On 4 March 2022, the Government approved the Draft Law on the protection of persons who report infringements of regulations and the fight against corruption, aimed at transposing Directive (EU) 2019/1937 on whistleblowers’ protection (the “Draft Law“).
The Draft Law arrives once the term for implementing the Directive by the Member States has elapsed – it ended on 17 December 2021. The introduction of this regulation seeks to protect the general interest through citizen collaboration and, in particular, through the following objectives:
1) to guarantee the protection of citizens who report violations of the legal system, both European Union and domestic, which affect the general interest; and
2) to establish minimum standards for communication channels.
The Draft Law applies to informants, both from the private and public sectors, who have obtained information about infractions in a work or professional context. That is employees, freelancers, shareholders or directors, people who follow orders from contractors and suppliers, etc. But also to people already separated from a company, or whose relationship with the company has not yet begun (for violations known during the selection process), interns, etc.
Notwithstanding the foregoing, the informant’s protection measures provided for in the Draft Law also extend to (a) natural persons who assist the informant within an organization; (b) individuals related to the informant and who may suffer reprisals (co-workers, family members); and (c) legal entities where the informant has significant ownership, among others.
As for the obligated subjects by the Draft Law, in the private sector these will mainly be (without prejudice to the application of specific regulations to certain companies considering the sector in which they operate) natural persons or companies with more than 50 employees. Companies that are not obliged may voluntarily establish their internal information system. If established, this internal system must meet the requirements outlined in the Draft Law.
The Draft Law includes a series of obligations that should be highlighted:
- The obligated subjects in the private sector will be under an obligation to have an internal information system, which is the “preferential channel” to report. However, the Draft Law admits that companies with more than 50 workers but less than 250, may share the internal information system and the resources intended to manage and process communications. In the case of groups of companies, a System Manager and a common internal information system may be established for the entire group or one for each company. In the public sector, the obligation applies to all types of entities, regardless of the number of workers.
- The internal information system will comprise one or several complaint channels. The system as a whole must, inter alia: (i) be designed and managed securely, guaranteeing the confidentiality of the informant’s identity, as well as the status of subsequent actions; (ii), have a person responsible for the system; (iii) have a policy on internal system to provide information to and defence of the informant, duly disseminated within the company; (iv) allow complaints to be made both in writing and verbally (in the latter case they must be documented), (v) allow anonymous complaints or with reservation of the identity of the complainant. The system should be reviewed at least every three years.
- As for the person in charge of the system, this may be a natural person or a collegiate body. It shall be designated by the management or governing body of the entity and notified to the Independent Authority for the Protection of Informants (a new body introduced by the Draft Law).
- The management of the system may be carried out by the entity itself or by a subcontracted external third party. The external third party must offer adequate guarantees in terms of respect for independence, confidentiality, data protection, and secrecy.
- The person in charge of the system must approve a communications management procedure. Among others, this policy must determine the maximum duration of the investigative actions, which may not exceed three months from receipt of the communication.
- Obligated subjects must provide adequate, clear, and easily accessible information on the use of the internal information channels implemented, as well as on the essential principles of the communications management procedure. This information must appear on the home page, in a separate and easily identifiable section.
- Obligated subjects must keep a record book of the communications received and of the internal investigations carried out, although this record will not be public and access will only be allowed upon reasoned request of the competent judicial authority, within the framework of a judicial proceeding. Data will not be kept for a period exceeding 10 years.
- The Draft Law prohibits any type of retaliation adopted within 2 years after the end of the investigation or public disclosure, and includes new measures guarantee the protection of the informant:
- Independent, accessible and free information and advice on procedures and resources available to protect against retaliation and on the informant’s rights.
- Exemption of informants from liability for breach of disclosure restrictions if the disclosure was necessary to disclose a violation. Criminal responsibilities remain.
- Effective assistance in protection against retaliation.
- Right not to have your identity disclosed to third parties.
The protection does not extend to those who publicly disseminate the information, except for failures or limitations in internal and external channels, or if there is an imminent or manifest threat to the public interest.
- The Draft Law guarantees protection of the offender’s personal information while his file is being processed and it regulates the possibility of his or her participation in leniency programs, by collaborating with the Administration before being notified of the initiation of the procedure.
- On another note, in terms of data protection, the subjects caught by the Draft Law (as well as, where appropriate, the external engaged third parties) that are not obliged to have a data protection officer pursuant to Regulation (EU) 2016/679 must appoint one to oversee the data processing foreseen by the Draft Law, including the internal communications system. Likewise, the Draft Bill establishes the lawful grounds for processing of the collected data, either based on compliance with a legal obligation or based on public interest.
The Draft Law foresees creation of an Independent Authority for the Protection of Informants, endowed with autonomy and organic and functional independence from the Government and the public sector, to guarantee the effectiveness of protection measures for informants. This institution will be endowed with sanctioning power. In addition, this institution will have an external reporting channel that can be used if no other external channels are available.
Given the foregoing, and if the Draft Law is finally approved in the same or similar terms, it will be essential that the obligated subjects have internal information systems, and that these meet all the conditions and guarantees established in the Draft Law. Regarding the application dates, the obligated subjects must implement internal information systems within three months from the entry into force of the regulation (or adapt the existing ones within six months); companies with less than 250 workers will be able to do so until 1 January 2023.