Whistleblowing Channel
A whistleblowing channel is a secure reporting mechanism allowing employees, contractors, suppliers, and other stakeholders to report suspected legal violations, ethical breaches, or corporate misconduct — typically anonymously. EU Directive 2019/1937 on the protection of whistleblowers and Spain's implementing Law 2/2023 make it mandatory for private companies with 50 or more employees and all public sector entities.
The EU Whistleblower Protection Directive
EU Directive 2019/1937 on the protection of persons who report breaches of Union law established a common minimum framework across all EU member states for whistleblower protection. Its core objectives are to:
- Ensure that people who report breaches of EU law are protected from retaliation
- Require organisations above certain thresholds to establish internal reporting channels
- Designate competent authorities to receive external reports
- Guarantee confidentiality of reporter identity
Spain’s Implementation: Law 2/2023
Spain transposed the Directive through Ley 2/2023 de 20 de febrero, reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción. The law came into force in March 2023, with a phased compliance timeline:
- March 2023: Public sector entities and private companies with 250+ employees
- December 2023: Private companies with 50–249 employees
Spain went beyond the minimum EU standard in several important respects — the law covers not only breaches of EU law but also breaches of Spanish national law, and extends to criminal offences and administrative infractions across all areas of regulation (not limited to the specific EU law areas listed in the Directive).
Who Must Comply?
Under Law 2/2023, the following entities must establish an internal reporting channel:
- Private sector: All companies with 50 or more employees
- Political parties, trade unions, and employer associations that receive public funding
- Foundations: Regardless of size if they receive public funding
- Public sector: All public administrations, state-owned entities, and public law bodies
- Companies in financial services: Regardless of size (subject to sectoral regulation)
For private groups of companies, each subsidiary with 50+ employees must establish its own channel, or the group may establish a shared channel (subject to confidentiality requirements being met for each entity).
Requirements for a Compliant Whistleblowing Channel
A compliant channel under Law 2/2023 must:
- Accept anonymous reports (the law does not require that reports be made anonymously, but it does require that anonymous reports be received and handled)
- Protect the identity of the reporter and any third parties mentioned in the report (confidentiality is mandatory)
- Provide an acknowledgement of receipt within 7 calendar days
- Provide a substantive response to the reporter within 3 months (extendable to 6 months in complex cases)
- Be independent — managed by a person or body designated with functional independence
- Allow both written and oral reporting (the oral option can be satisfied by a telephone line with a voice recording or meeting)
- Be secure — adequately protected against unauthorised access
Data Protection Requirements (GDPR Intersection)
The whistleblowing channel necessarily processes personal data — the reporter’s identity (even if not disclosed to investigators), the identity of the accused person, and the details of any investigation. This means:
- A Data Protection Impact Assessment (DPIA) is typically required (systematic processing of data related to alleged misconduct falls within GDPR Article 35 high-risk criteria)
- The channel’s data must be kept separate from other HR data systems
- Retention limits apply: data must be deleted once the investigation is concluded and any resulting proceedings finalised (generally no longer than 10 years)
- The accused person’s right to be informed must be managed carefully — they must eventually be notified, but notification may be delayed during the investigation
The Independent Manager Requirement
Law 2/2023 requires that the channel be managed by a person or body designated for this purpose with functional independence. For smaller companies, this is typically:
- An internal compliance officer (provided they have genuine independence)
- An external third-party provider specialising in whistleblowing management
- An external legal advisor managing the channel under a service contract
The external model is recommended for smaller organisations where true independence from management is difficult to guarantee internally, and particularly where the report may concern senior management.
Penalties for Non-Compliance
The Authority for the Protection of Informants (Autoridad Independiente de Protección del Informante — A.A.I.) oversees Law 2/2023 compliance. Penalties:
- Very serious infringements (e.g., retaliation against reporters, destruction of evidence): up to €1 million for private entities; higher for public entities
- Serious infringements (e.g., breach of confidentiality, failure to establish a channel): up to €300,000
- Minor infringements (procedural failures): up to €100,000
How BMC Can Help
We implement compliant whistleblowing channels for companies, covering channel design, policy drafting, the DPIA, staff communication and training, appointment of an independent channel manager, and ongoing case handling and annual reporting to the board.
Frequently asked questions
Which Spanish companies are legally required to have a whistleblowing channel?
What were the compliance deadlines for Law 2/2023 whistleblowing channels in Spain?
What must a compliant whistleblowing channel include under Spanish law?
What are the penalties for non-compliance with Spain's whistleblowing law?
Does Law 2/2023 require the whistleblowing channel to accept anonymous reports?