Skip to content

Four compliance obligations, one provider: save time, money and duplication

Spanish mid-sized companies — between 50 and 250 employees — face an unprecedented regulatory accumulation. In less than five years, four major compliance frameworks have come into force or intensified simultaneously, affecting virtually any company of this size: the General Data Protection Regulation (GDPR) and the LOPDGDD with their obligations for records of processing activities, Data Protection Officer (DPO) and impact assessments; Ley 10/2010 on the prevention of money laundering for obliged entities in the sector; Ley 2/2023 on whistleblower protection (the Whistleblowing Directive), which requires companies with 50 or more employees to have an operational internal reporting channel in place; and the corporate criminal liability regime under Article 31 bis of the Penal Code (art. 31 bis del Código Penal), which can only exonerate or mitigate criminal liability if the company had an effective crime prevention programme in place before the offence was committed. The problem is that many companies manage these obligations in a fragmented way: one consultancy for GDPR, one law firm for criminal compliance, a technology platform for the whistleblowing channel, and nobody checking whether the four programmes are coherent with each other. This fragmentation generates documentary duplication, contradictory policies, unnecessary costs, and — most critically — invisible compliance gaps. The whistleblowing channel processes personal data and needs its own record of processing activities compliant with GDPR. Criminal compliance requires a channel for reporting irregularities. AML prevention needs internal policies that do not contradict data protection policies. Everything is interconnected.

Since 2010 · 16 years Tax agent AEAT

Pick a slot in the specialist's calendar.

Tell us when to call and a partner will contact you in your chosen window.

Write to us and we'll reply within 24 business hours.

Data processed in the EU · GDPR · No commitment

Why BM Consulting

Specialised advice and personal service

BMC offers an integrated compliance service for SMEs that brings all four obligations under one provider and a single point of contact. We design the compliance programme as a coherent system in which internal policies, procedures and documentation do not duplicate but complement each other. A single external compliance officer coordinates all four areas, knows the company in depth, and ensures there are no contradictions between the different programmes. The integrated approach not only reduces the total cost of compliance — we estimate savings of 30% to 50% compared with engaging the four services separately from different providers — it also produces a higher-quality compliance programme, because the different elements are designed in a coordinated way from the outset. We also include an annual compliance audit that reviews the status of all programmes and updates documentation in response to regulatory changes.

  • Integrated SME compliance covers three dimensions

    criminal (crime prevention programme), GDPR (data protection) and employment (equality, harassment, whistleblowing channel).

  • The whistleblowing channel has been mandatory for companies with 50 or more employees since Ley 2/2023.

  • The equality plan is mandatory for companies with more than 50 employees — without it, the company may be excluded from public contracts.

  • GDPR requires records of processing activities, a privacy policy, data processing agreements with providers, and impact assessments for high-risk processing.

How we work

From first contact to case completion

  1. Multi-disciplinary compliance audit

    We begin the engagement with a cross-cutting audit that analyses the current state of compliance across all four areas: GDPR (records, processor agreements, privacy policy, legal bases), AML where applicable, whistleblowing channel and criminal compliance. We deliver a gap report prioritised by risk level and a coordinated action plan.

  2. Design of the integrated programme

    We design the compliance programme as a single system: coherent internal policies, a code of ethics that serves as the foundation for all programmes, a staff training system that covers all areas simultaneously, and a documentary structure that avoids duplication. The whistleblowing channel is integrated with criminal compliance and GDPR from the outset.

  3. Coordinated implementation and training

    We implement all programmes in a coordinated manner, managing timelines and internal communications. We train staff in a single annual session covering all four areas in an integrated way, with differentiated materials by level of responsibility. We document training attendance for each employee.

  4. External compliance officer and annual audit

    We act as the company's external compliance officer: we are the single point of contact for any compliance matter, manage incidents as they arise, and conduct the annual audit that verifies the status of all programmes and updates documentation in response to regulatory or business changes.

Self-check · 45 seconds

Do you need this service?

Answer three questions and we'll show you the most relevant service for your case.

