1.- INTRODUCTION
Citizen collaboration is an element of the democratic system that is essential for the effectiveness of the Law. One of its most important manifestations is collaboration to ensure the proper functioning of public and private institutions. This is reinforced by the duty of collaboration that is established for every citizen when they witness the commission of a crime, according to the criminal procedural provisions, as well as the possibility of participating in public actions with the aim of promoting research into actions that are contrary to public interests in various regulated sectors, such as urban planning, the environment and historical heritage. At a European level, sectoral regulations have been established that incorporate specific instruments so that those who know of irregular or illegal actions can provide useful data and information to supervisory bodies. Along with all this, there are also examples of civic actions that warned of the existence of irregular practices and corruption, which have allowed to promote investigations and, if necessary, the eventual prosecution and conviction. However, these civic and collaborative behaviors of citizens have often generated unfavorable consequences for those who have carried them out. As a result, Law 2/2023, of February 20, was drafted, regulating the protection of people who report regulatory violations and the fight against corruption. This regulation, which transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting on breaches of Union law (known as the “Whistleblowing Directive”), was drawn up with the intention of protecting these whistleblowers, establishing procedural obligations for companies and public institutions, as well as guaranteeing the rights of whistleblowers and affected parties, including specific protection against retaliation that could be directed against whistleblowers as a result of the breaches or illegalities reported. GROUP SALTÓ, in its commitment to ethics, social responsibility and respect for the rights of its personnel, establishes the following information management procedure, which will operate in synergy with the adopted Compliance system, and expressly rejects any type of retaliation, including the threat of receiving it, against any of its members who make use of the Internal Information System.
2.- NEED FOR IMPLEMENTATION
Articles 10 to 12 of Law 2/2023, regarding the Internal Information System in the private sector, stipulate that the following will be required to have an Internal Information System:
A. Natural or legal persons in the private sector who have fifty or more employees.
B. Legal persons in the private sector that fall within the scope of the acts of the European Union in the field of financial services, products and markets, prevention of money laundering or terrorist financing, transport safety and environmental protection referred to in Parts I.B and II of the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, must have an Internal Information System that will be regulated by its specific regulations regardless of the number of employees they have. In these cases, Law 2/2023 will be applicable in what is not regulated by its specific regulations. Legal entities that, despite not having their domicile in national territory, carry out activities in Spain through branches or agents or through the provision of services without a permanent establishment will be considered included in the previous paragraph.
C. Political parties, unions, business organizations and foundations created by them, provided that they receive or manage public funds.
2.1.- Legal Entities Not Obliged Legal entities in the private sector that are not bound by the obligation to have an Internal Information System may establish their own Internal Information System, which must comply, in any case, with the requirements set forth in Law 2/2023.
2.2.- Groups of companies In the case of a group of companies, in accordance with article 42 of the Commercial Code, the parent company will approve a general policy relating to the Internal Information System and the defense of the informant, and will ensure the application of its principles in all the entities that make up it, without prejudice to the autonomy and independence of each company, subgroup or group of member companies that, where applicable, may establish the respective corporate governance or governance system of the group, and of the modifications or adaptations that may be necessary to comply with the regulations applicable in each case. The System Manager may be one for the entire group, or one for each member company of the same, subgroup or group of companies, in the terms established by the aforementioned policy. For its part, the Internal Information System may be one for the entire group. The exchange of information between the different Managers of the Group System, if any, will be admissible for the adequate coordination and better performance of their functions.
2.3.- Shared resources in the private sector Legal entities in the private sector that have between fifty and two hundred and forty-nine workers and that so decide, may share with each other the Internal Information System and the resources intended for the management and processing of communications, whether the management is carried out by any of them or if it has been outsourced, respecting in all cases the guarantees provided for in Law 2/2023.
3.- MATERIAL SCOPE: MATTERS THAT MAY BE COMMUNICATED
Law 2/2023, in article 2, protects natural persons who report: A. Any actions or omissions that may constitute breaches of European Union law provided that:
1. They fall within the scope of application of the European Union acts listed in the annex to Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, on the protection of persons reporting on breaches of Union law, regardless of the classification of the same by the internal legal system, these being the following:
– Public procurement. – Financial services, products and markets and prevention of money laundering and terrorist financing. – Product safety and conformity. – Transport safety. – Environmental protection. – Radiation protection and nuclear safety. – Food and feed safety, animal health and animal welfare. – Public health. – Consumer protection: Consumer rights and consumer protection. – Protection of privacy and personal data, and security of networks and information systems.
