Corporate Criminal Liability in Spain

Since the 2010 reform of the Spanish Criminal Code, legal entities (companies) can be held directly criminally liable for certain offences committed by their managers or employees in the course of business. Companies can face fines, dissolution, suspension, prohibition from contracting with public bodies, and other criminal sanctions. Implementing a robust criminal compliance programme (compliance penal) is the primary defence.

The Origin of Corporate Criminal Liability in Spain

Spain introduced corporate criminal liability through Ley Orgánica 5/2010, which reformed the Criminal Code (Código Penal) to add Article 31 bis. Before this reform, Spanish criminal law operated on the principle societas delinquere non potest — a legal entity cannot commit a crime. The reform reversed this position, aligning Spain with EU anti-corruption directives and OECD standards.

Ley Orgánica 1/2015 significantly strengthened the framework, particularly clarifying the role of criminal compliance programmes as a complete defence (eximente) and introducing more detailed conditions for exoneration.

Who Can Be Liable?

Article 31 bis of the Criminal Code creates liability for:

  • Legal entities (personas jurídicas): including commercial companies (SL, SA, cooperatives, foundations, associations) operating for profit or other purposes
  • Both Spanish-incorporated entities and foreign entities operating in Spain

The following are not subject to corporate criminal liability:

  • The Spanish State, regional governments, local authorities, and other public bodies
  • Some regulatory bodies and public agencies (narrow exceptions)

The Two Liability Routes

Route A: Liability for Acts of Management

A company is liable when an offence is committed:

  • By its legal representatives or persons with management authority (board members, CEOs, managing directors)
  • In the company’s name or on its behalf
  • For the company’s benefit (direct or indirect, including saving costs)

Route B: Liability for Lack of Supervision

A company is also liable when an offence is committed:

  • By an employee or subordinate worker (not just managers)
  • Where the offence was made possible by management's failure to exercise adequate supervision, vigilance, or control over that person

This second route is particularly broad: it can cover a salesperson bribing a customer’s purchasing manager, a logistics employee defrauding carriers, or an HR officer making discriminatory hiring decisions — if the company failed to implement controls that would have prevented the conduct.

Offences That Can Trigger Corporate Liability

The Criminal Code does not make all offences applicable to legal entities — only a defined catalogue:

| Category | Key offences |
|---|---|
| Corruption | Bribery (cohecho), influence peddling (tráfico de influencias) |
| Financial crime | Fraud, document falsification, insider trading, market manipulation |
| Tax crime | Tax fraud above EUR 120,000 (delito fiscal) |
| Environmental crime | Pollution, illegal waste disposal, emissions offences |
| Labour crime | Exploitation of workers, illegal hiring of undocumented workers |
| Data crimes | Unauthorised access to computer systems, personal data offences |
| Money laundering (blanqueo de capitales) | Handling proceeds of crime |
| IP/trademark offences | Industrial and intellectual property infringement at scale |
| Transnational bribery | Bribing foreign public officials |
| Human trafficking | Trafficking in persons |
| Child exploitation | Child pornography (where servers or distribution channels are involved) |
| Terrorist financing | Providing funds or resources to terrorist organisations |

Criminal Sanctions for Companies

When a company is convicted, the court may impose:

| Sanction | Notes |
|---|---|
| Fine (multa) | Calculated as a multiple of the daily fee (días-multa) or as a proportion of earnings; can reach tens of millions of euros in serious cases |
| Dissolution (disolución) | Terminal sanction — the company ceases to exist |
| Suspension of activities | Temporary closure of operations (up to 5 years) |
| Closure of premises | Specific locations closed (up to 5 years) |
| Prohibition from certain activities (inhabilitación) | Prohibited from activities in which the offence was committed |
| Bar from public contracts and aid | Cannot tender for public contracts or receive subsidies |
| Judicial supervision (intervención judicial) | A court-appointed supervisor oversees company operations |

These sanctions run in addition to, and independently from, the criminal sanctions imposed on the individual perpetrators.

Criminal Compliance Programme as a Defence

Complete Defence (Eximente Completa)

A company is fully exonerated of criminal liability if, before the commission of the offence, it had adopted and implemented an effective criminal compliance model (modelo de organización y gestión) that:

  1. Identified and mapped the criminal risks inherent in the company’s activities
  2. Established protocols and controls to prevent or significantly reduce those risks
  3. Delegated a body with autonomous supervisory powers (compliance officer / órgano de vigilancia y control)
  4. Included a channel for reporting potential violations (canal de denuncias)
  5. Established a disciplinary system for violation of the compliance model
  6. Periodically reviewed and updated the model

For the complete defence to apply via Route B (employee offence), the compliance model must have been effective and the management of the órgano de vigilancia must not have been negligent.

