More than 80% of Catalan companies fail to comply with Law 2/2023
Last Wednesday, 13 March, marked one (1) year since the Anti-Fraud Office of Catalonia (hereinafter the Anti-Fraud Office or OAC, its Catalan acronym) assumed responsibility for the protection of whistleblowers under Law 2/2023 of 20 February on the protection of persons who report breaches of the law and the fight against corruption (hereinafter Law 2/2023 or the Law), becoming the first Independent Whistleblower Protection Authority of an autonomous community in Spain.
As an Independent Authority, the OAC assumed, among other functions, the management of the external whistleblowing channel, the adoption of measures for the protection of whistleblowers, the keeping of the Register of those responsible for the Whistleblowing Channel and the exercise of the power to impose sanctions.
On the occasion of its first anniversary, the OAC has shared a summary of the data regarding its functions, which are detailed below:
· Since it was granted these powers, the OAC has received 420 complaints, of which 153 have been referred to the competent bodies. In addition, it is noteworthy that during the first two (2) months of 2024, 202 complaints were received, representing an increase of 60% compared to the same period in 2023, when 126 complaints were received.
· The OAC has also experienced a considerable increase in requests for protection of whistleblowers, with a total of 35 requests received since March 2023: 29 requests in 2023 and 6 more by February 2024. These protection measures have been requested mainly by persons with a direct link to the reported facts.
· On the other hand, in relation to the OAC’s competences regarding the Register of those responsible for the Whistleblowing Channel, only a total of 1,514 registrations had been received up to December 2023, from both public and private entities. This contrasts with data from the Statistical Institute of Catalonia, which reports that the number of companies with more than 50 employees, and therefore subject to Law 2/2023, reached a total of 8,337 as of 1 January 2023.
· It is important to remember that Article 8.3 of Law 2/2023 establishes the obligation to notify the Independent Whistleblower Protection Authority, in this case, the OAC, of the appointment of those in charge of the Whistleblower Channel within the following ten (10) working days. Therefore, assuming that companies with more than 50 employees are obliged by Law 2/2023, the data suggest that approximately 82% of Catalan companies do not comply with this obligation.
In sum, the data published by the Anti-Fraud Office reveal a tendency among the entities subject to Law 2/2023 to overlook the obligation to notify the Independent Authority of the appointment of the person in charge of their Whistleblowing Channel, or to fail to meet the requirements for a Whistleblowing Channel that complies with Law 2/2023. While it is true that attention is usually focused on the main obligation established by the Law, namely the implementation of whistleblowing channels, the set of additional responsibilities imposed by this regulation cannot be ignored. To facilitate registration in the Register of those responsible for the Whistleblowing Channel, the Anti-Fraud Office has set up a consultation service that has handled more than 300 requests, and additional information is provided on its website, including frequently asked questions that clarify the most common doubts.
Finally, it should be noted that the Compliance Department of Molins Defensa Penal offers comprehensive advice on the design and external management of the Whistleblowing Channel in compliance with all applicable obligations, and that its Internal Investigations Department can intervene in the operation of the channel to ensure the correct investigation and resolution of any situations that may arise.
Molins Defensa Penal, Department of Compliance. compliance@molins.eu
The challenge of corporate sustainability reporting for organizations in relation to the new report “Supporting ESG reporting standards”
In January 2024, the Spanish Association for Standardization (hereinafter, UNE) issued a report entitled “Supporting ESG reporting standards”, with the aim of encouraging the application of specific standards by Spanish organizations in their sustainability reporting.
The purpose of this note is to provide a comprehensive approach to corporate reporting, focusing especially on the benefits inherent to this process and the main aspects regulated in the various reporting areas.
In accordance with the guidelines established by UNE, expressed in the aforementioned report, the aim is to promote the use of UNE, EN, ISO and IEC standards (hereinafter, the standards) by organizations in Spain. The main objective of this initiative is to ensure compliance with the provisions established in the Corporate Sustainability Reporting Directive (EU) 2022/2464 (hereinafter, CSRD).