Do you currently reside in Spain?
Do you have assets or income in another country?
Have you received or are you expecting an inheritance?
Are you considering setting up a company?
Answer to see your recommended services.

The problem

Spanish mid-sized companies — between 50 and 250 employees — face an unprecedented regulatory accumulation. In less than five years, four major compliance frameworks have come into force or intensified simultaneously, affecting virtually any company of this size: the General Data Protection Regulation (GDPR) and the LOPDGDD with their obligations for records of processing activities, Data Protection Officer (DPO) and impact assessments; Ley 10/2010 on the prevention of money laundering for obliged entities in the sector; Ley 2/2023 on whistleblower protection (the Whistleblowing Directive), which requires companies with 50 or more employees to have an operational internal reporting channel in place; and the corporate criminal liability regime under Article 31 bis of the Penal Code (art. 31 bis del Código Penal), which can only exonerate or mitigate criminal liability if the company had an effective crime prevention programme in place before the offence was committed. The problem is that many companies manage these obligations in a fragmented way: one consultancy for GDPR, one law firm for criminal compliance, a technology platform for the whistleblowing channel, and nobody checking whether the four programmes are coherent with each other. This fragmentation generates documentary duplication, contradictory policies, unnecessary costs, and — most critically — invisible compliance gaps. The whistleblowing channel processes personal data and needs its own record of processing activities compliant with GDPR. Criminal compliance requires a channel for reporting irregularities. AML prevention needs internal policies that do not contradict data protection policies. Everything is interconnected.

Our solution

BMC offers an integrated compliance service for SMEs that brings all four obligations under one provider and a single point of contact. We design the compliance programme as a coherent system in which internal policies, procedures and documentation do not duplicate but complement each other. A single external compliance officer coordinates all four areas, knows the company in depth, and ensures there are no contradictions between the different programmes. The integrated approach not only reduces the total cost of compliance — we estimate savings of 30% to 50% compared with engaging the four services separately from different providers — it also produces a higher-quality compliance programme, because the different elements are designed in a coordinated way from the outset. We also include an annual compliance audit that reviews the status of all programmes and updates documentation in response to regulatory changes.

Process

How we do it

1

Multi-disciplinary compliance audit

We begin the engagement with a cross-cutting audit that analyses the current state of compliance across all four areas: GDPR (records, processor agreements, privacy policy, legal bases), AML where applicable, whistleblowing channel and criminal compliance. We deliver a gap report prioritised by risk level and a coordinated action plan.

2

Design of the integrated programme

We design the compliance programme as a single system: coherent internal policies, a code of ethics that serves as the foundation for all programmes, a staff training system that covers all areas simultaneously, and a documentary structure that avoids duplication. The whistleblowing channel is integrated with criminal compliance and GDPR from the outset.

3

Coordinated implementation and training

We implement all programmes in a coordinated manner, managing timelines and internal communications. We train staff in a single annual session covering all four areas in an integrated way, with differentiated materials by level of responsibility. We document training attendance for each employee.

4

External compliance officer and annual audit

We act as the company's external compliance officer: we are the single point of contact for any compliance matter, manage incidents as they arise, and conduct the annual audit that verifies the status of all programmes and updates documentation in response to regulatory or business changes.

4 in 1
GDPR + AML + whistleblowing channel + criminal compliance
'50'
Employees: threshold that triggers all obligations
up to 50%
Estimated saving versus separate providers

We had GDPR with one firm, a recently installed whistleblowing channel with another, and criminal compliance half-finished with our lawyer. BMC unified everything, identified three serious contradictions between our policies that nobody had spotted, and now we have a coherent programme with a single point of contact. Total cost fell by 35% and we sleep much better. (anonymised case)

Marta Sánchez Prieto Managing Director, Grupo Esparza Distribución, SL

The regulatory accumulation facing mid-sized companies

Spanish companies with between 50 and 250 employees find themselves at the epicentre of an unprecedented accumulation of regulatory obligations. This is not a single new law to absorb: over the past five years, four major regulatory frameworks have simultaneously come into force or intensified, applying independently yet sharing the same operational space within the company.

