Compliance8 minEquipo Lexiel
Whistleblowing channel Law 2/2023: practical step-by-step implementation guide
Law 2/2023 requires organisations with 50+ workers to have a whistleblowing channel. We analyse the 7 steps to implement it: designate the responsible person, create the policy, choose the technical channel, guarantee confidentiality and protect the whistleblower. Fines up to €1,000,000.
canal denuncias Ley 2/2023 implementaciónwhistleblowing EspañaA.A.I.protección denunciante represaliaDirectiva UE 2019/1937
Who must comply
Companies with 50+ workers (since 1 December 2023), regulated sector companies regardless of size, political parties/unions managing public funds, municipalities over 10,000 inhabitants. Group channel option for 50-249 employee companies.
7 implementation steps
- Designate System Manager (Art. 8): independent, competent (compliance/legal/HR), can be internal or external. 2. Whistleblowing policy: scope (Art. 2 EU/Spanish law infringements), who can report (employees, ex-employees, interns, suppliers, contractors), confidentiality guarantees, response timelines. 3. Technical channel: online encrypted anonymous mailbox recommended; must offer anonymous reporting option. 4. Response deadlines: receipt acknowledgement 7 business days; action communication 3 months (+ 3-month extension for complex cases). 5. Confidentiality (Art. 24): identity disclosure prohibited except with consent, for defence rights, or by judicial order. 6. Anti-retaliation (Art. 36): prohibits dismissal, demotion, negative evaluations, public tender exclusión; burden of proof reversal. 7. A.A.I. registration: internal channels do not require registration with the Independent Informant Protection Authority.
Penalties: Non-implementation: €1,000,000 (company). Retaliation: €300,000. Identity disclosure: €300,000.
Try Lexiel free · 28 days
Use code LEX-BLOG for double the standard trial period. Cancel anytime, no commitment.
LEX-BLOG