The Law regulating the protection of people who report regulatory infractions and the fight against corruption has been definitively approved

The Law regulating the protection of people who report regulatory infractions and the fight against corruption has been definitively approved

The Law regulating the protection of people who report regulatory infractions and the fight against corruption will be a reality in the coming days after being definitively approved last week in the Congress of Deputies. This regulation is a consequence of the well-known Whistleblower Directive (EU DIRECTIVE 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 October 2019 on the protection of persons who report infringements of Union law).

The Whistleblower Directive seeks guarantee transparency and combat corruption in both the public and private spheres. Article 26 of the aforementioned Directive established that the Member States would put into force the legal, regulatory and administrative provisions necessary to comply with the provisions of said Directive no later than December 17, 2021. The case of Spain has been particularly due to its great delay in approving the regulations in its legal system. The delay has been so great that the European Commission announced days ago that it will take Spain and other Member States before the Court of Justice of the European Union (CJEU) for failing to meet the deadlines to incorporate into national legislation the European Directive on the protection of whistleblowers who report on corruption or fraud.

The important thing is that more than a year after the deadline to transpose the Whistleblower Directive, Spain has definitively approved its bill in the Congress of Deputies, a law that will be published and will come into force 20 days after its publication in the Official State Gazette (BOE). The purpose of this regulation is to provide adequate protection against retaliation that may be suffered by natural persons who report any of the actions or omissions.

It also aims to strengthen the information culture, the integrity infrastructures of organizations and the promotion of the information or communication culture as a mechanism to prevent and detect threats to the public interest.

The law will apply to and protect informants who work in the private or public sector and who have obtained information about violations in a work or professional context, including in all cases:

• People who have the status of public employees or self-employed workers.
• The self-employed.
• Shareholders, participants and persons belonging to the administrative, management or supervisory body of a company, including non-executive members.
• Any person who works for or under the supervision and direction of contractors, subcontractors and suppliers.

It must be remembered that this law will apply to informants who communicate or publicly reveal information about infractions obtained within the framework of an employment or statutory relationship that has already ended, volunteers, interns, workers in training periods, regardless of whether or not they receive remuneration. , as well as those whose employment relationship has not yet begun, in cases where information about infractions has been obtained during the selection or pre-contractual negotiation process.

COMPLAINTS CHANNEL. Title II of the law regulates the well-known “Complaints Channel” or, as it is literally called, “Internal Information System.” The Internal Information System will be the preferred channel for reporting actions or omissions, provided that the infraction can be dealt with effectively and if the complainant considers that there is no risk of retaliation. Before its implementation, it will be carried out after consulting the legal representation of the workers. Several issues related to the Whistleblowing Channel:

• The Internal Information System will be managed securely, so that the confidentiality of the identity of the informant is guaranteed and any third party mentioned in the communication, and the actions carried out in the management and processing of the same, as well as data protection, preventing access by unauthorized personnel.

• You must have a policy or strategy that states the general principles regarding internal information systems and defense of the informant and that it is duly publicized within the entity or organization.

• Have a procedure for managing the information received.

• Allow the presentation of communications in writing or verbally, or both ways.

• This Internal Information System may be managed by a third party. This management will require that it offer adequate guarantees of respect for independence, confidentiality, data protection and the secrecy of communications. You must have a Data Processing Contract in accordance with the provisions of article 28 of the RGPD 2016/679.

• When making the communication, the informant may indicate an address, email or safe place for the purpose of receiving notifications.

• As he appointment as dismissal of the individual individual designated to manage the Internal Information System, as well as the members of the collegiate body, must be notified to the Independent Whistleblower Protection Authority.

• Inside of the PRIVATE SECTOR, MUST HAVE AN INTERNAL INFORMATION SYSTEM: natural or legal persons in the private sector who have cFifty or more workers hired, lthe poli partieslawyers, unions, business organizations and foundations created by each other, provided they receive or manage public funds.warlike. Finally, legal entities in the private sector that fall within the scope of application of the acts of the European Union on services, products and financial markets, prevention of money laundering or financing must also have this Channel. of terrorism, transport security and environmental protection

DATA PROTECTION OFFICER. Finally, after passing through the Senate, the obligation to have a Data Protection Delegate will not be mandatory for all those entities obliged to have the so-called Whistleblowing Channel. In the approved bill, specifically in its article 34 it defines that “in accordance with the provisions of article 37.1.a) of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, the Independent Authority for the Protection of Informants, AAI, and the independent authorities that If they are established, they must appoint a data protection delegate.”

INDEPENDENT AUTHORITY FOR THE PROTECTION OF INFORMANTS (AAI). Title III regulates the Independent Authority for the Protection of Informants, AAI, which establishes that any natural person may report to said authority or to the corresponding authorities or autonomous bodies, the commission of any actions or omissions of the law, whether directly or after communication through the corresponding internal channel.

Once any person has filed their complaint, they will be registered and assigned an identification code. The Information Management System will be contained in a secure database with access restricted exclusively to staff of the Independent Whistleblower Protection Authority, AAI.

Once the complaint is registered, a prior analysis will be carried out and a decision will be made, within a period of no more than 10 business days, whether or not to admit said complaint for processing. The admission for processing will be communicated to the informant within the following five business days, unless the communication was anonymous or the informant had renounced receiving communications from the Independent Authority for the Protection of Informants, AAI. The period to complete the actions and respond to the informant, if applicable, may not exceed three months from the entry of the information into the registry.. Whatever the decision, it will be communicated to the informant, unless he or she has waived it or the communication is anonymous.

Don't miss all the news about compliance and data protection from the best professionals in the sector in our Master in Compliance and Data Protection Management