GDPR and the LOPDGDD have been in force since 2018, but the AEPD (Spanish Data Protection Authority) has significantly increased its enforcement activity over the past three years. Records of processing activities, processor agreements, impact assessments and privacy policies are not documents written once: they require continuous maintenance.

Ley 2/2023 on whistleblower protection required companies with 50 or more employees to have an operational internal reporting channel in place by 1 December 2023. Companies that do not have one are in active non-compliance, with fines that can reach 1 million euros for the most serious infringements.

The criminal compliance programme under Article 31 bis of the Penal Code (art. 31 bis del Código Penal) is not formally mandatory in the strict sense, but its absence has devastating consequences: if a director or employee commits an offence in the course of their duties for the benefit of the company, the company faces criminal liability unless it can demonstrate that it had an effective and operational crime prevention model in place before the event. The programme cannot be created after the problem has arisen.

AML prevention (prevención del blanqueo de capitales) under Ley 10/2010 applies to entities classified as obliged entities, a category that covers more sectors than many companies realise: real estate agencies, advisory firms, wealth managers and company service providers, among others.

Why fragmentation between providers is the biggest mistake

The typical response of mid-sized companies to the regulatory wave is to engage a different provider for each obligation: a digital consultancy for GDPR, the usual law firm for criminal compliance, a SaaS platform for the whistleblowing channel, and perhaps nobody for AML prevention because they are unsure whether it applies.

This fragmentation generates three critical problems that rarely become visible until an incident occurs.

Documentary contradictions: The whistleblowing channel collects personal data on informants and persons reported. That data requires its own legal basis, its own record of processing activities and its own retention periods. If the channel provider does not communicate with the GDPR DPO, inconsistent policies are almost inevitable.

Invisible gaps: Each provider knows their piece. Nobody reviews the whole. Criminal compliance requires an internal reporting channel to report irregularities to the supervisory body of the model. If the whistleblowing channel was set up by a different provider as a purely employment channel under Ley 2/2023 and is not integrated with the criminal model, there is a gap that nobody has detected.

Unnecessarily high cost: Staff training on GDPR, criminal compliance and the whistleblowing channel can be delivered in an integrated way in a single annual session. With three providers, three separate sessions are delivered with overlapping content that confuses employees.

BMC’s integrated model

BMC’s integrated compliance offering begins with a cross-cutting diagnostic that analyses the current state of compliance across all four areas simultaneously. The result is a single report that prioritises gaps by risk level and proposes a coordinated implementation plan.

The programme is designed as a system: a single code of ethics that serves as the foundation for all programmes, internal policies that cross-reference each other coherently, a whistleblowing channel that simultaneously meets the requirements of Ley 2/2023 and the needs of the criminal model, and an annual training structure that covers all areas in a single session differentiated by level of responsibility.

BMC acts as the company’s external compliance officer: we are the single point of contact for any compliance matter, manage incidents as they arise (data breach, received report, regulatory inspection, preliminary criminal investigation), and conduct the annual audit of all programmes.

The economic case for unified compliance

Engaging GDPR with a specialist consultancy, criminal compliance with a criminal law firm, the whistleblowing channel with a technology platform and AML prevention with an independent adviser can amount to a total annual cost of between 15,000 and 30,000 euros for a company of 100 employees, not counting training duplication and the internal management time required to coordinate four providers.

BMC’s integrated compliance service for a company of equivalent size ranges from 8,000 to 15,000 euros per year (including initial implementation in the first year), with a single point of contact, a coherent programme, and an annual audit included. The difference is not only economic: it is also the difference between having a compliance programme that functions as a system and having four documents that nobody has read in their entirety.

Corporate criminal liability: what Article 31 bis of the Penal Code requires

The regime of criminal liability of legal persons, introduced in Spain with the Penal Code reform of 2010 and extended in 2015, establishes that a company may be held criminally liable for certain offences committed by its directors or employees for the company’s benefit. Consequences include fines of up to twice the benefit obtained, dissolution of the company, disqualification from contracting with the public sector, and closure of establishments.

