Spain – Whistleblowing Protection

GAPS in Spanish legislation on whistle-blowers

  • whistle-blower protection in the commercial sector – contradiction in Spanish data protection law with the ability to make anonymous complaints (the data protection laws are the strongest in the EU)
  • since there is a strong movement in Spain against anonymous whistle-blowing and that complaints have to be made in a very formal way those with useful knowledge are further discouraged where they know of facts either first or second hand but are not sure enough to official go on record with their information and accusations
  • companies that are traded on the US stock exchange are required to implement whistle-blower procedures but they seem ineffective in Spain
  • complete lack of cultural and political will to protect/encourage whistle-blowers; for example Spain seems to be very unlike other Latin American countries where every Ministry is involved and required to exchange information;
  • witness/whistle-blower protections are weak and not highly emphasised by the court
  • there is no specific or official witness protection program in Spain
  • only intensive through criminal immunity to whistle-blow in the public sector really is for bribery – and even still it is underutilised
  • there is criminal immunity for whistle-blowers/informants in drug trafficking and terrorism cases although it only applies to those directly involved with personal knowledge
  • there is a Constitutional protection for those considered journalistic sources but there is no mechanism for enforcement or implementation of protection measures

a. Legislation – Whistle-blower

i. What is the existing legislative regime in force?

Each citizen has a duty to report crimes, which are encouraged by the establishment of hotlines. The Spanish system favors written documents and generally the whistle-blower must acquire the legal status as an accuser and sign a formal complaint against the person suspected of having committed an “irregularity”. Originally, the procedure was intended to protect basic rights and liberties. In some instances there is no right to make an anonymous complaint – particularly in the corporate setting. The requirement that the whistle-blower sign a formal complaint dissuades those who have valuable information that they are not completely sure of. An informal complaint to the media, for instance does not have the same requirements.

In January 2012, the Security Minister in the Salta province created a electronic system to receive anonymous complaints concerning activities related to drug trafficking and the Spanish National police are implementing a similar initiative. Reports can be made via twitter, but since twitter is not very secure, a news report has criticized the system. Although, it acknowledged the important role of informing citizens and creating a culture of whistle-blower acceptance where there is confidence in their security. The report noted the importance of the Spanish authorities providing the most strict confidentiality in messages.

The Central Brigade on Narco-trafficking also manages an email account where complaints will be handled with maximum confidentiality and will analyze all information that it receives.

Internal informers in a corporate setting may be in conflict with their duties as an employee and under various laws – there may also be a duty though to whistle-blow or otherwise prevent crimes, and in some cases there is a contractual duty of good faith for some to whistle-blow. There are several rules and regulations that require auditors and tax inspectors to report significant deficiencies that raise concern of corruption or criminal offenses.

After the introduction of Sarbanes-Oxley in 2002, many companies (Spanish included) implemented whistle-blowing systems. The most commonly implemented system then was a telephone hotline or specifically allocated internet mailboxes where employees can disclose information anonymously. Many companies include whistle-blowing procedures in their code of conduct, which is annexed to employment contracts. Employees should acknowledge receipt of the code in writing – these things will ensure compliance with the AEPD approach so that there is a contractual relationship and to some extent necessary.

The Spanish Agency for Data Protection (AEPD) has taken direction under the EU directive 1/2006 to protect personal data in whistle-blower programs concerning the financial fields. Some find that the directive provides little support/protection for whistle-blowers, and Spain has paid even less attention to these protections than other countries. See the discussion below and in the government bodies section concerning AEPD.

Spanish criminal law does not contemplate immunity beyond certain cases of bribery, blackmail, terrorism and drug trafficking.

As of 2010, protection to whistle-blowers is limited to ex-terrorists who report to the authorities and parliamentary protections to protect journalists’ sources have not gone forward.

Spain ratified the UN Convention against Corruption in 2006, and the OECD Anti-Bribery Convention in 2000.

1. Which Acts/codes directly apply to the area?

Criminal Procedure Law (Ley de Enjuiciamiento Criminal)
Book II. Title I Of the Complaint

Article 259 requires persons who witness the commission of an offense to report it. Sanctions for non-compliance range from 25 to 250 pesetas.