The CSRD establishes sustainability reporting obligations covering three (3) dimensions: environmental, social and governance (hereinafter, ESG). The main purpose of these obligations is to deliver on the European Green Deal, an initiative launched by the European Commission in 2019 with the aim of promoting a sustainable European market.
The current reporting context is based on the provisions of the European Sustainability Reporting Standards, which intensify the requirements of the European regulatory framework in conjunction with other European Union regulations.
Although it is clear that Spanish organizations will have to devote significant resources and efforts to align their operations with the established standards and comply with the corresponding minimum criteria, compliance with legislative obligations contributes to the generation of competitiveness for the following reasons:
- It facilitates the efficient use and optimization of the resources, efforts and procedures that entities devote to compliance with current regulations.
- It provides a wide range of standards in the field of sustainability that stand as a reliable, solid and recognized source, both qualitatively and quantitatively.
- Standardization is based on consensus and transparency, thus ensuring effectiveness in the implementation of regulations, not only at European level, but also at state, regional and local levels, highlighting its relevance in the field of public procurement.
- It constitutes a facilitating tool in the process of verification of sustainability information, simplifying the work of auditors and verifiers, while providing investors and stakeholders with a comprehensive view of their financial, social and environmental performance, as well as risk management and regulatory compliance.
With regard to the standards that regulate the areas defined by the ESG criteria, those that address the following matters stand out:
- In the environmental area, standards that quantify greenhouse gas emissions and promote the circular economy, facilitating their measurement within the organization, gain relevance. These matters are covered by UNE-EN ISO 14064-1 on greenhouse gas inventories and ISO 59020 on measuring and assessing circularity, respectively.
- As for the social dimension, there are standards aimed at ensuring a stable working environment, such as UNE 19604 on social and labour compliance management systems, as well as standards that guarantee inclusion, such as ISO 30410 on diversity and inclusion, which provides support in this area.
- Standards related to good governance provide organizations with specific tools for managing regulatory compliance in areas relevant to criminal law, through UNE 19601 on criminal compliance management systems, and to taxation, through UNE 19602 on tax compliance management systems. In addition, these standards facilitate effective risk management in accordance with UNE-ISO 31000 on risk management, among other relevant standards.
After this analysis, it is worth mentioning the relevance of Compliance in the process of standardization and reporting on corporate sustainability. Compliance, as a facilitating tool for responsible business management, stands as a guarantor of transparency, as well as risk management and mitigation, anticipating future challenges in the field of sustainability.
In this sense, the effective integration of regulatory obligations in the area of sustainability and Compliance ensures that the company complies with applicable legal and ethical standards.
In conclusion, the use of standards by Spanish organizations and regulatory compliance are intertwined in the pursuit of sustainable and ethical business management. Effective implementation of both practices not only contributes to the long-term success of the organization, but also fosters the confidence of investors, customers and other stakeholders in the entity.
Molins Defensa Penal, Department of Compliance.
Is there a succession of administrative liability in M&A? Brief commentary on Judgement 179/2023 of 11 December 2023 of the Second Chamber of the Constitutional Court
The Constitutional Court (hereinafter, CC) has dismissed the appeal filed by Banco Santander against the resolutions of the Council of Ministers which, in 2019, imposed a sanction of €1,056,000 on it as the successor to Banco Popular.
The sanction arose following an inspection in 2017 by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (hereinafter, SEPBLAC) of Banco Popular, S.A., an entity that was subsequently absorbed by Banco Santander, S.A.
As a result of this inspection, on 8 May 2018, a sanction proceeding was opened against Banco Popular, S.A., which resulted in the imposition of a fine of 1,056,000 euros for the commission of a very serious infringement of Art. 51.1. a) of Law 10/2010 on the prevention of money laundering and terrorist financing (hereinafter, LPBC-FT) on its successor Banco Santander, S.A. The offending conduct was the failure to report to SEPBLAC certain transactions that the bank’s employees identified as suspicious of money laundering.
