The mandatory whistleblowing channel for companies in Spain, referred to by Law 2/2023 as an internal reporting system, is no longer a future requirement. It is now a current legal obligation for many organisations.
Law 2/2023 on the protection of persons who report regulatory infringements and corruption transposes the EU Whistleblowing Directive and requires secure, confidential and effective reporting channels.
The purpose is to allow employees, collaborators, suppliers and other people connected with the organisation to report infringements or irregularities without suffering retaliation.
In this article we will discuss...
What is a whistleblowing channel?
A whistleblowing channel is an internal means for reporting possible regulatory infringements, conduct contrary to corporate ethics, criminal risks, compliance breaches or corruption-related facts.
It should allow reports in writing or verbally, protect the confidentiality of the whistleblower and affected persons, and support anonymous reports where the organisation enables them under the law.
Which companies are required to have one?
As a general rule, private companies with 50 or more employees must have an internal reporting system. Public sector bodies and certain regulated entities may also be required to implement one.
Some organisations subject to specific regulations, such as anti-money laundering, financial markets, transport safety or environmental protection rules, may be required to have a channel regardless of employee headcount.
Minimum requirements
- Protect the confidentiality of the whistleblower and affected persons.
- Ensure secure management of reports.
- Appoint a person responsible for the internal reporting system.
- Acknowledge receipt within the legal deadline where applicable.
- Follow up and respond within the established time limits.
- Prohibit retaliation against people who report in good faith.
- Keep information only for as long as necessary.
Connection with data protection
A whistleblowing channel involves processing personal data and, in some cases, sensitive information or data about alleged infringements. It must therefore be designed in line with the GDPR and Spanish data protection rules: clear privacy information, appropriate legal basis, access controls, confidentiality, limited retention and security measures.
Organisations should also define who can access reports, how internal investigations are documented and when information must be deleted or blocked.
Why a proper channel matters
- It helps detect irregularities before they cause greater harm.
- It strengthens compliance culture and internal trust.
- It reduces criminal, reputational and employment risks.
- It supports orderly and documented internal investigations.
- It protects both the organisation and the whistleblower against leaks or retaliation.
A whistleblowing channel should not be just a form. It should be part of a real compliance system, with a procedure, a responsible person, deadlines, safeguards and internal training.
Auratech can help you implement or review your whistleblowing channel.