Does the Spanish Whistleblower Protection Act have an impact on the protection of personal data in your company?

 

If your company has more than fifty employees, the answer is YES.

The new Spanish Act 2/2023 regulates the protection of persons who report infringements and the fight against corruption (hereinafter, the Whistleblower Protection Act), and transposes Directive (EU) 2019/1937 of the European Parliament, on the protection of persons who report breaches of Union law (commonly known as the Whistleblowing Directive). It aims to take a further step in the culture of corporate reporting and compliance in order to prevent and detect certain threats to the public interest.

It establishes, on the one hand, the protection of natural persons who, in a work or professional context, report irregular practices committed by public or private entities and, on the other, the requirements and guarantees that the mechanisms for communicating this information (whistleblowing channels) of companies and other obliged public bodies must comply with.

In accordance with this regulation, companies are obliged to approve whistleblower protection policies and implement internal information protocols, making available to whistleblowers mechanisms for communicating, within the company itself, information on irregular practices of which they are aware, always guaranteeing the application of whistleblower rights and the protection measures established.

Every company with fifty or more employees is obliged to have an internal information system in force; the deadline for its establishment is 1 December 2023. Regardless of the number of employees, the following entities are also obliged to implement the system: companies within the scope of European Union law on financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection; political parties, trade unions, business organisations and foundations that receive or manage public funds; and public administrations.

Legal entities shall be deemed to be included if, although not domiciled in Spain, they carry out activities in Spain through branches or agents or by providing services without a permanent establishment.

Regarding the processing and the protection of personal data, the duties established in the Whistleblower Protection Act must comply with the principles of the General Data Protection Regulation (GDPR) and Spanish Act 3/2018, on Personal Data Protection and guarantee of digital rights (LOPDyGDD). It is therefore necessary to review and update privacy policies and the records of processing activities of the entities in terms of data protection.

If you are interested in further information, please do not hesitate to contact us, and one of our specialised lawyers in this area will be pleased to help you.