According to the company, the sanctioning agreement violated the right to the legality of sanctions under Art. 25.1 of the Spanish Constitution (hereinafter, SC), in terms of the principle of culpability (no imposition of sanctions without considering the conduct of the sanctioned) and the personality of the penalty (being liable for one’s own actions and not for those of others).
In broad terms, it argues that:
- There are no links or continuity between the offending entity and the sanctioned entity, as there was a complete break between Banco Popular, S.A., and Banco Santander, S.A.;
- It was the only entity that submitted a bid in the “resolution” of Banco Popular, S.A., a procedure that avoided a public intervention that would have been very costly;
- After the takeover of Banco Popular, S.A., the procedures and persons responsible for the prevention of money laundering changed completely, passing without blemish the inspection carried out by SEPBLAC;
- The sanctioned entity has not obtained any advantage from the infringing conduct, which is unrelated to the banking business.
In the sentence, the Constitutional Court states that:
- The contested sanctioning decision is based on a consolidated jurisprudential criterion, both of the Supreme Court and of the Court of Justice of the European Union, according to which, in cases of merger by takeover, liability for administrative infringements is transferred provided that there is “substantial economic identity”. In other words, liability is transferred when the economic activity in the context of which the infringing conduct was committed continues in the new legal entity, in this case Banco Santander, S.A., which acquired 100% of the shares of Banco Popular, S.A. and subsequently absorbed the entity as universal successor. Furthermore, to admit that a formal change of legal holder in the exercise of an activity entails the extinction of all liability for infringement would be tantamount to allowing the liabilities incurred by continuing the same activity under a “substantial economic identity” to be avoided (doctrine of the prevalence of substance over form or “lifting of the veil”).
- Although there is no express rule in administrative sanctioning law that includes this principle, as there is in the criminal sphere (Art. 130.2 Criminal Code), it is present in various rules. For our purposes, Art. 55.1 LPBC-FT establishes that “administrative liability for infringement of this law will be enforceable even if the obliged party has ceased its activity or its administrative authorisation to operate has been revoked”.
It should be noted that, in the criminal sphere, Art. 130.2 of the Criminal Code expressly provides that the disappearance of a legal person does not entail the extinction of criminal liability. Therefore, in the case of transformation, merger, absorption or spin-off of a legal person, there is no doubt that criminal liability is transferred to the entity or entities into which it is transformed, merged or absorbed and is extended to the entity or entities resulting from the spin-off. However, the law itself provides that the judge or court may moderate the transfer of the penalty to the legal person, so that in M&A operations the adoption of an appropriate and effective Compliance methodology is particularly relevant.
- Through the en bloc transfer of the business, all the relations of Banco Popular, S.A. passed to the universal successor, including the operations in the management of which the sanctioned conduct was committed and the money laundering prevention obligations inherent to them. Therefore, there is a “substantial economic identity” between the business assets of the defunct Banco Popular, S.A. and those of Banco Santander, S.A., which justifies the succession in liability for the infringement.
- In the contested judgment, the change of conduct following the succession has modulated the liability transferred, although not to the point of eliminating the sanction entirely, since the “substantial economic identity” between the absorbed bank and the absorbing bank is not broken.
- Profit is not an element of the offence applied, which consists of failing to report to SEPBLAC certain transactions identified by the bank’s employees as suspicious of money laundering. The profit obtained as a result of the offence can only be used as a criterion for graduating the sanction [Art. 59.1 b) LPBC-FT]; it is not a requirement for the offence to be committed or for liability to pass to the successor.
In short, the CC concludes that the criterion applied by the Council of Ministers to impose the sanction on Banco Santander, S.A., as successor to Banco Popular, S.A., has not infringed the principles of culpability and personality derived from Art. 25.1 SC, and therefore dismisses the appeal for amparo.
