Internal investigations: recent developments in Spain

Friday 2 September 2022

Adriana de Buerba
Pérez-Llorca, Madrid

Patricia Leandro Vieira da Costa
Uría Menéndez, Madrid

Guillermo Meilán
Pérez-Llorca, Madrid

Forbidden investigative activities: limits on the control and monitoring of corporate electronic devices and communication channels

To date, the Spanish Supreme Court’s Criminal Section (SSC) has issued very few rulings that specifically analyse the limits on controlling corporate electronic devices and communication channels used by employees in the framework of an internal investigation.[1] Although a wider range of precedents is needed to establish settled case law in the Spanish criminal jurisdiction, the SSC has already drawn some important red lines on the matter that must be observed.

In this regard, some SSC precedents have set a clear separation between the right to the inviolability of communications and the rights to privacy and data protection. Following that interpretation, the inviolability of communications can only be limited by judicial authorisation, which prevents access to all ongoing communications and to emails that have not been opened by the addressee. By contrast, the rights to privacy and data protection can be subject to negotiation between employer and employee, and this allows access, among other things, to emails that have been received and opened by the employee, web traffic data, data on the use of computer equipment to access other network services such as web pages, etc.

Having said this, regarding access to those data and communications not affected by judicial authorisation, SSC’s case law – which has embraced the doctrine of the European Court of Human Rights (ECHR) – requires the company to have expressly informed the employee, in advance and in writing, about the rules for the use of electronic devices and communication channels and their possible control and monitoring by the company, as well as the objective pursued by this surveillance. Once this requirement is met, the monitoring of corporate devices and communications must satisfy the following additional requirements.

Well-founded suspicion or indication of employee non-compliance

A legitimate reason must justify the monitoring of corporate devices and communications. This requirement is closely linked to the proportionality test analysed below, in that the more serious the suspected breach, the more justified the corporate monitoring will be – even if there is a slight interference with the employee’s expectation of privacy.

Satisfaction of a proportionality test

In the event of a well-founded suspicion of non-compliance by an employee, corporate monitoring of such devices and communications will be deemed legitimate if it satisfies the following three-pronged test:[2]

  1. appropriateness test: the monitoring measure must be the most appropriate to reveal the alleged non-compliance of the employee;
  2. necessity test: the least intrusive measure must be used with respect to the employee’s rights, such that if a particularly burdensome measure is adopted, it can be proven that it was the strict minimum required to discover the employee’s alleged non-compliance; and
  3. strict proportionality test: to weigh up, in the specific case, whether in the conflict between the legitimate business interest in controlling certain risks or possible irregularities and respecting the employee’s right to privacy, the former should prevail.[3]

Furthermore, in addition to all of the above, the monitoring must be carried out in the least intrusive way possible in terms of the employee’s privacy. To this end, the monitoring should be carried out: through ‘blind’ selective searches, using keywords or similar methods that enable the information that is pertinent to the investigation to be found; during a limited period and with a limited scope; and using the least intrusive electronic system possible (eg, via the company’s server and not via the employee’s computer equipment).

Criminal liability regime of a company’s director when an employee commits an offence

In Spain, the regime of attribution of criminal liability is of a personal nature. That is to say, such liability can only be attributed to a person when their own acts or omissions result in an offence. In the case of a company, it is linked to the adoption of corporate decisions or the omission to adopt them. Although in these cases it is usually linked to a person holding a certain position within the company, the same criminal liability can arise if the person carries out such conduct without formally holding such a position (ie, a de facto director).

If an offence committed by an employee is discovered in the framework of an internal investigation and the relevant directors are not implicated in said unlawful conduct, two scenarios can be envisaged for them in terms of potential criminal liabilities: (1) the offence was committed by the employee before its internal discovery – that is to say, the offence and its effects predate the findings of the internal investigation; or (2) the offence is being committed by the employee at the time it is internally discovered, or it will produce effects after its discovery.

In the first scenario, a director will not face criminal liability. They should adopt adequate and proportionate measures against the offender (ie, taking appropriate disciplinary measures or dismissing the employee) and may only be subject, potentially, to civil liabilities. However, in scenario (2) above, a director may potentially face criminal charges if they wilfully do not take any action against the offender or try to conceal the facts.

In this regard, in relation to the offence committed by the employee, said director may be considered as an accessory or a necessary cooperator of the employee (ie, someone who co-operates in the commission of an offence by means of an act without which the offence could not have been committed). But they may also be considered as criminally liable for other independent offences that may arise as a result of the impact of the initial unlawful conduct. Examples of when this could happen include where the illicit conduct of an employee alters the content of the company’s annual accounts or of other documents that should record its legal or financial status and, despite this circumstance, the director approves said documents with that false information; or where the illicit conduct of an employee causes the company to include false economic-financial information in the prospectuses used to issue any financial instruments or information that must be published according to the stock market laws and, despite these circumstances, the director allows it.

Brief analysis of certain aspects of the Spanish Draft Bill for the transposition of the EU Whistleblowing Directive

On 4 March 2022, the Spanish Government publicly announced the Draft Bill on the protection of persons who report legal breaches and on the fight against corruption (the ‘Draft Bill’), for the transposition of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019, on the protection of persons who report breaches of Union law (the ‘Directive’).