Article 262 provided that persons because of their position, profession or affectation learn of a public crime must report it immediately to the relevant judicial or enforcement authorities. There is no specification concerning the level of certainty the whistle-blower must have to report the offense, according to Spanish authorities, reasonable suspicion is generally required. Authorities have indicated that persons who report are protected provided they are acting in good faith. The Criminal Procedure Law provides no meaningful sanctions for violations of this article.

Article 262 also provides that non-reporting by a public official should be reported to the official’s superior so that administrative measures may be taken. Non-compliance with the reporting obligation is subject to sanctions provided in Article 14 of the Regulation on the Disciplinary Regime for Public Officials in the State Administration, which includes sanctions up to dismissal. Cases under these provisions are not made public by the judiciary.

Article 264

One who has knowledge of the perpetration of some crimes that should be prosecuted must report to the Attorney General’s office, the competent court or examining magistrate or municipal, or police officer, without being bound to prove the facts denounced or formalize a complaint.

The whistle-blower will not incur further liability than what corresponds to the crimes that they have been committed under the doctrine of proportionality.

Estatuto de los Trabajadores

Article 5 Statute for Workers

Workers’ Duties

Workers have the following basic duties:

  1. comply with the concrete obligations of the worker’s position, in conformity with the rules of good faith and diligence.
  2. comply with the security and health methods that are adopted.
  3. comply with the company’s orders and instructions in the regular exercise of its executive powers.
  4. do not compete with the activity of the company, in the terms set out in this law.

Contribute to maximizing the company’s productivity.

Internal informers may be in conflict with their duties as an employee and under various laws – there may also be a duty though to whistle-blow or otherwise prevent crimes, and in some cases there is a contractual duty of good faith for some to whistle-blow.

Organic Law 15/1999 – allows for a system where anyone in a company can be a whistle-blower concerning violations of the law, and the company’s internal policies, codes of conduct and ethics, etc. concerning accounting and auditing.

The reporting system must rely on wrongdoings which could actually affect the contractual relationship between the company the employee incriminated (arts. 6 and 11 of the Spanish Law on Data Protection) Some companies have created “ethical mailboxes” where an employee can denounce alleged breaches of the company’s internal code of conduct. Employees must be made aware of the system, how it works and be guaranteed confidentiality concerning the information in the complaint. Complaints can be made in person or by phone. Confidential information will be available only to those essential to the investigation of the complaint. The whistle-blower’s identity will only be revealed if it is done in bad faith.

The accused should be informed of the facts brought against them as soon as possible, including the department responsible for the investigation and their rights concerning data protection. Information will be destroyed within a maximum of two months after the end of the investigation if nothing comes of it. If there is a legal case, the information can be retained as long as needed by the company.

The company should implement security methods at the most basic level. The information should be given to competent offices or brought to the AEPD. Personal data will only be revealed with the consent of the person unless it is necessary for the Public Administration to do its job or under certain contractual obligations. (Art. 6) The law defines personal data as “any information concerning identified or identifiable natural persons.” The same protections apply to revealing this information to third parties. But considering the nature of the whistle-blowing system there is a high likelihood that there will be some type of contractual relationship that will allow for protected personal data to be shared without the affected person’s consent. So a “proportionality clause” was included in the law – personal data may only be collected and used where appropriate, relevant and not excessive in relation to the scope and the specific, explicit and legitimate purposes for which they have been obtained. (Art. 4)

The law recognizes certain instances where anonymous reporting is necessary, but only allows for it in exceptional circumstances and under strict circumstances. An accused person has the right to access information concerning their whistle-blower; however, there are built in safeguards to the rule concerning the revelation of information to third parties. (Art. 11) The accused person has a right to the following information: the entity responsible for the program; the acts they are accused of; the departments or service that they can receive information from in their society or other entities or companies of the group that are a part of their society; and how to exercise their right to access and rectification. If the release of this information causes a significant risk to jeopardizing the investigation these notifications could be delayed as long as the risk exists. The objective of this exception is to preserve evidence by avoiding its destruction or alteration by the accused. It should be applied in a restrictive, case-by-case manner and take into account the broader interest at stake. The delay will not exceed three months.

The Organic Law provides that all data controllers (that is, any individual or legal person who controls and is responsible for the keeping and use of personal information on a computer or in structured manual files) must implement a data processing system based on three security levels: basic, medium, or high. The application of each security level depends on the sensitivity of the data being processed or the nature of the relevant business. All data processing systems concerning the medium and hight level must be audited externally for compliance with the applicable security level requirements. And specific regulations must be followed for the internal or international transfer of the data. Generally, the company should hold security measures at the highest level; however, under certain circumstances it is not necessary.

