act 3/2018 (Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales).

Key data protection requirements

The key data protection requirements in the Act are as follows:

  • Only relevant personal data – Personal data should only be processed where it is relevant for handling a report. If personal data that is not relevant for that purpose is collected, it must be deleted without undue delay.
  • Presumption of lawfulness – Any processing of personal data that is necessary for the application of this law is presumed to be lawful. In particular, the processing of personal data in the cases of both internal and external reporting channels is based on the need for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR). If such processing is not legally mandatory, the processing will be presumed to be based on the public interest (Article 6(1)(e) GDPR).
  • Rights of data subjects – Where appropriate, whistleblowers must be informed about the processing of their personal data in accordance with Article 13 GDPR. They should also be expressly informed that their identity will not be disclosed to the persons to whom their report relates or to any third party. The law restricts the right to object to the processing (Article 21 GDPR) of the persons to whom reports or public disclosures relate, as there will be a rebuttable presumption that there are overriding legitimate grounds to allow the processing of their personal data.
  • Whistleblowers’ identities are protected – Anyone making a report or a public disclosure will have the right not to have their identity disclosed to third parties. Reporting channels and systems must have appropriate technical and security measures in place to protect the identity of the persons involved and ensure the confidentiality of the disclosed information. The identity of the whistleblower may only be communicated to the competent judicial authority and the public prosecutor's office in the context of an investigation.
  • Access controls – The Act limits access to the personal data contained in the internal reporting system, providing an exhaustive list of the company staff positions entitled to access such data, including, among others, the data protection officer, the whistleblowing officer, and any processors that may be appointed. The processing of personal data by others, including its communication to third parties, will be lawful where necessary for the adoption of corrective measures or for handling the reports received.
  • Data retention – The information received must be deleted if no investigation has been initiated within three months of receipt unless it is kept to demonstrate the functioning of the system. In such case, the information should be kept anonymised, and the obligation to keep personal data in a “blocked” manner, a Spain-specific obligation under Article 32 of the Spanish Data Protection Act, will not apply.

Conclusion

Companies must implement the internal reporting system within three months after the law comes into force, i.e. by 13 June 2023. For companies with fewer than 249 employees, this time limit has been extended to 1 December 2023. Companies should also review and update their data protection practices relating to whistleblowing, including their privacy notices, procedures for handling data subject rights, data deletion procedures and security requirements.