At this point, it is important to emphasize that the implementation of an effective Compliance System, carried out in a preventive manner and not reactive to the commission of the infringement, is the only mechanism that would allow for an exemption from liability. Not only could the commission of the offence be avoided through the implementation of a Compliance System ex ante, but even if the offence has been committed, a sufficiently diligent effort could be accredited to avoid being liable.
Compliance Department of Molins Defensa Penal.
Regarding the delicate balance between Equality and Compliance policies in relation to Protocols against Mobbing and Sexual Harassment
Mobbing and Sexual Harassment offences, as defined in articles 173.1 and 184 of the Spanish Criminal Code, respectively, are cross-cutting risks that can be observed in any environment where people interact and, therefore, in any company, foundation, association, among others, regardless of their activity.
The purpose of this note is to carry out a modest analysis concerning the impact that the interaction between all regulations that shape the legal framework applicable to this subject has on business organizations and, in particular, on the balance between Equality and Compliance functions in relation to the Protocols against mobbing and sexual harassment.
Firstly, in accordance with article 31 bis of the Spanish Criminal Code, the above defined criminal offenses are included among the types of conducts that may entail corporate criminal liability. This relatively recent possibility was introduced by means of the Spanish Organic Law 10/2022, of September 6, on the Integral Protection of Sexual Freedom (hereinafter, Organic Law 10/2022).
Although, clearly, the corporate criminal liability arising from these offenses cannot be attributed automatically nor objectively, the situations in which entities with a regular economic activity could be held criminally liable for these conducts are not at all far-fetched.
By way of illustration, an entity could be criminally liable for the offence of mobbing or sexual harassment if it became aware of the existence, within it, of behaviours possibly involving those types of harassment and nevertheless decided to take no action. Such a decision may be based on an interest in protecting the individual or individuals who engaged in such conduct; on mere indifference; or on the benefit that the resignation of the person suffering the harassment would bring to the company, in other words, saving the expenses associated with his or her dismissal.
As for the applicable legal framework, in accordance with article 12 of Organic Law 10/2022, companies must promote workplace conditions that prevent the perpetration of sexual offences and other forms of misconduct against sexual freedom and moral integrity at work, focusing especially on sexual harassment and gender-based harassment.
Likewise, business organizations must establish specific measures to prevent such conducts and to deal with any complaints or claims that may be brought by those who have been victims of such crimes, including those suffered within the digital sphere.
The above policies tend to be regulated within the framework of Protocols meant to address mobbing or sexual harassment incidents, since these documents fall somewhere between being considered as part of Gender Equality Plans and Compliance Management Systems.
Although this matter may lead to tensions between both areas, their collaboration is imperative in order to ensure the protection of informants, efficient management and resolution of potential mobbing and sexual harassment incidents, as well as compliance with the various applicable standards and regulations.
In this regard, the fact that equality standards are not the only ones affecting this matter must be kept in mind. As it will be further developed below, the Spanish Law 2/2023 of February 20th, regarding the protection of individuals reporting legal and regulatory violations and the fight against corruption (hereinafter, Law 2/2023), lays down a series of requirements that companies must take into consideration, in particular, when defining communication channels concerning possible situations of mobbing or sexual harassment in their Protocols.
Thus, the implementation of Law 2/2023 has led to the imposition of different legal obligations applicable to companies with more than fifty (50) employees (art. 10 Law 2/2023), among other entities, in relation to their internal ethics or whistleblowing channels.
The purpose of these obligations is none other than to ensure the protection of those who report particular irregularities. Specifically, and among others, the communication of actions or omissions that may constitute serious or very serious criminal or administrative offenses (article 2.1.b) Law 2/2023) is covered by Law 2/2023.
Since, as introduced above, both mobbing harassment and sexual harassment conducts may constitute criminal offenses, communications issued via internal channels concerning these behaviours should undeniably be deemed to fall under the scope of protection of Law 2/2023.