Penal Code

Article 426

One who has occasionally agreed to request gifts or other payments done by an authority or public official shall be exempt from punishment for the crime of bribery if they denounce the facts the appropriate authority with a duty to investigate before opening proceedings, provided that the denouncement is made within two months of the date when the facts occurred. See academic discussion of this provision.

2. Which other Acts/code indirectly apply to the area?

Constitution

Article 20

The law shall regulate the right to the protection of the clause on conscience and professional secrecy in the exercise of these freedoms. There is no specific law on protection of sources.

NOTE: In Sept. 2007, photographers in Catalonia were required to give up photographs of a demonstration where pictures of the King were burned.

Article 118

It is obligatory to comply with the firm sentences and other resolutions of the Judges and the Tribunals, as well as to provide the collaboration required by them during the course of the process and in the execution of the judgment.

Criminal Procedural Law

Article 410

All those that reside in the Spanish territory, nationals and foreigners that are not disabled, have obligations to answer any call by the court to answer questions brought to them that comply with the formalities of the law.

Organic Law 19/1994

Article 1.2

The judicial organ is responsible for establishing protective measures in the existence of racial and grave danger to the person, liberty and property, spouses or persons who is tied by similar affectivity, or ascendant, descendant or sibling.

Article 3.1

Protections are adopted at the request of the Attorney General’s office for the entire process or for as long as there is a serious danger to the protected person.

Article 3.2

Modes of protection in criminal proceeding:

  • use of official vehicles to transport those affected (victims, etc.)
  • private and/or guarded residence
  • police protection
  • funds to change residence and place of employment (in exceptional cases)
  • new identity (in exceptional cases)
Penal Code
Chapter III Circumstances that attenuate criminal responsibility

Article 21 Attenuated circumstances are:

  1. The fact that he/she has been the culprit, before they know that the judicial proceeding has been brought against them, confess the infraction to the authorities.
Title VI Crimes against Liberty
Chapter III Coercion

Artículo 172

  1. Any person without legitimate authorization impedes upon another with violence from doing something that the law doe not prohibit, or compel the other to do something he/she does not want to shall be punished with imprisonment for a period of six months to three years or a maximum fine of six to twenty months, depending on the seriousness of the coercion.

When coercion is done with the objective to impede the exercise of a fundamental right the upper half of penalties shall be imposed unless the activity is subject to another provision of the code with a higher penalty.

Higher penalties will also be imposed on when coercion was exerted with the intent to prevent the legitimate enjoyment of housing.

Artículo 173 – provides penalties for other specific acts of physical and emotional violence.

Chapter III Crimes against Public Health

Chapter 376

In cases found in articles 368 – 372 (mostly crimes to do with organized crime, terrorism or drug trafficking), the judges or court may impose a penalty lowered by one or two degreed by law for the offense in question, provided that the subject has voluntarily abandoned their criminal activity and has actively collaborated with the authorities or their agents, either to prevent a crime, to obtain decisive evidence for the identification or capture of others responsible, or to prevent the action or development of of organizations or associations to which he/she has belonged or with he/she collaborated.

Similarly, in the cases found in articles 368 – 372, the judges or courts may impose a penalty lowered by one or two degrees to the defendant that at the time of the commission of the facts was a drug addict provides sufficient evidence proving that he/she completed treatment for the addiction, provided that the amount of toxic drugs, narcotics or psychotropic substances is not marked as one that reaches notorious importance or extremely serious.

Chapter VII The obstruction of justice and professional disloyalty

Article 464 punishes obstruction of justice – One who tries with violence or intimidation to influence directly or by implication one who is an informer, party or accused, attorney, solicitor, expert, interpreter or witness so that their performance is modified and those who act against life, integrity, freedom, sexual freedom or property as reprisal against persons referred to above due to their performance in judicial proceedings.

  • This does not take into account reprisal having to do with one’s work position, such as coercion.
  • Spanish law does not contemplate immunity beyond certain cases of blackmail, terrorism and drug trafficking.