2. Affect the financial interests of the European Union as referred to in Article 325 of the Treaty on the Functioning of the European Union (TFEU).
3. Affect the internal market, referring to its consideration as an area without internal frontiers in which the free movement of goods, persons, services and capital is ensured, as referred to in Article 26(2) of the TFEU, including infringements of EU rules in matters of competition and aid granted by States, as well as infringements relating to the internal market in relation to acts that infringe the rules of corporate tax or with practices whose purpose is to obtain a tax advantage that distorts the object or purpose of the legislation applicable to corporate tax.
B. Actions or omissions that may constitute a serious or very serious criminal or administrative offence. In any case, all serious or very serious criminal or administrative offences that involve economic loss for the Public Treasury and for Social Security will be understood to be included. This protection will not exclude the application of the rules relating to criminal proceedings, including investigative proceedings. Furthermore, the protection for workers who report infringements of Labour Law in matters of health and safety at work is understood without prejudice to that established in its specific regulations. 3.1.- Matters excluded from the protection of this law
A. The protection shall not apply to information that affects classified information. Nor shall it affect the obligations resulting from the protection of the professional secrecy of medical and legal professionals, the duty of confidentiality of the Security Forces and Bodies in the scope of their actions, as well as the secrecy of judicial deliberations.
B. The provisions of this law shall not apply to information relating to infringements in the processing of procurement procedures that contain classified information or that have been declared secret or reserved, or those whose execution must be accompanied by special security measures in accordance with current legislation, or in which the protection of essential interests for the security of the State so requires.
C. In the event of information or public disclosure of any of the infringements referred to in Part II of the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, the specific regulations on reporting infringements in these matters will apply, these being those relating to: – Financial services, products and markets and prevention of money laundering and terrorist financing. – Transport security. – Environmental protection.
4.- PERSONAL SCOPE: PROTECTED SUBJECTS
Law 2/2023 indicates, in its article 3, that it will apply to:
A. Whistleblowers who work in the private or public sector and who have obtained information about violations in a work or professional context.
This classification will include, in any case,:
1. People who have the status of public employees or
workers for the account of others.
2. The self-employed.
3. Shareholders, participants and people belonging to the administrative, management or supervisory body of a company, including non-executive members.
4. Any person who works for or under the supervision and direction of contractors, subcontractors and suppliers.
B. It will also apply to:
1. Whistleblowers who communicate or publicly disclose information obtained within the framework of an employment or statutory relationship that has already ended.
2. Volunteers and Internships, workers in training periods regardless of whether they receive remuneration or not.
3. Those whose employment relationship has not yet begun, in cases where information on violations has been obtained during the selection process or pre-contractual negotiation.
4.1.- Subjects included in the protection
The whistleblower protection measures will also apply:
A. If applicable, specifically to the legal representatives of the workers in the exercise of their advisory and support functions to the whistleblower.
B. To natural persons who, within the framework of the organization in which the whistleblower provides services, assist the same in the process.
C. To natural persons who are related to the whistleblower and who may suffer retaliation, such as coworkers or relatives of the whistleblower.
D. To legal entities, for which they work or with which they maintain any other type of relationship in a work context or in which they have a significant participation.
For this purpose, it is understood that the participation in the capital or in the voting rights corresponding to shares or participations is significant when, due to its proportion, it allows the person who owns it to have the capacity to influence the legal entity in which it is invested.
5.- MANAGEMENT BY AN EXTERNAL THIRD PARTY
The management of the Internal Information System may be carried out within the entity or body itself or by going to an external third party; it being understood that the reception of information is considered management of the System.
The management of the system by an external third party will require, in any case, that this third party offers adequate guarantees of respect for independence, confidentiality, data protection and the secrecy of communications.
The existence of co-responsible for the processing of personal data requires the prior signing of the agreement regulated in article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights. The management of the Internal Information System by a third party will not entail a breach of the guarantees and requirements established by law, nor an attribution of responsibility different from that of the System Manager provided for in article 8 of Law 2/2023. The external third party will be considered the processor for the purposes of data protection regulations. The processing of data will be governed by the act or contract referred to in article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
To this end, the Internal Information System will be managed by DESCOMPLICA’T:
https://www.descomplicat.com/ca/denuncies.html
6.- MINIMUM CONTENT AND PRINCIPLES OF THE SYSTEM
The present information management procedure will respond to the following minimum content and principles:
A. Identification of Internal Information Channels to which they are associated.
B. Inclusion of clear and accessible information on external information channels to the competent authorities and, where appropriate, to the institutions, bodies or agencies of the European Union; being this:
At European level, there are several ways to report to different agencies, depending on the matter in question. To facilitate your complaint, the following link is provided:
https://european-union.europa.eu/contact-eu/make-complaint_es
At the state level, the Independent Whistleblower Protection Authority (A.A.I.) is contemplated, the creation of which is provided for in Law 2/2023, of February 20, and whose Statute was regulated in Royal Decree 1101/2024, of October 29.