Protection under Law 2/2023 has, among others, the following effects in relation to internal communications regarding possible situations of mobbing or sexual harassment:
- First, specific obligations will exist in relation to the initial handling (prior to any investigation) of any communications received: among others, confidentiality, data protection, acknowledgement of receipt with a required minimum content within seven (7) calendar days, and a documentary record subject to a series of formalities.
Given that these guarantees must be present in all channels that enable communications regarding infringements that fall within the objective scope of Law 2/2023, it is advisable to have a single communication channel for this purpose. That is, a single Ethics Channel that allows the communication of any breach of standards, regardless of the subject matter.
All of the above is without prejudice to the fact that this issue may affect only the communication phase, with the subsequent processing and investigation of the communications being conducted by specialized bodies, such as the Equality Commissions in the case of mobbing and sexual harassment.
- On the other hand, it is mandatory to allow the submission of anonymous communications (art. 7 Law 2/2023), an issue that has traditionally been controversial in relation to the Protocols against mobbing and sexual harassment.
In this sense, including in internal regulations the obligation of identifying those reporting possible cases of mobbing or sexual harassment must be considered as a direct contravention of the guarantees established in Law 2/2023 (an issue that may be subject to punishment, as will be explained in the paragraphs below).
This, regardless of the fact that, in the event of having insufficient information to process an anonymous communication, such communication may be archived due to the impossibility of its proper handling.
Furthermore, it should be noted that, strictly speaking, the inclusion of the complainant’s identification is not a condition required to process any communication concerning mobbing or sexual harassment.
For instance, among others, when reporting a situation of harassment in which the informant is not involved, or when reporting a situation of environmental harassment (i.e., conducts that create a degrading or intimidating environment, in general), the identity of the complainant is not, at all, a key element for its correct processing and resolution.
Finally, it should be noted that non-compliance with Law 2/2023 is subject to significant economic sanctions. In particular, limiting the right to submit anonymous communications can be classified as a serious or very serious infringement, which carry the following sanctions:
- Serious infringements are subject to a fine of up to thirty thousand euros (€30,000) for individuals and up to six hundred thousand euros (€600,000) for legal entities.
- Very serious infringements are subject to a fine of up to three hundred thousand euros (€300,000) for individuals and up to one million euros (€1,000,000) for legal entities.
In conclusion, the various regulatory obligations described in this note imply that companies, foundations, associations and other types of entities must find a balance in the development of their Protocols, specifically when dealing with situations of mobbing and sexual harassment.
Although the intervention of specialized members with a profound sensitivity and vast experience in these matters is undoubtedly positive, such intervention must be coordinated alongside the Compliance Department, which is usually responsible for the Ethics Channel, in accordance with the standards established in Law 2/2023. All the above, in order to ensure a thorough protection of the informants, as well as compliance with all the applicable legislation.
Finally, it is worth mentioning that Molins Defensa Penal, through its Compliance Department, can advise on the drafting or revision of Protocols for dealing with cases of mobbing and sexual harassment that comply with the applicable standards, and, through its Internal Investigations Department, can advise on or assist in their implementation, in order to ensure the appropriate response to and investigation of such cases in compliance with the complex regulatory framework that applies.
Guillem Gómez Casalta
Lawyer and Coordinator of the Compliance Department of Molins Defensa Penal.
The new Foreign Extortion Prevention Act
Last December, the United States Congress passed the new Foreign Extortion Prevention Act (hereinafter, FEPA).
Complementing the Foreign Corrupt Practices Act (hereinafter, FCPA), the FEPA establishes, for the first time, criminal liability for foreign officials who solicit or accept bribes from persons or entities covered by the FCPA.
As is the case with the FCPA, the FEPA is not limited in scope to the territory of the United States. The FEPA extends to the solicitation or acceptance of bribes by foreign officials when they have a nexus to the United States.
