The 50-employee threshold is one of the most consequential milestones in Spanish business law. Crossing it does not simply mean a larger payroll — it activates a coordinated set of legal obligations spanning employment law, gender equality, corporate governance and whistleblower protection. Companies that fail to manage this transition systematically expose themselves to significant administrative penalties, reputational risk, and potential liability that can fall on individual directors as well as the company itself.
The Equality Plan: The Highest-Impact Obligation
Organic Law 3/2007 of 22 March on the effective equality of women and men, developed by Royal Decree 901/2020, requires companies with 50 or more workers to negotiate, adopt and implement an Equality Plan. This is not a policy document — it is a formal instrument negotiated with workers’ legal representatives, built on a mandatory prior diagnosis that includes a pay register, a salary audit and a gender gap analysis across the full organisation.
The Plan must cover measures in recruitment, training, promotion, working conditions, and the prevention of sexual harassment and harassment on grounds of gender. Once agreed, it must be registered in the official register of collective agreements (REGCON) to be legally effective and must be reviewed at agreed intervals or at least every four years.
Non-compliance is classified as a very serious labour infringement under Article 40.1.c of the TRLISOS, with fines ranging from €7,501 to €225,018. The absence of an Equality Plan can also disqualify a company from public procurement contracts under the Public Contracts Law (LCSP) — a particularly damaging consequence for companies with public sector clients.
Royal Decree 902/2020 on equal pay adds a parallel obligation: a pay register covering the entire workforce, including directors and senior managers, disaggregated by gender, professional group and job category, combined with a pay audit as part of the Equality Plan diagnostic process.
The Whistleblowing Channel: Mandatory Under Law 2/2023
Law 2/2023 of 20 February — transposing EU Directive 2019/1937 on whistleblower protection — requires all private-sector companies with 50 or more employees to establish an internal reporting channel. The legal requirements for this channel are specific:
- Guaranteed confidentiality of the reporting person’s identity and of third parties mentioned in reports.
- Availability of anonymous reporting.
- Management by a person or body that is independent from company management and has the competencies required to investigate.
- Acknowledgement of receipt within seven working days and a substantive response to the reporting person within three months.
- An express prohibition on any form of retaliation against reporters.
Failure to implement a compliant channel exposes companies to fines of up to €1 million. The independent supervisory body, the Autoridad Independiente de Protección del Informante (A-IPI), is responsible for enforcement and has published guidance on what constitutes a compliant channel design.
The Works Council: Broader Consultation Rights
Under Article 63 of the Workers’ Statute (Estatuto de los Trabajadores), companies reaching 50 employees at a single workplace are required to constitute a works council (comité de empresa). Unlike employee delegates (delegados de personal), who can be elected from as few as ten employees, the works council is a collegiate body with significantly broader information, consultation and negotiation rights.
From a corporate management perspective, the works council’s presence imposes consultation obligations that extend well beyond routine labour matters. Article 64 ET requires the company to provide the council with information about the company’s economic situation, employment trends, subcontracting arrangements and — critically — any restructuring plans that may affect employment. Failure to respect these information rights can render subsequent collective dismissal or substantial modification of working conditions procedures null and void, exposing the company to reinstatement orders and continued salary liability.
The Joint Health and Safety Committee
Article 38 of the Prevention of Occupational Risks Act (Law 31/1995) requires companies with 50 or more employees to constitute a Joint Health and Safety Committee (Comité de Seguridad y Salud), composed equally of prevention delegates from the workforce and management representatives. The committee must meet at least quarterly and has consultation, information and participation functions in the company’s health and safety management.
Alongside the committee, the company’s obligations in occupational risk assessment, prevention planning, employee health surveillance and prevention training all become more complex with a larger workforce. These are typically managed through an accredited external prevention service (servicio de prevención ajeno) or an in-house equivalent.
Corporate Governance and Company Secretarial Obligations
Beyond employment law, reaching 50 employees typically coincides with a moment of greater corporate governance complexity. Key obligations and best practices at this threshold include:
Minute books and records: Spain’s Companies Act (Ley de Sociedades de Capital, LSC) requires up-to-date minute books for board meetings and shareholders’ meetings, a shareholder register, and — in sole-member companies — a register of contracts with the sole member. Annual legalisation of these books at the Companies Registry is mandatory for all capital companies regardless of size.
Internal control and risk management: although mandatory only for listed companies and public interest entities, the CNMV’s Code of Good Governance and international best practice recommend that companies of this size maintain documented internal control functions, a corporate risk map and a conflicts-of-interest policy for their directors.
Data protection and the DPO: the GDPR (EU Regulation 2016/679) and Spain’s LOPDGDD require the designation of a Data Protection Officer (DPO) in specific circumstances determined by the nature of processing activities rather than headcount. However, companies of 50+ employees have typically reached a volume and variety of personal data processing that makes a DPO — or a contractual arrangement with an external DPO — both advisable and, in many sectors, legally required.
A Compliance Checklist for Companies at the Threshold
If your company is approaching or has recently crossed the 50-employee threshold, we recommend an immediate review of compliance status across the following areas:
- Equality Plan negotiated, registered in REGCON and in force
- Pay register and salary audit completed (RD 902/2020)
- Whistleblowing channel implemented and communicated to all staff (Law 2/2023)
- Works council election process initiated or council already in place
- Joint Health and Safety Committee constituted and meeting records maintained
- Occupational risk assessment and prevention plan updated
- Company books legalised and up to date at the Companies Registry
- DPO designated and data processing register reviewed
Managing these obligations proactively is not simply risk avoidance — it is the organisational foundation needed to scale with legal and operational confidence.
At BMC we manage operational processes for more than 200 companies. See our corporate secretarial and governance services.