Article 31 bis of the Penal Code establishes two circumstances that can fully exonerate the company from criminal liability: that the offence was committed by fraudulently circumventing the model’s controls, or that the prevention model was designed and implemented in a manner adequate and sufficient to prevent the type of offence committed. But the model must exist and be operational before the criminal act occurs. Creating the criminal compliance programme after a problem has arisen is legally irrelevant to that case.

The criminal compliance programme under Article 31 bis must include, as a minimum: identification of offences that could be committed within the company’s activities (criminal risk map), protocols and controls for each risk category, a channel for reporting irregularities accessible to employees and third parties, a supervisory body with sufficient autonomy to oversee the programme, and a system for staff training and communication.

The whistleblowing channel as a cross-cutting obligation

Ley 2/2023, of 20 February, on the protection of persons reporting regulatory infringements and combating corruption — transposing Directive (EU) 2019/1937 (the Whistleblowing Directive) — requires companies with 50 or more employees to have an internal reporting system (canal de denuncias) in place, with guarantees of confidentiality and informant protection.

The channel is not merely an anonymous email inbox: the law requires that the system guarantee the confidentiality of the informant’s identity, that there be a communications manager adhering to the established deadlines (acknowledgement of receipt within 7 days, resolution within 3 months), that persons under investigation have basic procedural guarantees, and that the entire process be compatible with GDPR (with legal basis, retention periods and restricted access).

Sanctions for failing to implement the channel can reach 1 million euros for the most serious infringements (retaliation against informants), and between 100,001 and 600,000 euros for failure to implement the system or serious non-compliance. The regulation also expressly prohibits employment retaliation against those who use the channel, with the burden of proof reversed in the informant’s favour.

Data protection as a cross-cutting pillar of compliance

GDPR is not simply a privacy formality: it permeates all other compliance programmes. The whistleblowing channel processes sensitive personal data requiring a specific legal basis (legitimate public interest, Article 6.1.e GDPR), limited retention periods and enhanced security measures. The criminal programme identifies natural persons in risk maps and internal investigations. AML prevention collects and retains client identification data for ten years.

An integrated compliance programme resolves these interactions by design: it defines the legal bases for each processing activity, establishes retention periods consistent with the legal obligations of each programme, and ensures that the Data Protection Officer (or data protection adviser) is informed of any process changes affecting the processing of personal data. Without this coordination, a company may be complying with Ley 2/2023 while simultaneously breaching GDPR in the same process, or retaining compliance file data beyond the period permitted under data protection regulation.

FAQ

Frequently asked questions

It depends on your company's size and sector. GDPR applies to any company that processes personal data, with no size threshold. The whistleblowing channel has been mandatory for companies with 50 or more employees since December 2023. The criminal compliance programme is not formally mandatory, but its absence has severe consequences: if a director or employee commits an offence in the course of their duties, the company faces criminal liability unless it can demonstrate that it had an effective crime prevention model in place before the event. AML prevention is mandatory only for entities classified as obliged entities under Ley 10/2010, which depends on the activity.
Yes, and it is the most efficient option. A provider that knows the company in depth can design coherent internal policies, avoid documentary duplication, and ensure that the different programmes do not contradict each other. Fragmentation between providers creates a real risk: each provider sees only their piece and nobody has an overall view. At BMC we have specialist teams in data protection, criminal law, regulatory compliance and employment law who work in a coordinated manner under a single account manager for each client.
Crossing the 50-employee threshold automatically triggers the obligation to have a whistleblowing channel under Ley 2/2023: the company must implement an internal reporting system with the confidentiality and management guarantees established by law. It also triggers the equality plan (with pay audit), the obligation to constitute a works council, and enhanced obligations in occupational risk prevention. Many companies reach this threshold without realising it, especially when growth is gradual over several months.
For an SME of 80 employees in a sector without AML obligations (for example, a technology services company or an industrial distributor), the integrated compliance service covering GDPR, whistleblowing channel and criminal compliance typically involves an initial implementation cost of between 8,000 and 15,000 euros, depending on the starting position and the complexity of the corporate structure. Subsequent annual maintenance, which includes updating documentation, annual staff training, and the compliance audit, typically ranges from 3,500 to 6,000 euros per year. These amounts are significantly lower than the cost of engaging three separate specialist providers.
Compliance for corporate groups with multinational presence requires additional analysis, particularly regarding data protection (international transfers, standard contractual clauses) and the whistleblowing channel (the possibility of a group-level shared channel, handling of cross-border reports). BMC can manage group-level compliance at the Spanish level and coordinate with local advisers in other jurisdictions where the group operates. Subsidiaries outside the EEA have their own AML and data protection obligations that may differ from the Spanish framework.
Compliance programmes are not static documents. GDPR requires records of processing activities to be reviewed when data processing changes, and processor agreements to be updated when providers change. Criminal compliance must be updated when the corporate structure, type of activity or management team changes. The whistleblowing channel requires maintenance when reports are received that generate internal precedent or when regulation changes. BMC conducts a formal annual audit of all programmes and incorporates the necessary updates as part of the maintenance service.

