Main definitions in the field of Compliance


  • Corrective action: Action to eliminate the causes of a nonconformity or noncompliance and prevent its recurrence.
  • Senior management: Person or group of persons who direct and control an organization at the highest level.
  • Audit: Systematic and independent process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are met.
  • Competent authority: Any authority designated to receive complaints and to respond to complainants, and/or designated to perform Compliance functions, in particular with regard to follow-up.
  • Internal reporting channel: Any internal reporting channel available to an entity to enable reporting of breaches of European Union law.
  • Competence: The ability to apply knowledge and skills to achieve the intended results.
  • Compliance/Fulfillment: The fulfillment of the organization’s compliance obligations, both external and self-imposed.
  • Conflict of interest: A situation in which business, financial, family, political, personal or external interests could interfere with the judgment of the organization’s members when carrying out their duties in the organization.
  • Compliance: Fulfillment of a requirement.
  • Work context: Present or past work activities in the public or private sector through which, regardless of the nature of those activities, individuals may obtain information about violations and in which those individuals could suffer retaliation if they disclosed such information.
  • Compliance culture: Values, ethics, beliefs and behavior that exist in an organization and that interact with the organization’s structures and control systems to produce norms of behavior that lead to compliance.
  • Whistleblowing: The verbal or written communication of information about violations.
  • External whistleblowing: The verbal or written communication of information about violations to the competent authorities.
  • Internal whistleblowing: The verbal or written communication of information about violations within a legal entity in the private or public sector.
  • Whistleblower: A natural person who publicly communicates or discloses information on violations obtained in the context of his or her work activities.
  • Performance: Measurable result.
  • Effectiveness: Degree to which planned activities are carried out and planned results are achieved.
  • Outsourcing: Agreement whereby an external organization performs a function or process of the organization.
  • Facilitator: A natural person who assists a whistleblower in the whistleblowing process in a work context, and whose assistance must be confidential.
  • Compliance function: Person or group of persons with responsibilities and authorities for the operation of the compliance management system.
  • Public official: Any person holding a legislative, administrative or judicial office, whether appointed by succession or elected, or any person exercising a public function, including for a public agency or for a public company, or any officer or agent of a public national or international organization or any candidate for public office.
  • Information about violations: Information, including reasonable suspicions, about actual or potential wrongdoing, which has occurred or is very likely to occur in the organization in which the whistleblower works or has worked or in another organization with which the whistleblower is or has been in contact in connection with his or her work, and about attempts to conceal such wrongdoing.
  • Violations: Actions or omissions which: (i) are unlawful and relate to the acts and activities of the European Union, or (ii) distort the object or purpose of the rules laid down in the acts and activities of the European Union.
  • Infringements: Actions or omissions that: (i) are unlawful and relate to the acts and policy areas of the European Union, or (ii) distort the object or purpose of the rules laid down in the acts and policy areas of the European Union.
  • Investigation: All those actions aimed at verifying the verisimilitude of the facts reported through the Internal Information System.
  • Measurement: The process of determining a value.
  • Continuous improvement: Recurrent activity to improve performance.
  • Members of the organization: The members of the governing body, managers, employees, workers, temporary staff or persons under a collaboration agreement, and volunteers of an organization, together with any other persons hierarchically subordinate to any of the above.
  • Non-conformity: Non-compliance with a requirement.
  • Non-compliance with Compliance: Non-compliance with Compliance obligations.
  • Objective: Result to be achieved.
  • Compliance Obligations: Requirements that an organization is obliged to comply with, as well as those that an organization voluntarily chooses to comply with.
  • Organization: A person or group of persons having their own functions with responsibilities, authorities and relationships for the achievement of their objectives.
  • Compliance Body: Body of the organization endowed with autonomous powers of initiative and control entrusted with the responsibility of supervising the operation and observance of the compliance management system.
  • Governing body: A person or group of persons having ultimate responsibility and authority for the activities, governance and policies of an organization to whom senior management reports and is accountable.
  • Stakeholder: Person or organization that may affect, be affected, or be perceived to be affected by a decision or activity.
  • Person concerned: A natural or legal person referred to in the complaint or public disclosure as the person to whom the infringement is attributed or with whom the infringement is associated.
  • Personnel: Individuals in a relationship recognized as an employment relationship under national law or practice, or in any contractual relationship whose activity is dependent on the organization.
  • Policy: Intentions and direction of an organization as formally expressed by its top management.
  • Compliance Policy: The will of an organization, as formally expressed by its senior management or governing body, in relation to its Compliance objectives.
  • Procedures: Specific way of carrying out an activity or process.
  • Information management procedure: Procedure that establishes the necessary provisions so that the Internal Information System and the existing internal information channels comply with the requirements.
  • Process: A set of interrelated or interacting activities that use or transform inputs to produce outputs.
  • Register of information: Record book of the information received and of the internal investigations to which it has given rise, guaranteeing confidentiality in all cases.
  • Retaliation: Any action or omission that is prohibited by law, or that, directly or indirectly, involves unfavorable treatment that places the persons who suffer it at a particular disadvantage with respect to another in the work or professional context, solely because of their status as informants, or because they have made a public disclosure, unless there is objective justification.
  • Requirements: Established need or expectation, usually implicit or mandatory.
  • Head of the internal information system: Individual or collegiate body appointed by the administrative or governing body of the organization, responsible for the internal information system, in particular, for its management and the processing of investigation files, independently and autonomously from the rest of the organizational bodies of the entity or organization.
  • Response: The information provided to complainants on the actions planned or taken to follow up on their complaint and the reasons for such follow-up.
  • Public disclosure: The making of information about violations available to the public.
  • Risks: Effect of uncertainty on objectives.
  • Compliance Risk: Probability of occurrence and the consequences of non-compliance with an organization’s compliance obligations.
  • Criminal risk: Risk related to the development of conduct that could constitute a crime, according to the regime of criminal liability of legal entities established in the Spanish Criminal Code or, in the case of entities without legal personality, with the regime of accessory consequences established in the same legal text.
  • Penalties: Consequences foreseen in cases of commission of infractions.
  • Complaint follow-up: Determination of the status of a system, process or activity. That is, any action taken by the recipient of a complaint or any competent authority in order to assess the accuracy of the allegations made in the complaint and, where appropriate, to resolve the reported violation, including through measures such as internal investigations, inquiries, prosecutions, recovery actions, or the closing of the proceeding.
  • Management system: A set of interrelated or interacting elements of an organization that establishes policies, objectives and processes to achieve those objectives.
  • Internal reporting system: Preferred channel for reporting actions or omissions that may constitute breaches of European Union law or infringements of a serious or very serious criminal or administrative nature.
  • Business partner: Any party, other than members of the organization, with whom the organization has, or expects to establish, any type of business relationship.
  • Third party: Person or body that is independent of the organization.


ISO 37301:2021 Compliance management systems.
UNE 19601:2017 Criminal Compliance Management Systems.
EU Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons reporting breaches of Union law (boe.es/doue/2019/305/L00017-00056.pdf).

Draft law regulating the protection of persons who report regulatory infringements and combating corruption, dated 23 September 2022.