Despite the above, the Authority as such is still pending creation, so it must be in the authorities created by the Autonomous Communities or, in those already existing ones to which functions relating to the Internal Information System have been attributed.
At the regional level, we find that not all the Autonomous Communities have decided to create or designate an authority to carry out the functions of External Channel.
Those that have done so are:
Anti-Fraud Office of Catalonia (OAC) antifrau.cat/es/investigacion/denuncia.html
Andalusian Anti-Fraud Office (OAAF) buzon.antifraudeandalucia.es/#/
Office for the Prevention and Fight against Corruption in the Balearic Islands (OAIB)
Agency for the Prevention and Fight against Fraud and Corruption of the Valencian Community (AVAF)
antifraucv.es/buzon-de-denuncias-2/
Office for Good Practices and Anti-Corruption of the Autonomous Community of Navarre (OANA)
oana.es/es/denuncia
C. Sending proof of receipt of the communication to the informant, within seven calendar days of its receipt, unless this could endanger the
confidentiality of the communication.
D. Determination of the maximum period for responding to the research actions, which may not exceed three months from the receipt of the communication or, if a receipt was not sent to the informant, three months from the expiration of the period of seven days after the communication was made, except in cases of special complexity that require an extension of the period, in which case, this may be extended up to a maximum of three additional months.
E. Provision of the possibility of maintaining communication with the informant and, if deemed necessary, of requesting additional information from the reporting person.
F. Establishment of the right of the affected person to be informed of the actions or omissions attributed to him, and to be heard at any time.
This communication will take place at the time and in the manner deemed appropriate to guarantee the successful completion of the research.
G. Guarantee of confidentiality when the communication is sent through reporting channels other than those established or to members of staff not responsible for its processing, who will have been trained in this matter and warned of the classification as a very serious infringement of its loss and, likewise, the establishment of the obligation of the recipient of the communication to send it immediately to the System Manager.
H. Requirement of respect for the presumption of innocence and the honor of the affected persons.
I. Respect for the provisions on the protection of personal data in accordance with the provisions of Title VI.
J. Immediate forwarding of the information to the Public Prosecutor’s Office when the facts could indicially constitute a crime. In the event that the facts affect the financial interests of the European Union, it will be forwarded to the
European Public Prosecutor’s Office.
7.- INTERNAL INFORMATION CHANNELS
Within the Internal Information System, any Internal Channel that an entity has for the presentation of information must be included, with respect to the infractions provided for in article 2 of Law 2/2023 and set out in the third section of this document, regarding the material scope of application.
In turn, the internal information channels may be enabled for the reception of any other communications or information outside the material scope established previously, but these will remain outside the scope of protection of Law 2/2023, according to its article 7.4.
The internal information channels will have the following characteristics and procedures:
A. The internal channel must allow for written or verbal communications, or both. The information may be provided in writing, by post or by any electronic means enabled for this purpose, or verbally, by telephone or through a voice messaging system. At the request of the informant, it may also be provided through a face-to-face meeting within a maximum period of seven days.
If applicable, the informant will be warned that the communication will be recorded and will be informed of the processing of their data in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
B. Furthermore, those who make the communication through internal channels will be informed, in a clear and accessible manner, about the external channels of information to the competent authorities and, where applicable, to the institutions, bodies or agencies of the European Union.
C. When making the communication, the informant may indicate an address, email address or safe place for the purpose of receiving notifications.
D. Verbal communications, including those made through face-to-face meetings, by telephone or through a voice messaging system, must be documented in one of the following ways, with the consent of the informant:
1. By recording the conversation in a secure, durable and accessible format, or
2. By means of a complete and accurate transcription of the conversation made by the staff responsible for processing it.
E. Without prejudice to the rights that correspond to them in accordance with the regulations on data protection, the informant will be offered the opportunity to check, rectify and accept the transcription of the conversation by signing it.
F. The Internal Information Channels will even allow the submission and subsequent submission of anonymous communications.
8.- RESPONSIBLE FOR THE INTERNAL SYSTEM
The administrative or governing body of each entity or body required to have an Internal Information System will approve the information management procedure.
