Whistleblower Protection Law

On February 21, 2023, Law 2/2023 for the protection of individuals who report regulatory infringements and fight against corruption was published in the Official State Gazette of Spain in response to the obligation imposed by Directive 2019/1937 of the European Parliament, also known as the "Whistleblowing Directive." This law aims to strengthen the culture of compliance and protect whistleblowers in both public and private sector entities.

With a maximum implementation deadline by the end of September (3 months from the entry into force on June 13, 2023) for organizations with more than 250 employees, and December 1 for entities with fewer than 250 employees, this law requires organizations with more than 50 employees to have reporting channels that meet certain minimum requirements.

Among the minimum characteristics listed are: reports must be directed to a single internal system where all cases are managed, systems must be implemented to guarantee the whistleblower's anonymity, and there must be an internal person responsible for the reporting system, although this management can be internal or external to the organization. The law also states that mechanisms to protect the whistleblower and related persons must exist.

The types of communications to be processed through the reporting channel will be those related to infringements of European Union law, serious administrative infringements, very serious infringements, and criminal acts.

Furthermore, reporting channels must be independent, guarantee anonymity, confidentiality, and compliance with European and Spanish data protection regulations. In all cases, a register must be kept to record the reports received, communications, and investigations carried out.

In terms of data protection measures, the law requires compliance with deadlines for the retention and deletion of personal data. Communications of reports can only be retained within the system for the time necessary to decide whether the investigation proceeds or not. If a decision is not made within a period of 3 months, the report must be deleted from the system. Conversely, if the investigation proceeds, personal data can be retained for an additional 3 months.

What are the penalties for organizations that fail to comply with the law?

Organizations that fail to comply with the law may be subject to the following penalties:

  • Fines of up to one million euros for legal entities.
  • Fines of up to 300,000 euros for individuals.
  • Public reprimands.
  • Prohibition from obtaining subsidies or tax benefits for up to 4 years.
  • Prohibition from contracting with the state for up to 3 years.

Make the best decision for your organization, stay informed, and start implementing the reporting channel that best suits your entity's needs while complying with European regulatory requirements.

Author: André Barrantes
CEO and founder of SHOGUN Monitor. He is an expert in digital training development and specialized technology in Operational Fraud Prevention and corruption, with clients in over 20 countries in America and Europe.

André Barrantes, Costa Rica

He is the CEO and founder of SHOGUN Monitor, a leading company in technological development and innovation in the field of digital reporting channels in Latin America.

He is an expert in the technological development of digital reporting channels, with a presence in both America and Europe. Additionally, he specializes in digital training and technology related to Operational Fraud Prevention and corruption.

He is also the CEO and founder of CAPACITA, a leading specialized training company in Fraud Prevention and Auditing, where professionals from various sectors, including finance, government, industry, services, and technology, are trained in over 20 countries in America and Europe.

In the past 3 years, his training activities have registered more than 100,000 participants.