These regulations should be taken into consideration in the design, implementation and review of Compliance Systems of public sector entities (or entities related to the public sector) that have a relationship with U.S. entities, carry out activities that may be of national interest to the United States, among other issues.
The full content of the Foreign Extortion Prevention Act can be accessed through the following link: https://www.congress.gov/bill/118th-congress/senate-bill/2347/text
Compliance Department of Molins Defensa Penal.
The deadline for adapting the use of cookies has expired
The deadline for implementing the necessary changes for the use of cookies, according to the criteria set out in the Guide on the Use of Cookies, has expired, after a transitional period of six months.
On 11 July 2023, the Spanish Data Protection Agency (AEPD) published a new version of its Guide on the Use of Cookies, with the aim of adapting it to the Guidelines 03/2022 of the European Data Protection Board (EDPB) on deceptive design patterns.
These Guidelines 03/2022 set out the best practice recommendations for both website, software or platform owners and users on how to detect and avoid such deceptive patterns that breach the requirements of the General Data Protection Regulation (GDPR).
As stated in these Guidelines 03/2022 “deceptive design patterns aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices. Data protection authorities are responsible for sanctioning the use of deceptive design patterns if these breach the GDPR requirements”.
For this reason, the AEPD has incorporated the EDPB’s recommendations into the latest version of its Guide, which includes the following new criteria, among others:
- The actions to accept or reject cookies must be presented in a prominent place and format, both actions must be at the same level, and it must not be more complicated to reject than to accept them. Therefore, banners with only the “ACCEPT” and “CONFIGURE COOKIES” options are no longer valid, and the “REJECT ALL COOKIES” button should be clearly visible and accessible, not hidden or difficult to use.
- The cookie policy must be clear and transparent about the use of cookies on the website, software or platform. The information contained in the policy should be clear and concise, using simple language that users can understand.
- As regards personalisation cookies, if the user decides to use them, it is not necessary to ask for their consent, provided that the data are not used for other purposes (for example, if the user chooses the language of the website by clicking on the appropriate option).
Consent must be obtained for the use of cookies for other purposes, such as personalising advertising content or profiling users.
These new criteria, which ensure greater transparency in the obligations of the website, software or platform owner using cookies, represent a further step forward in the field of personal data protection and privacy. Therefore, the door is now open to the application of sanctions and fines for non-compliance with the deadline set by the AEPD for compliance with these criteria.
Author: Melanie Díaz
Molins Defensa Penal, Department of Compliance.
Current developments in Compliance: the publication of the UNE 19603 on Compliance Management Systems regarding free competition
Recently, the Spanish Association for Standardisation (UNE) has published the standard UNE 19603, Compliance Management Systems in matters of free competition (hereinafter, UNE 19603).
This standard provides the necessary guidelines to establish, develop, implement, evaluate, maintain and continuously improve a Compliance Management System in this area (or its inclusion in a Compliance Management System with a broader perspective), establishing the requirements that these systems must meet in order to be certified by an independent authority.
This standard, like any technical standard issued by the UNE, establishes issues regarding the determination and documentation of the context of the organisation; leadership, roles and responsibilities; planning of actions and objectives; resources to be allocated, due diligence processes, training and other generalities; operational guidelines; monitoring, measuring and auditing; and, finally, among others, actions to be taken for the continuous and reactive improvement of the Compliance Management System in the area of free competition.
Thus, the different blocks of anti-competitive conduct that can be observed in an organisation, which seek to be prevented by means of the different elements that make up a Compliance Management System that includes free competition issues, are as follows:
- Collusive behaviour.
- Abuse of dominant position.
- Distortion of competition by unfair practices.
- Economic concentrations of non-communicated or non-authorised organisations.
- State aid which exceeds regulatory limits and/or may restrict free competition.