This administrative or governing body will be competent for the designation of the natural person responsible for the management of this system or “System Manager” (RSII), and for his dismissal or termination.
The System Manager will be responsible for its diligent processing.
If it is chosen for the System Manager to be a collegiate body, it must delegate to one of its members the powers of management of the Internal Information System and processing of research files.
Both the appointment and the termination of the individually designated natural person, as well as the members of the collegiate body, must be notified to the Independent Authority for the Protection of the Informant, A.A.I., or, where applicable, to the competent authorities or bodies of the autonomous communities, within the scope of their respective powers, within the following ten working days, specifying, in the case of their termination, the reasons that have justified the same.
To this end, the Head of the Internal Information System designated is Blanca Rosell Cecilia.
The Head of the System must carry out their functions independently and autonomously with respect to the rest of the bodies of the entity or body, may not receive any kind of instructions in their exercise, and must have all the personal and material means necessary to carry them out.
In the case of the private sector, the System Manager, a natural person or the entity to which the responsible collegiate body has delegated its functions, will be a director of the entity, who will exercise his position independently of the administrative or governing body of the entity. When the nature or size of the entity’s activities do not justify or allow the existence of a System Manager, it will be possible to perform the ordinary functions of the position or position with those of the System Manager, trying in any case to avoid possible situations of conflict of interest. In entities or bodies in which there is already a person responsible for the regulatory compliance or integrity policy function, whatever its name, this person may be designated as System Manager, provided that it meets the requirements established in Law 2/2023.
9.- PUBLICITY OF INFORMATION
Adequate information will be provided in a clear and easily accessible manner, on the use of all Internal Information Channels that have been implemented, as well as on the
essential principles of the management procedure. In the event of having a website, this information must appear on the home page, in a separate and easily identifiable section.
10.- REGISTER OF INFORMATION
A book-register of the information received and the internal searches that have given rise to them must be kept, guaranteeing, in any case, the confidentiality requirements provided for in Law 2/2023.
This register will not be public and only upon reasoned request of the competent Judicial Authority, by act, and within the framework of a judicial procedure and under the supervision of the latter, may the content of said register be accessed in whole or in part.
Personal data relating to the information received and internal investigations will only be kept for the period that is necessary and proportionate for the purpose of complying with this law. In particular, it will be taken into account that:
A. The data that are the object of processing may only be kept in the information system for the time necessary to decide on the appropriateness of initiating an investigation into the reported facts.
If it is proven that the information provided or part of it is not truthful, it must be immediately deleted from the moment this circumstance is known, unless this lack of truthfulness may constitute a criminal offence, in which case the information will be kept for the time necessary for the judicial procedure to be processed.
B. In any case, after three months have passed since the receipt of the communication without any investigation having been initiated, it must be deleted, unless the purpose of the conservation is to leave evidence of the operation of the system. Communications that have not been acted upon may only be recorded in an anonymized form, without the obligation to block provided for in art. 32 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, LOPD) being applicable.
In no case may the data be kept for a period exceeding ten years.
11.- PUBLIC DISCLOSURE AND PROTECTION CONDITIONS
Public disclosure is understood to mean the making available to the public of information about actions or omissions.
The protection regime of Title VII will be applicable to persons who make a public disclosure of actions or omissions when their protection conditions are met and, in addition, any of those provided for in article 28 of Law 2/2023.
General conditions of protection of the informant (art. 35)
Specific protection conditions of Public Disclosure (art. 28).
a) They have reasonable grounds to believe that
the information referred to is truthful at the time
of the communication or disclosure, even if
they do not provide conclusive evidence, and that
the aforementioned information falls within the scope of application
of Law 2/2023.
b) The communication or disclosure has
been made in accordance with the requirements
provided for in Law 2/2023.
a) That the communication has been made first
through internal and external channels, or
directly
through external channels, without
appropriate measures having been taken on this matter
within the established period.
b) That there are reasonable grounds to believe
that either the infringement may constitute an
imminent or manifest danger to the
public interest, in particular when an
emergency situation occurs, or there is a risk of
irreversible damage, including a danger to the
physical integrity of a person; or,
in the case of communication through an
external channel of information, there is a risk of
retaliation or there is little likelihood that
the information will be treated effectively due to the
particular circumstances of the case, such as the concealment
or destruction of evidence, the collusion of an
authority with the perpetrator of the infringement, or
that the latter is involved in the infringement.
The previous conditions, to benefit from the protection provided for in cases of public disclosure, will not be required when the person has disclosed information directly to the press in accordance with the exercise of freedom of expression and truthful information.
