Whistleblowing Channel: Law 2/2023 Compliance Made Simple

Spain's whistleblowing framework is established by Law 2/2023 of 20 February on the Protection of Persons who Report Regulatory Infringements and the Fight against Corruption, which transposed EU Directive 2019/1937 on whistleblower protection. Law 2/2023 requires private companies with 50 or more employees, public entities, and all companies operating in financial services regardless of size to implement an Internal Information System (Sistema Interno de Información, SII) with specific requirements: a confidential and optionally anonymous reporting channel, a designated responsible person (Responsable del Sistema), acknowledgement within 7 days, a substantive response within 3 months, anti-retaliation protections for reporters, and coordination with GDPR obligations for personal data processed through the channel. Non-compliant organisations face sanctions of up to EUR 1 million for serious infringements.

Our team combines expertise in regulatory compliance, employment law, and data protection to implement whistleblowing systems that function in practice — not only on paper.

The Gap Between Having a Channel and Being Compliant

Law 2/2023, transposing EU Directive 2019/1937 into Spanish law, establishes a comprehensive framework for whistleblower protection that extends far beyond enabling a contact form. The law requires a structured Internal Information System with a formally designated responsible person, statutory processing deadlines, genuine confidentiality guarantees, and effective protection against retaliation. Organisations that have installed a generic inbox or a third-party whistleblowing tool without structuring the system around it are technically non-compliant — and potentially exposed to sanctions reaching EUR 1 million.

Designing a System That Works Under Pressure

The first step in any implementation is system design. A 60-employee manufacturing company and a 5,000-employee financial services group require fundamentally different architectures. We analyse the organisational structure, risk profile, and corporate culture to recommend whether the channel should be managed internally by the designated responsible person or outsourced to an independent third party. Outsourcing typically provides greater perceived credibility for potential whistleblowers — a critical factor in whether employees actually use the system — and removes the conflict-of-interest concerns that arise when the channel is managed internally.

Integration with Criminal Compliance

The relationship between a whistleblowing channel and a criminal compliance programme is direct and legally significant. Spanish courts have confirmed that a functional internal reporting system is one of the elements they examine when assessing whether a legal entity’s compliance programme should have exculpatory effects on criminal liability. A channel that exists on paper but generates no investigations and no corrective measures will not satisfy this standard. We design the investigation protocol to produce the documented evidence trail that compliance programmes require.

GDPR Considerations Specific to Whistleblowing

The processing of personal data in whistleblowing systems presents specific challenges that require close coordination with the Data Protection Officer. The AEPD has issued specific guidance on impact assessments for these systems, retention periods for data relating to both whistleblowers and reported individuals, and the limits of the reported person’s right to information when it could compromise the investigation. We integrate all of these requirements from day one, avoiding the retroactive GDPR remediation that many organisations face after deploying their channels without adequate data protection planning.