Spain’s witness protection law, Law 19/94, requires a judicial decision for witness protection measures and are implemented by the Ministry of Interior. Witnesses or experts may be allowed to participate in proceedings under reservation of their identity, under visual protection or under registration of the court instead of their residence, police may also inhibit their photos or videos from being taken. Other potential assistance includes police protection, new identities or economic means to initiate a new life at a different place. These measures are decided on a case-by-case basis. The minimum duration of protection measures lasts the duration of the proceedings and extends as long as necessary.

Spain does not have a specific institutional protection program or specific rules to protect whistle-blowers in labor and administrative law.

Spain has no explicit policies in place to encourage persons who participate in the commission of a corruption offenses to supply information. Partial immunity can be granted in bribery cases. Spanish law does not allow for lower sanctions to those who provide substantial cooperation in the investigation or prosecution (only allowed for those involved in drug trafficking or terrorism cases – where the subject voluntarily abandons their criminal activity and actively collaborates in the discovery, prosecution or impediment of these types of crime)

Ley Organica de Proteccion de Datos / Organic Law on Data Protection

Article 6 – Knowledge of the Affected

  1. The treatment of personal data will require unequivocal consent of the affected person, unless the law provides otherwise.
  2. Consent is not necessary when the data of a personal nature is collected for the exercise of the functions of public administration in the scope of their powers; when they relate to parties of a contract or a “pre-contract” for a business, labor or administrative relationship and necessary for their maintenance or performance; when the treatment of data are designed to protect a vital interest of the person concerned in terms of article 7 and 6 of the present law; or when the data is publicly accessible and its processing is necessary for the satisfaction of the legitimate interest pursued by the controller of the file or by the third party to whom the data is communicated, provided that it does not violate the fundamental rights and freedoms of the individual concerned.
  3. The consent referred to in the article may be revoked where there is valid reason and not attributed retroactive effect.
  4. In cases in which it is not necessary to have the consent of the affected for the treatment of personal data, and whenever a law does not stipulate otherwise, this may oppose the treatment when there are reasonable and legitimate grounds relating to a concrete personal situation. In such case, the person responsible for the file will exclude treatment of data concerning the affected.

Article 7 – Data with special protections

  1. Ideology, religion and beliefs are protected – when consent to use the data is made the subject must be informed of their special right to refuse
  2. Personal data which reveal the ideology, trade union membership, religion and beliefs may be processed only with the explicit and written consent of the data subject. Exceptions shall be files maintained by political parties, trade unions, churches, religious confessions or communities, and associations, foundations and other non-profit-seeking bodies with a political, philosophical, religious or trade-union aim, as regards the data relating to their associates or members, without prejudice to the fact that assignment of such data shall always require the prior consent of the data subject.
  3. Personal data which refer to racial origin, health or sex life may be collected, processed and assigned only when, for reasons of general interest, this is so provided for by law or the data subject has given his explicit consent.

Article 32. Standard codes of conduct – are subject to these rules; the codes must be in the form of codes of conduct or of good professional practice, and must be deposited or entered in the General Data Protection Register and, where appropriate, in the registers set up for this purpose by the Autonomous Communities, in accordance with Article 41. The General Data Protection Register may refuse entry when it considers that the code does not comply with the legal and regulatory provisions on the subject. In such a case, the Director of the Data Protection Agency must require the applicants to make the necessary changes.

Article 33. General rule – International Movement of Data

  1. There may be no temporary or permanent transfers of personal data which have been processed or which were collected for the purpose of such processing to countries which do not provide a level of protection comparable to that provided by this Law, except where, in addition to complying with this Law, prior authorization is obtained from the Director of the Data Protection Agency, who may grant it only if adequate guarantees are obtained.
  2. The adequacy of the level of protection afforded by the country of destination shall be assessed by the Data Protection Agency in the light of all the circumstances surrounding the data transfer or category of data transfer. Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question, the content of the reports by the Commission of the European Union, and the professional rules and security measures in force in those countries.

3. How is the division of power set out?

Spain has a civil law system with a mixed accusatory criminal process with its main laws being found in the Penal Code and Criminal Procedure Code.

According to the Spanish Constitution treaties ratified by the country are part of the domestic law and can therefore be directly applied. However, the practical use of the Convention is limited due to the use of the European Union instruments and bilateral treaties.