12.- PERSONAL DATA PROTECTION The following is the personal data protection regime that will govern this procedure for managing information in the Internal Information System.
12.1.- Legal regime for the processing of personal data Data processing will be governed by the provisions of Regulation (EU) 2016/679 (GDPR); Organic Law 3/2018 (LOPD); Organic Law 7/2021, of May 26, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties (hereinafter, EL 7/2021); as well as the provisions of Law 2/2023.
12.2.- Lawfulness of personal data processing The processing of personal data necessary for the application of Law 2/2023 will be considered lawful. The processing of personal data, in cases of internal communication, will be understood as lawful under articles 6.1.c) GDPR; 8 LOPD; 7 and 11 EL 7/2021. The processing of personal data resulting from a public disclosure will be presumed to be covered by the provisions of articles 6.1.e) of the GDPR and 11 of EL 7/2021. The processing of special categories of personal data for reasons of essential public interest may be carried out in accordance with the provisions of article 9.2.g) GDPR.
12.3.- Information on the protection of personal data and exercise of rights When personal data is obtained directly from interested parties, they will be provided with the information referred to in articles 13 RGPD and 11 LOPD. Informants and those who make a public disclosure will also be expressly informed that their identity will in any case be confidential and will not be communicated to the persons to whom the facts reported refer or to third parties. The person to whom the facts reported refer will not in any case be informed of the identity of the informant or of the person who has made the public disclosure. Interested parties may exercise the rights referred to in arts. 15 to 22 RGPD. These rights are those called “ARC-POL”, referring to the right of Access, Rectification, Cancellation, Opposition, Portability, Forgetfulness (or deletion) and Limitation. In the event that the person to whom the facts related in the communication or to whom the public disclosure refers exercises the right to object, it will be presumed that, unless proven otherwise, there are compelling legitimate reasons that legitimize the processing of their personal data.
12.4.- Processing of personal data in the Internal Information System Access to the personal data contained in the Internal System will be limited, within the scope of their powers and functions, exclusively to: A. The System Manager and whoever manages it directly. B. The head of human resources or the duly designated competent body, only when the adoption of disciplinary measures against a worker could proceed. C. The head of the legal services of the entity and body, if the adoption of legal measures in relation to the facts related in the communication is appropriate. D. The data processors who may be designated. E. The data protection officer. The processing of data by other persons, or even their communication to third parties, will be lawful when it is necessary for the adoption of corrective measures in the entity or the processing of sanctioning or criminal procedures that, where appropriate, proceed. In no case will personal data that are not necessary for the knowledge and investigation of the actions or omissions that are the subject of the Internal Information System be processed, proceeding, if appropriate, to their immediate deletion. Likewise, all personal data that may have been communicated and that refer to conduct that is not included in the scope of application of Law 2/2023 will be deleted. If the information received contains personal data included within the special categories of data, it will be deleted immediately, without proceeding to the registration and processing of these. The data that are the object of processing may be kept in the information system only for the time necessary to decide on the appropriateness of initiating an investigation into the reported facts. If it is proven that the information provided or part of it is not truthful, it must be immediately deleted from the moment this circumstance is known, unless this lack of veracity may constitute a criminal offence, in which case the information will be kept for the time necessary for the judicial procedure to be processed. In any case, after three months have passed since the receipt of the communication without any investigative actions having been initiated, it must be deleted, unless the purpose of the conservation is to leave evidence of the operation of the system. Communications that have not been acted upon may only be recorded in an anonymized form, without the blocking obligation provided for in art. 32 LOPD being applicable.
Employees and third parties must be informed about the processing of personal data within the framework of the Information Systems referred to in this article.
12.5.- Preservation of the identity of the informant and the affected persons.
Whoever submits a communication or carries out a public disclosure has the right not to have their identity disclosed to third parties.
The Internal Information Systems, External Channels and those who receive public disclosures will not obtain data that allows the identification of the informant and must have adequate technical and organizational measures to preserve the identity and guarantee the confidentiality of the data corresponding to the affected persons and any third party mentioned in the information provided, especially the identity of the informant in the event that he or she has been identified.
The identity of the informant may only be communicated to the Judicial Authority, the Public Prosecutor’s Office or the competent administrative authority within the framework of a criminal, disciplinary or sanctioning investigation.
Disclosures made under this section shall be subject to safeguards established in the applicable regulations. In particular, it shall be communicated to the informant before revealing his identity, unless such information could compromise the investigation or the judicial procedure. When the competent authority communicates this to the informant, it shall send him a letter explaining the reasons for the disclosure of the confidential data in question.
