Spain's whistleblower law, the Ley 2/2023

Ley 2/2023, of 20 February, is Spain's whistleblower law. It protects people who report breaches and helps fight corruption. It brings EU Directive 2019/1937 into Spanish law. The law has been in force since 13 March 2023. It sets clear duties for companies and public bodies. Below we explain who it covers, what you must prepare, and what the fines are.

Key facts

  • It applies to private companies with 50 or more workers and to the whole public sector.
  • You must set up an internal reporting system and appoint a System Officer.
  • You confirm a report within 7 days and reply within 3 months at most.
  • Anonymous reports are allowed, and the burden of proof falls on whoever acts against the whistleblower.
  • Fines reach up to 1,000,000 € for companies in the worst cases.

Who must comply with Ley 2/2023?

In the private sector, the duty starts at 50 people. Every company with 50 or more workers must have an internal reporting system. Firms in regulated sectors, such as finance, are covered whatever their size.

In the public sector the duty covers everyone. It reaches central government, the regions, and all local bodies. The EU Directive let towns under 10,000 people opt out, but Spain dropped that exemption. It also covers political parties, trade unions, employer groups, and their foundations when they handle public money.

Small firms and small towns got more time. The general rule gave 3 months from the day the law took effect to set up the system. Private firms with fewer than 250 workers and towns under 10,000 people could wait until 1 December 2023. Firms with 50 to 249 workers can also share tools and staff to handle reports.

How do you set up the internal reporting system?

The internal channel is the first port of call. The law asks you to use it first when the breach can be solved inside the firm and there is no risk of payback. It must be open to workers, the self-employed, interns, and others linked to the firm.

The system has to meet several rules:

  • allow reports in writing, by voice, or both;
  • accept and handle anonymous reports;
  • keep the whistleblower and any named third parties confidential;
  • appoint a System Officer who works on their own and free from pressure;
  • keep a logbook of the reports, which stays private for up to 10 years;
  • process data under the GDPR and Spanish data protection rules.

The System Officer is a key role. The entity's board appoints them. Their hiring and removal must be reported to the Independent Whistleblower Protection Authority (A.A.I.) within 10 working days. They do their job without taking orders from other bodies.

The law sets strict deadlines. You must confirm the report within 7 calendar days. You must reply to the whistleblower within 3 months. Hard cases can run another 3 months.

The procedure is not the same as the tool. The channel sets out the process. But the full system must be reliable, keep data safe, and control who can see it. Wemoral, as a whistleblowing system, meets those needs. It lets you roll it out without building a tool from scratch. If you start from zero, we help you with a whistleblowing policy template and a guide to set up the system.

What breaches can be reported?

The law covers a wide range of issues. Through the internal system or the external channel you can report:

  • breaches of European Union law under Directive 2019/1937, such as those that hurt the single market or the EU's money;
  • serious or very serious criminal or administrative breaches of Spanish law;
  • above all, those that cost the Treasury or Social Security money.

Some matters are left out. The law does not cover classified information, the professional secrecy of doctors and lawyers, the secrecy of court rulings, or health and safety at work. Other sectors with their own rules are also left out.

Who can be a whistleblower?

Not just the worker on the payroll. A whistleblower is anyone who reports or makes public a breach they learned about through work. We explain it in full in our piece on who is a whistleblower. Under the law, it can be:

  • the public employee or salaried worker;
  • the self-employed person;
  • the partner and members of the board or management;
  • anyone working for contractors, subcontractors, and suppliers;
  • the volunteer, intern, and trainee;
  • the job candidate who got the information during the hiring process;
  • the former worker, even after the job has ended.

Protection also reaches workers' reps and close contacts who may be punished for it, such as family or colleagues.

How is the whistleblower protected?

The law's main aim is to protect against retaliation. Protection starts from the report or public disclosure. There is one condition. The whistleblower must have had fair reason to believe the information was true at the time, and that it fell within the law.

Ban on retaliation

The list of reprisals is open-ended. It includes dismissal, a suspended or non-renewed contract, demotion, blocked promotions, a big change to working terms, harm to your name or your wallet, coercion, threats, harassment, freeze-outs, blacklists, or denied training. The ban also covers the threat or attempt to do any of this.

Acts of retaliation are void from the start. The law strips them of effect. They can lead to fixes, discipline, and, where it applies, payment for the harm caused.

Reversal of the burden of proof

The whistleblower does not have to prove the retaliation. Once they show they reported by the book and were harmed, the harm is taken to be retaliation. It is up to the other side to prove otherwise.

"Once the whistleblower has reasonably shown that they have reported or made a public disclosure in line with this law and that they have suffered harm, the harm shall be presumed to have occurred as retaliation for reporting. In such cases, it shall fall to the person who took the harmful measure to prove that the measure was based on duly justified grounds unrelated to the report."
Article 38.4 of Ley 2/2023, of 20 February

Reporting routes

The law sets out three routes to report the same breach:

| Route | To whom | When |
|---|---|---|
| Internal channel | To the entity's internal reporting system | Preferred route when it can be solved inside the organisation |
| External channel | To the Independent Whistleblower Protection Authority (A.A.I.) or the regional authorities | You can go straight to it, without using the internal channel first |
| Public disclosure | To the public, for example the media | Only under the conditions of Article 28 of the law |

The A.A.I. runs the external channel. It is a state-level watchdog that works on its own. It confirms a report within 5 working days. It decides whether to take it on within 10 working days. It wraps up the case within 3 months. Public disclosure is only protected in three cases: the earlier channels did not act in time, there is a clear and pressing danger to the public, or the external channel would not work.

What fines does the law set?

The fines are tough. They depend on how serious the breach is. They also depend on whether the guilty party is a person or a company.

| Breach | Natural person | Legal entity |
|---|---|---|
| Minor | 1,001 € - 10,000 € | Up to 100,000 € |
| Serious | 10,001 € - 30,000 € | 100,001 € - 600,000 € |
| Very serious | 30,001 € - 300,000 € | 600,001 € - 1,000,000 € |

Retaliation and the lack of a channel are very serious breaches. So is leaking who the whistleblower is, or even trying to. In these cases, the A.A.I. can add a public warning, a ban on grants for up to 4 years, and a ban on public contracts for up to 3 years.

The worst sanctions are made public. Fines of 600,001 € or more on companies can appear in the Official State Gazette once they are final. Very serious breaches lapse after 3 years, serious ones after 2, and minor ones after 6 months.

Ley 2/2023 is already in full force. So the bodies it covers should have their internal reporting channel ready. To see how it fits with the rest of Europe, browse our list of whistleblowing laws by country. The sooner you set up the system, the lower the risk of fines.

Damian Sawicki

Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.