Partial Defence (Eximente Parcial)

If the compliance programme existed but was not fully implemented or had gaps at the time of the offence, the court may apply a mitigating circumstance (atenuante) rather than a full exoneration — resulting in reduced sanctions.

Compliance Certification

Several certification bodies (AENOR, Bureau Veritas, Lloyd’s Register, etc.) offer certification of criminal compliance management systems against standard frameworks (UNE 19601, ISO 37001 for anti-bribery). While not legally required for the defence, certification provides strong evidence of genuine implementation.

The Compliance Officer and Supervisory Body

The órgano de vigilancia y control must have:

  • Genuine autonomy from management (cannot report to the same management that is subject to supervision)
  • Sufficient resources and access to information
  • Power to investigate reported violations
  • Ability to propose disciplinary measures

In large companies, this is typically a dedicated Chief Compliance Officer (CCO) supported by a compliance function. In smaller companies, an external lawyer or consultant may serve in this role. For small companies below certain thresholds, the audit committee (órgano de administración) may assume the compliance oversight role.

Whistleblowing Channel Requirement

The requirement for a reporting channel within the compliance programme has been reinforced by the Ley 2/2023 de protección del informante (transposing the EU Whistleblower Protection Directive). Companies with 50+ workers must have an internal reporting channel (canal interno de denuncias). This channel is now both a PRL obligation and a criminal compliance obligation.

Frequently Asked Questions

Can a company be convicted even if the individual perpetrator is not identified? Yes. Spanish law allows the company to be convicted even where the individual responsible is not identified, as long as the facts constituting the offence are established and they occurred within the company’s activity for the company’s benefit.

What is the statute of limitations for corporate criminal liability? The limitation period depends on the specific offence. Serious offences (corruption, money laundering, tax fraud) carry limitation periods of 10–20 years. The limitation period for the company's liability runs from the same date as for the natural person.

Are Spanish subsidiaries of foreign groups subject to this framework? Yes. Any Spanish-incorporated legal entity (including subsidiaries of foreign groups) is subject to Article 31 bis. The fact that the parent company has its own international compliance programme does not automatically protect the Spanish subsidiary — a locally adapted programme is necessary.

What is UNE 19601? UNE 19601 is the Spanish standard (norma española) for criminal compliance management systems, published by AENOR. It is the primary Spanish standard against which criminal compliance programmes are certified, designed specifically to demonstrate compliance with Article 31 bis requirements. ISO 37001 covers anti-bribery specifically.

Can a company face both criminal and administrative liability for the same facts? The principle of non bis in idem (no double jeopardy) prevents both criminal and administrative sanctions for identical facts. However, if the criminal prosecution is ongoing or concluded, overlapping administrative proceedings must generally be stayed pending the criminal outcome. After acquittal, administrative proceedings may resume.

Frequently asked questions

When did companies become criminally liable in Spain?
Spain introduced corporate criminal liability through Ley Orgánica 5/2010, which added Article 31 bis to the Criminal Code, reversing the prior principle that legal entities could not commit crimes. Ley Orgánica 1/2015 significantly strengthened the framework, clarifying that an effective compliance programme is a complete defence (eximente completa) against criminal liability.
What criminal offences can trigger corporate liability in Spain?
The Criminal Code applies corporate liability only to a defined catalogue of offences, including bribery, tax fraud above €120,000, money laundering, environmental crimes, labour exploitation, data crimes, transnational bribery of foreign public officials, and market manipulation. Not all criminal offences can generate corporate liability — only those expressly included in the Code.
Can a Spanish company be convicted even if the individual employee responsible is not identified?
Yes. Spanish law allows the company to be convicted even where the individual perpetrator is not identified, provided the facts constituting the offence are established and occurred within the company's activity for the company's benefit. The corporate and individual liability proceedings are legally independent.
How does a criminal compliance programme protect a Spanish company?
A company is fully exonerated (eximente completa) if it had an effective compliance programme in place before the offence was committed, covering criminal risk mapping, prevention protocols, an autonomous supervisory body, a whistleblowing channel, a disciplinary system, and regular review. Certification against UNE 19601 or ISO 37001 provides strong evidence of genuine implementation.
Is a whistleblowing channel mandatory for Spanish companies under criminal compliance rules?
Yes. A reporting channel is both a criminal compliance requirement and, for companies with 50 or more workers, an obligation under Ley 2/2023 de protección del informante (which transposes the EU Whistleblower Protection Directive). The channel must be internal, confidential, and accessible to employees and third parties who become aware of potential breaches.