13.- PROTECTION MEASURES
The following are the different measures of the protection regime offered to the informant and to the person affected by the communication.
13.1.- Conditions of protection
Persons who report or disclose violations covered by the Internal Information System have the right to protection provided that the following circumstances are met:
A. They have reasonable grounds to believe that the information referred to is true at the time of the report or disclosure, even if they do not provide conclusive evidence, and that the aforementioned information falls within the scope of application of Law 2/2023.
B. The report or disclosure has been made in accordance with the requirements set out in Law 2/2023.
Those persons who report or disclose:
A. Information contained in communications that have been inadmissible through any internal information channel or for any of the following reasons are expressly excluded from protection:
1. When the facts reported lack all plausibility.
2. When the facts reported do not constitute an infringement of the legal system included in the scope of application of Law 2/2023.
3. When the communication is manifestly unfounded or
there are, in the opinion of the A.A.I., rational indications that it was obtained through the commission of a crime. In the latter case, in addition to the inadmissibility, a circumstantial report of the facts deemed to constitute a crime will be sent to the Public Prosecutor’s Office.
4. When the communication does not contain new and significant information about infringements compared to a previous communication in respect of which the corresponding procedures have been concluded, unless new factual or legal circumstances arise that justify a different follow-up. In these cases, the Independent Authority for the Protection of the Informant, A.A.I., will notify the resolution with reasons.
B. Information related to claims about interpersonal conflicts or that only affect the informant and the persons to whom the communication or disclosure refers.
C. Information that is already fully available to the public or that constitutes mere rumors.
D. Information that refers to actions or omissions not included in the list of matters or infractions subject to communication of the Internal Information System.
Persons who have communicated or publicly disclosed information on actions or omissions included in the list of subjects covered by the Internal Information System anonymously but who have subsequently been
identified and meet the conditions provided for in Law 2/2023, shall be entitled to the protection contained therein.
Persons who report to the relevant institutions, bodies or agencies of the European Union infringements that fall within the scope of Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019, shall be entitled to protection in accordance with the provisions of Law 2/2023 under the same conditions as a person who has reported through external channels.
13.2.- Prohibition of retaliation
Acts constituting retaliation, including threats of retaliation and attempts at retaliation against persons who submit a communication in accordance with the provisions of Law 2/2023, are expressly prohibited.
Retaliation is understood to mean any acts or omissions that are prohibited by law, or that, directly or indirectly, involve unfavorable treatment that places the persons who suffer them at a particular disadvantage with respect to another in the work or professional context, solely due to their status as informants, or for having made a public disclosure.
For illustrative purposes, retaliation is considered to be those that are adopted in the form of:
A. Suspension of the employment contract, dismissal or termination of the employment or statutory relationship, including the non-renewal or early termination of a temporary employment contract once the probationary period has passed, or early termination or cancellation of contracts for goods or services, imposition of any disciplinary measure, demotion or denial of promotions and any other substantial modification of working conditions and the non-conversion of a temporary employment contract into an indefinite one, in the event that the worker had legitimate expectations that he would be offered an indefinite job; unless these measures were carried out within the regular exercise of management power under the labor or regulatory legislation of the corresponding public employee status, due to circumstances, facts or proven violations, and unrelated to the presentation of the communication.
B. Damages, including those of a reputational nature, or economic losses, coercion, intimidation, harassment or ostracism.
C. Negative evaluation or references regarding work or professional performance.
D. Inclusion in blacklists or dissemination of information in a certain sectoral area, which hinder or prevent access to employment or the contracting of works or services.
E. Refusal or cancellation of a license or permit.
F. Refusal of training.
G. Discrimination, or unfavorable or unfair treatment.
The person whose rights have been violated due to their communication or disclosure after the two-year period has elapsed may request protection from the competent authority
which, exceptionally and in a justified manner, may extend the period of protection, after hearing the persons or bodies that may be affected. The denial of the extension of the protection period must be motivated.
Administrative acts that aim to prevent or hinder the submission of communications and disclosures, as well as those that constitute retaliation or cause discrimination after the submission of those under the protection of Law 2/2023, will be null and void and will give rise, where appropriate, to disciplinary or liability corrective measures, which may include the corresponding compensation for damages
to the injured party.
Furthermore, the Independent Whistleblower Protection Authority, A.A.I., may, within the framework of the sanctioning procedures it instructs, adopt provisional measures in the terms established in article 56 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.
