In any company or organization, transparency and integrity are key factors. A whistleblowing channel for companies is a tool that allows employees, customers, and suppliers to report irregularities confidentially and securely. Whether it is inappropriate conduct, a violation of laws, or any breach of internal policies, having an effective reporting system helps prevent problems and strengthens trust within the organization.
Background
Following the approval of Law 2/2023, of February 20, regulating the protection of individuals who report regulatory violations and the fight against corruption (hereinafter, “Whistleblower Protection Law” or “the Law”), both national and European legislators have established an obligation for the entities specified in this regulation to have an “Internal Reporting Channel” (hereinafter, “IRC”). The IRC is a whistleblowing channel that enables personnel within regulated organizations to report illicit activities of any nature to a responsible party without fear of retaliation or adverse consequences resulting from such disclosure.
It should be noted that the approval of this regulation was driven by the European legislator’s obligation to transpose Directive (EU) 2019/1937 of the European Parliament and the Council of October 23, 2019, concerning the protection of individuals who report violations of Union law (hereinafter, “Whistleblowing Directive”).
Legal Requirements
Whistleblowers
Access to the whistleblowing channel for companies:
Informants may include both internal personnel of the organization and external individuals (Art. 3 of the Law). The IRC must be unique, meaning it must integrate all internal reporting channels that may be established. Therefore, access for whistleblowers cannot be limited to an intranet, employee portal, or similar restricted space.
Anonymous reporting:
The system must allow anonymous reports, meaning that whistleblowers should not be required to provide any personal data when submitting a report, such as name, surname, job position, corporate or personal email address, phone number, or IP address.
Basic Features of the IRC
According to Art. 5 of the Law, a whistleblowing channel for companies must at least:
- Allow whistleblowers to report information on violations covered by the Law.
- Be designed, implemented, and managed securely to ensure the confidentiality of the whistleblower’s identity and any third parties mentioned in the report, as well as the confidentiality of actions taken during the handling and processing of the report. It must also protect data and prevent unauthorized personnel from accessing it.
- Enable reports to be submitted in writing, verbally, or both. This can be done through any electronic means. Since reports can also be made in person or via postal mail, the IRC must include functionality for the organization to integrate received postal mail, minutes, statements, recordings, or transcriptions of verbal reports.
- Integrate various internal reporting channels within the entity. This means that if there are multiple communication entry points, all must be centralized within a single IRC.
Information Management Procedure
Any IRC must ensure that the information management procedure meets the characteristics required by Art. 9 of the Law. It must:
- Allow sending an acknowledgment of receipt to the whistleblower within 7 calendar days of receiving the report. The Law does not explicitly exempt anonymous reports from this obligation.
- Enable communication with the whistleblower and allow requests for additional information. Again, anonymous reports are not explicitly exempted.
Additionally, it is highly recommended that the system includes an alert feature to help users track deadlines for various actions (new report entry, acknowledgment of receipt, investigation initiation, data deletion, etc.).
Shared IRC (Corporate Groups and Public Sector)
The Law permits a single IRC for:
- An entire corporate group (Art. 11), where information exchange between the responsible parties of different companies is allowed only if necessary for proper coordination and optimal performance of their functions.
- Various public administrations or agencies specified in Art. 14 of the Law.
Therefore, the system must allow for a single IRC in these situations while maintaining isolated and independent spaces for each responsible entity by default, permitting information exchange only when applicable within corporate groups.
Roles and Permissions
Due to the sensitive nature of the information disclosed via the IRC, the system must include predefined access control functionality with least-privilege settings. Only the personnel who are strictly necessary and authorized by law may manage the information provided by whistleblowers.
According to Art. 32 of the Whistleblower Protection Law, only the following individuals may access the information:
- The system administrator and the person managing it directly.
- The human resources manager or the duly designated competent body, only when disciplinary measures could be taken against an employee. In the case of public employees, the body competent to process the matter.
- The person responsible for the legal services of the entity or organization, if legal measures are to be adopted in relation to the facts described in the communication.
- The data processors who may be appointed.
- The data protection officer.
The specific designation of the Controller’s competent personnel is at the Controller’s discretion, as stated in its own information management procedure. However, the Client must enable a “panel” or “reserved page” in the solution offered so that the authorized personnel can receive this information. It would likewise be required that these personnel be identified, and that the specific role each assumes, which enables access to this “privileged section” of the solution offered, be stated.
It should be noted that, in addition to those listed above, the information may also be accessed by personnel, whether internal or third parties, who are required for the application of the relevant corrective measures, that is, the disciplinary measures applicable within the organization or the processing of sanctioning or criminal proceedings that may arise from the information sent. In any case, PGPlanning’s clients will determine who is given access to the IRC, and it is recommended that the system include an “Others” (or similar) role and/or permission type for any case other than those indicated in Art. 32 of the Law.
Record-Keeping (Logbook)
Regarding the obligations the regulations impose on storing information received through the reporting channels of an IRC, Article 26 of the Whistleblower Protection Law establishes that obliged subjects must keep a logbook of the information received and of the internal investigations.
The law does not specify whether this logbook must be part of the IRC or a separate, yet related, record. However, one of the advantages of a SaaS IRC management system should be the generation of this logbook. In such cases, personal data included in the logbook may be retained for a maximum period of 10 years.
Why Choose PGPlanning’s Whistleblowing Channel?
- Experience and Reliability: Years of expertise in implementing HR tool management.
- Comprehensive Support: We assist throughout the entire process, from implementation to ongoing maintenance.
If you want to ensure transparency and security in your company, contact us, and we will help you implement an effective whistleblowing channel in compliance with current regulations.
Visit the whistleblowing channel section on our PGPlanning website and discover how we can optimize your organization’s management.