It should be noted that participation in the above conducts is subject to significant penalties of different nature:
- Financial penalties of an administrative nature that can reach multi-million euro amounts (among many others, cases such as that of the automotive cartel, sanctioned with 171 million euros in 2015);
- The prohibition on contracting with the public sector.
- Criminal convictions in particularly serious cases (through the offences of price-fixing and market manipulation, regulated in Article 284 of the Spanish Criminal Code, among others).
For all of the above reasons, the UNE 19603 standard is a useful tool for managing the competition risks to which all types of entities may be exposed, but especially those which, due to their size or the sector in which they operate, among other factors, have a greater capacity to affect free competition.
Finally, it should be noted that the services offered by the Compliance Department of Molins Defensa Penal include the design, development and implementation of Compliance Systems in matters of Competition Law, whether these systems are independent or integrated into a broader regulatory compliance system.
Molins Defensa Penal, Department of Compliance.
ComplianceKeys – Monograph (Spanish/Catalan/English)
The Compliance Department of Molins Defensa Penal has prepared this monograph of all the ComplianceKeys published on our website and social networks to date. As you can see, this series of ComplianceKeys deals with basic issues of interest in the field of Compliance that we hope will be useful.
Download PDF – ComplianceKeys Monograph (Spanish version)
The Compliance Department of Molins Defensa Penal has prepared this monograph of all the ComplianceKeys published on our website and social networks to date. As you can see, this series of ComplianceKeys deals with basic issues of interest in the field of Compliance that we hope will be useful.
Download PDF – ComplianceKeys Monograph (Catalan version)
The Compliance Department of Molins Criminal Defence has prepared this monograph of all the ComplianceKeys published on our website and social networks to date. As you can see, this series of ComplianceKeys deals with basic issues of interest in the field of Compliance that we hope will be useful.
Download PDF – ComplianceKeys Monograph
The shared Legal & Compliance function in Spain and the United States: can it be entrusted to the same person or department?
Despite the long history of criminal liability of legal entities, both in the United States and, to a lesser extent, in Spain, and the development of various self-regulatory rules and standards on ethical and regulatory Compliance, there is today no express statutory provision that settles whether the legal and Compliance functions may, or should, be combined in the same person or department.
With this in mind, we have reviewed the positions taken by legislation, public authorities, academic doctrine and the main international standards and frameworks, in both the United States and Spain, in order to reach a conclusion that sheds more light on the correct configuration of the Compliance function.
First, it is worth setting out in general terms the main problems associated with combining the legal and Compliance functions, problems that may hinder the objectives every Compliance System should pursue (prevention, detection and effective reaction to regulatory breaches). They include the following:
- Potential conflicts of interest;
- Collision in the performance of their duties ("what can be done" versus "what must be done, even if the alternative can lawfully be done");
- Loss of attorney-client privilege (advice given in a Compliance capacity may not enjoy the protection that legal advice does).
Generally speaking, both the authorities and academic doctrine in the United States and Spain recommend that the two functions be separated as far as possible.
In Spain, article 31 bis 2.2º of the Criminal Code requires, in order for the legal entity to be exempt from criminal liability, that supervision of the operation of and compliance with the Compliance System be entrusted to a body of the legal entity with autonomous powers of initiative and control. The Attorney General's Office takes the same view: Circular 1/2016 on the criminal liability of legal entities following the reform of the Criminal Code by Organic Law 1/2015 of 30 March states that, to ensure the highest degree of autonomy and avoid any conflict of interest, there must be an operational separation between the governing body and those who perform the Compliance function.
Thus, although no Spanish provision expressly prohibits the Compliance and legal functions from being carried out by the same person or department, combining them is not advisable if the Compliance System is to be assessed as effective.
In the United States, likewise, there is no express statutory rule on this question. However, most resolutions and recommendations of judicial and other public authorities, such as the Office of Inspector General (OIG), have clearly come down in favour of separating the two roles. Chapter 8 of the 2023 U.S. Sentencing Guidelines states that responsibility for the Compliance programme should be assigned to individuals within high-level personnel who have adequate resources, appropriate authority and direct access to the governing body.