13.3.- Support measures
People who report or disclose violations that are the subject of the Internal Information System, through the procedures provided for in Law 2/2023, will have access to the following support measures:
A. Complete and independent information and advice, which are easily accessible to the public and free of charge, on the procedures and resources available, protection against retaliation and the rights of the affected person.
B. Effective assistance by the competent authorities before any relevant authority involved in their protection against retaliation, including certification that they can benefit from protection under Law 2/2023.
C. Legal assistance in criminal proceedings and cross-border civil proceedings, in accordance with Community legislation.
D. Financial and psychological support, exceptionally, if so decided by the Independent Authority for the Protection of the Informant, A.A.I., after assessing the circumstances arising from the presentation of the communication.
All this, regardless of the assistance that may correspond to the protection of Law 1/1996, of January 10, on free legal assistance, for representation and defense
in judicial proceedings arising from the presentation of the communication or public disclosure.
13.4.- Protective measures against retaliation
It will not be considered that persons who communicate information about the actions or omissions included in Law 2/2023, or who make a public disclosure in accordance with
herein, have infringed any restriction on disclosure of information, and they will not incur liability of any kind in relation to said communication or public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure of said information was necessary to disclose an action or omission under Law 2/2023; all this without prejudice to the fact that the protection provided for therein for workers who report violations of Labor Law in the field of health and safety at work shall be understood without prejudice to its specific regulations. This measure shall not affect criminal responsibilities.
The foregoing extends to the communication of information made by representatives of workers, even if they are subject to legal obligations of secrecy or not to disclose confidential information. All this without prejudice to the specific protection rules applicable in accordance with labor regulations.
The informants shall not incur liability with respect to the acquisition or access to information that is communicated or disclosed publicly, provided that such acquisition or access does not constitute a crime.
Any other possible liability of the informants arising from acts or omissions that are not related to the communication or public disclosure or that are not necessary to disclose an infringement under Law 2/2023, will be enforceable in accordance with the applicable regulations.
In proceedings before a court or other authority relating to the damages suffered by the informants, once the informant has reasonably demonstrated that he/she has communicated or made a public disclosure in accordance with Law 2/2023 and that he/she has suffered damage, it will be presumed that the damage occurred as a retaliation for reporting or making a public disclosure. In such cases, it will be up to the person who took the harmful measure to prove that this measure
was based on duly justified reasons not linked to the communication or public disclosure.
In legal proceedings, including those relating to defamation, copyright infringement, breach of confidentiality, infringement of data protection regulations, disclosure of business secrets, or claims for compensation based on labor or statutory law, persons who have the status of informants, authorized to submit communications, in accordance with the personal scope of application of Law 2/2023, will not incur any liability of any kind as a result of communications or public disclosures protected by it. These persons will have the right to allege in their defense and within the framework of the aforementioned legal proceedings, having communicated or made a public disclosure, provided that they had reasonable grounds to believe that the communication or public disclosure was necessary to bring to light an infringement under Law 2/2023.
13.5.- Measures for the protection of the affected persons
During the processing of the file, the persons affected by the communication will have the right to the presumption of innocence, the right of defense and the right of access to the file in the terms regulated in this law, as well as the same protection established for informants, preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure.
13.6.- Cases of exemption and mitigation of the administrative sanction
In addition to the measures set out, an express provision is contemplated in those cases in which the author or participant in an administrative infraction that is the subject of the information communicated, is the one who reports its existence to the competent administrative body to resolve it.
Although this falls outside the scope of the internal business sphere, it is considered necessary to include it in this protocol, in order to encourage the disclosure of these behaviors, in the event that they occur, by those involved.
To this end, when a person who had participated in the commission of the administrative offence that is the subject of the information is the one who reports its existence by presenting the information and provided that the information was presented prior to the fact that the initiation of the investigation or sanctioning procedure had been notified, the competent body to resolve the procedure, by means of a reasoned resolution, may exempt him from compliance with the administrative sanction that would correspond to him provided that the following points are proven in the file:
A. Having ceased to commit the offence at the time of presentation of the communication or disclosure and identifying, if applicable, the rest of the persons who have participated in or facilitated it.
B. Having cooperated fully, continuously and diligently throughout the entire investigation procedure.
C. Having provided truthful and relevant information, means of proof or significant data for the accreditation of the facts investigated, without having proceeded to the destruction of these or their concealment, nor having revealed their content to third parties, directly or indirectly.