The Draft Bill came late, as Member States should have brought into force the ‘laws, regulations and administrative provisions’ necessary to comply with the Directive by 17 December 2021. In fact, prior to the announcement of the Draft Bill, on 27 January 2022 the EU Commission sent a letter of formal notice to Spain for lack of transposition of the Directive (as well as to 24 other Member States).

Although the Draft Bill is still preliminary (as the final Bill that will be submitted to the Spanish Parliament may differ), there are some aspects of it worth mentioning.

Firstly, the material scope of the Draft Bill is much broader than that of the Directive. The Directive’s material scope (article 2) includes the protection of persons reporting breaches of Union law related to:

  • public procurement;
  • financial services, products and markets and prevention of money laundering and terrorist financing;
  • product safety and compliance;
  • transport safety;
  • protection of the environment;
  • radiation protection and nuclear safety;
  • food and feed safety, animal health and welfare;
  • public health;
  • consumer protection;
  • protection of privacy and personal data, and security of network and information systems;
  • breaches affecting the financial interests of the Union (article 325 of Treaty on the Functioning of the European Union (TFEU)); and
  • breaches relating to the internal market (article 26(2) of TFEU), including breaches of Union competition and State aid rules, as well as breaches relating to the internal market in relation to acts which breach the rules of corporate tax.

In addition to the foregoing, the Draft Bill also provides protection to persons reporting any criminal offence, any serious administrative breach or any other legal breach that may harm the general interest (and that lack specific regulation).

On the other hand, the Directive envisages three possible reporting channels:

  • internal reporting channels (ie, whistleblowing channels within legal entities);
  • external reporting channels, whereby reports are received by an independent authority (to this effect, the Draft Bill creates the new ‘Independent Authority for the Protection of Informers’, attached to the Spanish Ministry of Justice); and
  • public disclosures (ie, disclosures to the press), which is deemed a subsidiary reporting channel as it should only be used when ‘the person has first reported internally and externally, or directly externally’ (except in cases of emergency or when it is clear that external reporting channels will not be effective).

In this regard, as to the debate on whether whistleblowers should first report internally in order to gain protection against possible retaliations, the Explanatory Memorandum of the Draft Bill expressly indicates that although internal channels are preferred, it is up to the whistleblower to decide whether to report internally or externally, in view of the specific circumstances of the case and of the risk of retaliation.

As to the possibility of anonymous reports, the Directive establishes that it should be possible for Member States to decide whether legal entities in the private sector and competent authorities shall be required to accept and follow up on anonymous reports. In this sense, the Draft Bill foresees that anonymous reports, made internally or externally, must necessarily be accepted.

Additionally, regarding internal reporting channels, the Draft Bill imposes on the relevant public and private entities the obligation to designate a person or committee in charge of the internal reporting channel. In the case of a committee, one of its members shall have powers to manage the internal reporting channel and to conduct internal investigations. The designation and termination of this person (or of the members of the mentioned committee) shall be notified to the ‘Independent Authority for the Protection of Informers’. Moreover, this person or committee shall be independent and autonomous. In particular, in the case of private entities, the Draft Bill specifies that this person (or the member of the designated committee with the aforementioned powers to manage the internal reporting channel) should be a senior manager of the company (‘alto directivo’) who carries out this role on an exclusive basis and with independence from the company’s directors. However, if due to the nature and dimensions of the company it is not possible to designate a manager to carry out this exclusive role, it would be possible to make this role compatible with other ordinary activities. In this latter case, possible situations of conflict of interest shall be avoided. Additionally, in those entities where there is already a compliance officer or committee, this person or committee could be designated for the role established by the Draft Bill, provided that the mentioned requirements are fulfilled.

Furthermore, in relation to record keeping of the reports, the Directive states that Member States shall ensure that legal entities in the private and public sector and competent authorities keep records of every report received, in compliance with the relevant confidentiality requirements. In particular, reports shall be stored for no longer than is necessary and proportionate in order to comply with the requirements imposed by the Directive or other requirements imposed by Union or national law. The same provision was included in the Draft Bill, but with the specification that personal data records should not be kept for more than ten years.

Lastly, as to penalties that may be imposed on companies and individuals, the Directive imposed on Member States the obligation to provide for effective, proportionate and dissuasive penalties on those who hinder or attempt to hinder reporting, who retaliate or bring vexatious proceedings against whistleblowers, or who breach the duty of confidentiality regarding the identity of reporting persons. In this sense, the Draft Bill envisages possible fines on natural persons of up to €300,000 and on legal entities of up to €1m. Additional penalties could also be imposed under the Draft Bill, such as public reprimands, debarment from obtaining public aid or tax benefits for up to four years, debarment from contracting with the Public Administration for up to three years, as well as publication of penalties imposed on legal persons equal to or higher than €600,000.


[1]     See Judgments of the Spanish Supreme Court (Criminal Section) Nos 56/2022 of 24 January [ECLI:ES:TS:2022:132]; 328/2021 of 22 April [ECLI:ES:TS:2021:1486]; 489/2018 of 23 October [ECLI:ES:TS:2018:3754]; and 528/2014 of 16 June [ECLI:ES:TS:2014:2844].

[2]     See ECHR Judgment of 17 October 2019 (Applications Nos 1874/13 and 8567/13): López Ribalda and Others v Spain.

[3]     See ECHR Judgment of 5 September 2017 (Application No 61496/2008): Bărbulescu v Romania II.