4. Does each Act apply to all citizens?

Public officials are protected under whistle-blower safeguards in so far as they cannot be arbitrarily sanctioned or removed except for the specific reasons laid down in the law. See also case law section.

Spain does not have a specific institutional witness protection program or specific rules to protect whistle-blowers in labor and administrative law.

As of 2007, of the 35 large Spanish companies liked on the stock market in Spain, only four have whistle-blower protection systems (Repson, Ferrovial, Cintral and BBVA).

ii. Which are the operative provisions (i.e. those provisions that give rise to a cause of action or a criminal sanction)?

iii. What is the history of the legislative regime, has it been recently amended?

The Penal Code was amended in December 2010.

1. If so, how was it amended?

Reform of the Penal Code introduced the criminal responsibility of a legal person requires a company that wishes to avoid or mitigate their legal responsibility to demonstrate that they exercise due control over their managers/directors and employees. The company must demonstrate that it has adopted reforms in the personnel, systems and processes structures, among others, introduce a channel for whistle-blowers, as a central element to the model. Procedures will need to exist at all levels and their effectiveness and efficiency will need to be verified through audits. Penalties include fines, the dissolution or suspension of the organization for up to five years, full closure, disqualification from grants or public aid or contracts with the Public Administration, or liquidation. In particular Article 31 bis requires best practices to be implemented to avoid imputing illegal acts of employees to supervisors or the corporation, for example.

2. What is the reform attempting to cure?

iv. Are there currently any proposals to reform the legislative regime?

A Spanish employer may not discipline or dismiss an employee who has reported malpractice to the authorities (relating to illegal or good faith actions which violate rights protected by the Spanish Constitution). Disclosures made by employees are protected if they relate to malpractice or criminal matters. This applies regardless of whether the disclosure was made by the employee in good faith. If there is a whistle-blower policy or a collective agreement dealing with whistle-blower policies, procedures for reporting concerns internally set forth in that policy must be followed, provided that the disclosure does not relate to criminal malpractice. As of 2010, this subject was under debate in a draft Unified Code on corporate governance of listed companies.

b. Case law

i. What are the general principles at law?

Denouncing illegal activity within a company is not a valid cause for dismissal, especially where the facts are of general public interest and may be against the fundamental right to freedom of information, and most particularly when no contractual obligations are broken.

A complainant cannot appeal an AEPD appeal since they lack standing as an interested party in the sanctioning procedure, even if the complainant considered themselves a victim of the alleged infringement on personal data.

ii. What are the leading cases supporting the general principles?

Tribunal Constitucional – 57/1999 April 12 – Ruled on the constitutionality of the dismissal of an inspector of the Directorate General of Aviation after an airplane crash where he reported to a news paper the bad conditions of the planes and the passivity of the Civil Aviation who the planes belonged to. Most of the judges found the dismissal to be against the fundamental right to freedom of information, since there were relevant facts of general interest that did not break any contractual obligations.

The Central Court of Employment – 12 Nov. 1981 – ruled on a case of workers who made public that the electricity company that he worked for used hazardous materials. The court concluded that his conduct was done to protect the security and health of the workers. The court explained that to take it another way would be the equivalent of forcing the worker to become an accomplice to the fraud/misconduct of his employer, which can become criminal. Loyalty to ones employer would lead one who discovers fraud to let down those customers that they were entrusted to protect.

A former mayor of Gotland, Marianne Smaulelsson, was dismissed from his job as head of the legal office of the urban planning department in Marbella after she provided information concerning a crime in a hotel development deal that sparked an investigation of a specific case. This case evidences the lack of whistle-blower protection provisions in Spain and that leaks take place well after the corruption has occurred.

In October 2009, the Spanish Supreme Court established that one who denounces acts that he/she believes constitutes an infringement of the data protection legislation to their detriment lacks standing to challenge a judicial decision. Specifically, the whistle-blower of an infraction of the data protection legislation lacks standing to oppose the resolution of the AEPD concerning the sanctioning results (imposition of a sanction, amount of sanctions, etc), but, eventually, there may be standing with respect to aspects of the resolution other than specific penalties provided, of course, if some genuine interest is demonstrated that is worthy of protection.