Speak with a specialist

Complimentary first call. No commitment. Response within 1 hour during office hours.

Free first consultation 30 minutes with a specialist in your area
Fixed quote before we start No surprises, no success fees
Registered tax agent Electronic filing of all tax returns

4.8/5 · Data processed in the EU · GDPR · No commitment

Frequently asked questions

Questions about Integrated SME Compliance: GDPR, AML and Criminal Liability | BMC

It depends on your company's size and sector. GDPR applies to any company that processes personal data, with no size threshold. The whistleblowing channel has been mandatory for companies with 50 or more employees since December 2023. The criminal compliance programme is not formally mandatory, but its absence has severe consequences: if a director or employee commits an offence in the course of their duties, the company faces criminal liability unless it can demonstrate that it had an effective crime prevention model in place before the event. AML prevention is mandatory only for entities classified as obliged entities under Ley 10/2010, which depends on the activity.
Yes, and it is the most efficient option. A provider that knows the company in depth can design coherent internal policies, avoid documentary duplication, and ensure that the different programmes do not contradict each other. Fragmentation between providers creates a real risk: each provider sees only their piece and nobody has an overall view. At BMC we have specialist teams in data protection, criminal law, regulatory compliance and employment law who work in a coordinated manner under a single account manager for each client.
Crossing the 50-employee threshold automatically triggers the obligation to have a whistleblowing channel under Ley 2/2023: the company must implement an internal reporting system with the confidentiality and management guarantees established by law. It also triggers the equality plan (with pay audit), the obligation to constitute a works council, and enhanced obligations in occupational risk prevention. Many companies reach this threshold without realising it, especially when growth is gradual over several months.
For an SME of 80 employees in a sector without AML obligations (for example, a technology services company or an industrial distributor), the integrated compliance service covering GDPR, whistleblowing channel and criminal compliance typically involves an initial implementation cost of between 8,000 and 15,000 euros, depending on the starting position and the complexity of the corporate structure. Subsequent annual maintenance, which includes updating documentation, annual staff training, and the compliance audit, typically ranges from 3,500 to 6,000 euros per year. These amounts are significantly lower than the cost of engaging three separate specialist providers.
Compliance for corporate groups with multinational presence requires additional analysis, particularly regarding data protection (international transfers, standard contractual clauses) and the whistleblowing channel (the possibility of a group-level shared channel, handling of cross-border reports). BMC can manage group-level compliance at the Spanish level and coordinate with local advisers in other jurisdictions where the group operates. Subsidiaries outside the EEA have their own AML and data protection obligations that may differ from the Spanish framework.
Compliance programmes are not static documents. GDPR requires records of processing activities to be reviewed when data processing changes, and processor agreements to be updated when providers change. Criminal compliance must be updated when the corporate structure, type of activity or management team changes. The whistleblowing channel requires maintenance when reports are received that generate internal precedent or when regulation changes. BMC conducts a formal annual audit of all programmes and incorporates the necessary updates as part of the maintenance service.
Email
Contact