D. Having proceeded to repair the damage caused that is attributable to him.
When these requirements are not met in full, including partial repair of the damage, the competent authority will have the discretion, after assessing the degree of contribution to the resolution of the case, to mitigate the sanction that would have corresponded to the offense committed, provided that the informant or author of the disclosure has not been previously sanctioned for acts of the same nature that gave rise to the initiation of the procedure.
The mitigation of the sanction may be extended to the rest of the participants in the commission of the offence, depending on the degree of active collaboration in clarifying the facts, identifying other participants and repairing or mitigating the damage caused, assessed by the body responsible for the resolution.
These cases of exemption and mitigation of the sanction will not be applicable to the offences established in Law 15/2007, of 3 July, on the Defence of Competition.
14.- PROCEDURE FOR REPORTING SOME FACTS The following is a summary and schematic presentation of the complaint management process, to facilitate understanding and monitoring of the previous information. 14.1.- Sending the complaint The complaint can be submitted anonymously or by providing identifying information, as preferred by the person making the complaint, this being one of their rights. The preferred channel for making communications regarding serious or very serious administrative infractions, as well as those crimes of which they may be aware, that have occurred or affect the company, is the DESCOMPLICA’T external mailbox. https://www.descomplicat.com/es/denuncias/sistema-interno-de-informacion.html
Without prejudice to the above, you may decide to go directly to the Head of the Internal System or to a third party from the company. In the latter case, this third party must inform the Internal System Manager immediately and avoid its dissemination, in compliance with the confidentiality duties. The loss of this confidentiality is considered a very serious infraction. The complaint can be submitted in writing, verbally or by requesting a face-to-face meeting (the meeting will take place within 7 days of your request). In the case of verbal complaints (including the face-to-face meeting), it must be documented with prior consent, either with a recording or through a complete and accurate transcription. In the event that it is transcribed, the possibility of checking its content, rectifying it and accepting it with your signature will be offered.
14.2.- Admission for processing Once the complaint has been received, either in writing, verbally or through a face-to-face meeting, it will be assessed whether it meets the requirements for it to be admitted and managed, or not. It may happen that the communication is about something completely unrelated to the Internal System (advertising, commercial information, etc.), and in this case it will be deleted. It may also be that the complaint is related to another channel or communication channel of the company, and in this case it will be sent to the corresponding channel. Finally, it may be that the information is related to the complaint of facts or conduct that may constitute an administrative infraction or a crime (for example: harassment, sexual harassment, assault, violation of labor rights, etc.), in which case, it will be admitted for processing, an Identification Code will be assigned to the file of its processing and it will be registered in the Internal System. This Identification Code serves to guarantee confidentiality and anonymity. It will be used in all writings and communications corresponding to the processing of the complaint made. 14.3.- Receipt of receipt Unless it is deemed that confidentiality may be jeopardized, once the complaint has been accepted for processing, a document accrediting the receipt of the complaint will be sent to the informant, within 7 calendar days following its receipt. The fact of sending it or not, does not imply a violation of the rights of the informant, it only affects the moment of calculating when the research phase begins, because you have, at most, three months to conclude it and notify the results (unless an extension of three months is deemed necessary, due to the complexity of the case). 14.4.- Research Once the previous 7-day period for acknowledging receipt has ended, the fact-finding phase will begin. The exact period for processing and notification will be 3 months, without prejudice to the fact that, if a complaint is being processed regarding a circumstance of harassment or sexual harassment, it must be resolved with the utmost speed and diligence, ensuring that it is resolved as soon as possible to guarantee the rights and well-being of the affected person. At this point, the informant, witnesses, possible acquaintances and the person being reported will be called to give a statement on the facts being investigated, with full respect for the anonymity and confidentiality that both the informant and the accused enjoy. The accused will enjoy the following rights: – Respect for their right to the presumption of innocence and honor will be respected and demanded. – You will have the right to be informed of the actions or omissions attributed to you and to be heard at any time. – The right to defend yourself, being able to present your version, present as many allegations and evidence as you deem relevant, as well as appear assisted by a lawyer. – The right to access the file, anonymized and without being able to access the complainant’s complaint. – The right to confidentiality and preservation of your identity.
14.5.- Completion of the investigation
Once the investigation is completed, the Head of the Internal System will prepare a report of conclusions and, based on it, will request the adoption of corrective, reparative or disciplinary measures that it deems relevant, from the company’s Management.
14.6.- Notification of the resolution to the parties
Once the Management has determined the measures to be applied, the informant and the person reported will be notified of a summary of the facts, the results of the investigation, the conclusion reached and the measures that will be adopted.