This decision involves an appeal brought by a company that was sued in 2003 for allegedly violating the Organic Law on Data Protection. First, the AEPF did not find sufficient reason to impose any sanctions on the company and the plaintiffs appealed to the National Court. The National Court found in favor of the plaintiffs, sending the case back to the AEPF. The Supreme Court found that the plaintiff did not have a subjective right or legitimate interest to which the defendant can be punished for. Since punitive powers rest with the Administration, only the Administration has an interest protected by the legal system in which the offender is punished. The Supreme Court explained that “to accept the legitimate standing of the whistle-blower not only would lead to a finding that he/she has an interest that the legal system does not recognize or protect, but would also lead to transforming the court – administrative courts into a sort of sanctioning appeals body. This would be good because it could impose administrative sanctions that the Administration cannot/does not impose, which would run counter to the so-called “character reviewer” of the contentious jurisdiction – administrative. In other words, the contentious-administrative courts can and must control the legality of the administrative acts in sanctions; but they can not replace the Administration in the exercise of the sanction powers entrusted to it by law.” There have been two similar rulings (Nov. 2007 and Dec. 2008).

c. Parliamentary / Government enquiries and Enforcement Institutions / Bodies that undertake these investigations

i. Regulatory Bodies

Agencia Espanola de Proteccion de Datos (AEPD) / Spanish Agency for Protection of Facts controls compliance with the Organic Law for Protection of Personal Character Facts. In the public sector, the Act also regulates the use and management of information and files with personal data used by all public administrations.

Ley Organica de Proteccion de Datos / Organic Law for Data Protection

Article 37. Functions

The functions of the Data Protection Agency are as follows:

  1. To ensure compliance with the legislation on data protection and ensure its application, in particular as regards the rights of information, access, rectification, objection and cancellation of data.
  2. To issue the authorizations provided for in the Law or in its regulatory provisions.
  3. To issue, where applicable, and without prejudice to the remits of other bodies, the instructions needed to bring processing operations into line with the principles of this Law.
  4. To consider the applications and complaints from the data subjects.
  5. To provide information to persons on their rights as regards the processing of personal data.
  6. To require controllers and processors, after having heard them, to take the measures necessary to bring the processing operations into line with this Law and, where applicable, to order the cessation of the processing operation when the cancellation of the files, when the operation does not comply with the provisions of the Law.
  7. To impose the penalties set out in Title VII of this Law.
  8. To provide regular information on the draft general provisions set out in this Law.
  9. To obtain from the data controllers any assistance and information it deems necessary for the exercise of its functions.
  10. To make known the existence of files of personal data, to which end it shall regularly publish a list of such files with any additional information the Director of the Agency deems necessary.
  11. To draw up an annual report and submit it to the Ministry of Justice.
  12. To monitor and adopt authorisations for international movements of data, and to exercise the functions involved in international cooperation on the protection of personal data.
  13. To ensure compliance with the provisions laid down by the Law on Public Statistics with regard to the collection of statistical data and statistical secrecy, to issue precise instructions, to give opinions on the security conditions of the files set up for purely statistical purposes, and to exercise the powers referred to in Article 46.
  14. Any other functions assigned to it by law or regulation.

In 2007, the AEPD issued an opinion concerning whistle-blowing procedures compliance with Organic Law 15/1999 on personal data protection (LOPD) for the first time. The AEPD follows Opinion 1/2006 concerning the application of EU data protection rules to internal whistle-blowing schemes in the fields of accounting, internal accounting controls, auditing matters, the fight against bribery, banking and financial crimes. Since whistle-blower schemes necessarily trigger the processing of personal data (under EU directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), data processing can be based on:

  1. the unambiguous consent of the data subject;
    1. under the operation of a whistle-blower system it is not possible to obtain the relevant data subject’s consent for the processing of their personal data
      1. Exception – AEPD allows data to be processed if it is necessary for the performance of a contract to which the data subject is a party (i.e. those covered by the system are bound to the company by an employment, civil or commercial contract)
        1. contractual relationship exists and all parties have been informed that the whistle-blower system exists; and
        2. is necessary for the performance of the contract.
  2. compliance with legal obligation to which the controller of the data is subject; or
    1. there is no legal obligation regarding the implementation of whistle-blower procedures under Spanish law
    2. AEPD recognizes that investment service companies, credit entities and persons or entities that act on the stock exchange are able to implement whistle-blower systems pursuant to Article 79.1 of Spanish Securities Market Act 24/1988.
    3. Spanish Unified Best Practices Corporate Governance Code of May 19, 2006, advises public companies to implement mechanisms to allow employees to confidentially denounce (anonymously if appropriate) any irregularities that take place within the company, particularly in the context of financial and audit work, provided that those systems are implemented in compliance with the LOPD. The code is based on the “comply or explain” principle: companies must explain how it complies with best practices or explain the reasons why it fails to do so.
      1. The AEPD does not find a legal obligation for companies to implement whistle-blowing procedures under the code – public companies may not implement whistle-blowing systems if they can explain why such systems have not been implemented. It finds it to be “soft law” which shall be dealt with by the AEPD in the future.
  3. the legitimate interests pursued by the controller, provided said interests are not overridden by the fundamental right of the data subjects.
    1. LOPD does not adequately implement the “legitimate interest objection”
    2. according to the AEPD the implementation of whistle-blowing procedures in Spain cannot be based on the legitimate interest exception.

SCOPE of whistle-blowing procedures – **NOTE: the AEPD provided this opinion with regard to a specific company inquiry** but it has been widely followed

  • whistle-blowing systems are limited to reporting specific irregularities, and only cover those irregularities which have an impact on the maintenance of the employment contract between the reported person and the company

ANONYMOUS reporting – does NOT comply with LOPD

  • under Article 29, anonymous reports should not be accepted as a general rule and should be discouraged; however, in certain circumstances they are allowed
  • whistle-blowers need to be informed that their identity may be disclosed if necessary in the context of a judicial proceeding.

Fair Processing of Information – regarding the obligation to inform the reported person of the collection and processing of their personal data according to Article 29 – the data subject must be informed as soon as possible of the collection of their personal data, provided it is applied on a case-by-case basis and take into account wider interests at stake. This can wait if it is necessary not to inform the reported persons so that the company can investigate the report. The AEPD agrees as long as the person is informed no later than 3 months after the report. If the employee is part of a union, the company should inform the union of any processing against its members. The company could decide to hold information related to the association confidential/protected. Companies are obliged to notify the AEPD of the processing of personal data and must ask for authorization if they intend to transfer the data to an affiliate in a country that does not provide equivalent levels of data security.

The Spanish Unified Best Practice Corporate Governance Code (Codigo Unificado de la Comision Nacional del Mercado de Valores), of 19 May 2006, through Recommendation 50.1(d) of Part II of the Código Unificado de Buen Gobierno (approved by the Spanish Comisión Nacional del Mercado de Valores, Spain’s version of the S.E.C., on May 22, 2006) recommends (but does not mandate) that the audit Committees of Spain-traded public companies “establish and supervise mechanisms that allow employees to communicate confidentially and even anonymously, as appropriate, any potentially-significant irregularities they notice in the company, especially those relating to financial or accounting issues”. Nevertheless, this same recommendation also says that these “mechanism[s]” must “scrupulously comply with limitations established” by the Spanish Data Protection Act, and Spain’s data law, in turn, flatly prohibits anonymous whistle-blowing. This Spanish securities recommendation follows a rarely-discussed non-binding EU recommendation, the EU Commission Recommendation of 15 February 2005 on the Role of Non-Executive or Supervisory Directors of Listed Companies and the Committees of the (Supervisory) Board, 2005/162/EC, which (at its annex 4.3.8) recommends (but does not require) that “audit committees of public companies should review the process whereby the company complies with existing provisions regarding the possibility for employees to report alleged significant irregularities in the company, by way of complaints or through anonymous submissions, normally to an independent director…”.

The court determines the level of protection a witness or expert receives during court proceedings to last for as long as necessary. Protection measures are decided on a case-by-case basis. The Ministry of Interior carries out these protective measures.

Spain has a financial intelligence unit, Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias / Executive Service on the Commission on Prevention of Money Laundering and Monetary Offenses (SEPBLAC) that receives suspicious transaction reports from businesses, government and foreign authorities, lawyers and auditors.

What is their track record?

According to the US Securities and Exchange Commission Annual Report on Dodd-Frank Whistle-blower Program, Fiscal Year 2011, only two whistle-blower tips were received from Spain between 8/12/2011 and 9/30/2011.

There are no statistics concerning the number of protected witnesses, the type of offenses in which witness protection had to be provided, or measures taken to protect the witness.