In addition, within the framework of a Settlement Agreement and Release issued by the OIG, companies are commonly required, as in the corporate integrity agreement reached with PFIZER INC. in 2009, to designate a Compliance Officer who meets certain requirements, including that he or she must not be the General Counsel or the Chief Financial Officer, nor be subordinate to either of them.
It therefore seems clear that the Compliance function and the legal function are complementary but not equivalent, and that there are clear benefits for both in keeping them separate as far as possible. In addition, to ensure proper collaboration between the two roles, it is recommended to:
- include the legal function in the Compliance function's reports to the governing body, provided that the reports do not concern the legal function itself; and
- notify the legal function of any issues that may give rise to liability of any kind for the legal entity, while guaranteeing the autonomy of the Compliance function at all times.
If an absolute functional separation between the legal and Compliance functions cannot be achieved, it is necessary to:
- establish a direct vertical reporting line from the Compliance function to the governing body on Compliance matters;
- ensure that the Compliance function has its own resources, independent of the legal function; and
- engage external advisers for certain matters that may involve a conflict of interest (e.g. management of the ethics or whistleblowing channel).
Authors: Guillem Gómez & Annia Alventosa.
Department of Compliance of Molins Defensa Penal.
Compliance and data protection: integration and governance
Properly managing the protection of personal data within an organization is of vital importance today. We constantly see the administrative sanctions and reputational damage to which organizations are exposed when they fail to comply with the regulations in this area and/or have not adapted their activities to the minimum standards those regulations set.
Integrating into our Compliance System the provisions of Regulation (EU) 2016/679 of 27 April 2016 (GDPR), Organic Law 3/2018 on Personal Data Protection and the guarantee of digital rights, the guidelines of the Spanish Data Protection Agency and the guidelines issued by the European Data Protection Board therefore means adopting a proactive stance towards what those regulations provide for and call Privacy by design and Privacy by default.
Taking the Compliance System as the starting point, and building data protection regulation into it from the design stage or incorporating it into an already developed system, allows us to integrate the obligations, requirements and recommendations that the regulation, guidelines and directives in this area impose on us, with the ultimate purpose of strengthening our ethical and compliance culture and extending it to areas where we may also face compliance risks that had not been foreseen.
Returning to the concepts of Privacy by design and Privacy by default: whenever we plan to carry out a new activity in the organization, one of the first questions we should ask is whether that activity will involve processing personal data, so that the minimum requirements and recommendations are taken into account and the necessary technical and organizational measures are adapted and implemented, avoiding compliance and reputational risks from the outset, at the design stage of the activity.
Applying Privacy by default to an activity in which we plan to process personal data, in turn, leads us to apply from the beginning the principles of data minimization and purpose limitation, thereby ensuring that compliance in this area can be guaranteed.
In this sense, it is not enough to have a privacy Policy, a cookies Policy, a record of processing activities and various other policies that we often do not know we have or how they can help us manage the business; it is necessary to conduct an internal review of the activities we perform, to establish in which of them we actually process personal data, on what basis and with what security measures. From that assessment we can determine what needs to be adapted, adjusted and/or updated to achieve effective compliance and guarantee that we are applying the technical and organizational measures required by the regulation.
By including data protection regulations within our Compliance System, we can assess the risks to which the organization may be exposed using the same governance model applied to the other regulations that affect us, and develop proactive, preventive and reactive responses through policies, protocols and procedures that serve as a guide and reference for developing the ethical and compliance culture that the members of the organization must also observe with respect to privacy and personal data protection.
The constant evolution of the activities an organization may carry out, together with the use of personal data and the processing operations performed on them, has made personal data protection regulation applicable across the whole organization. It is therefore tied to the compliance function and is, as noted above, one more regulation, as relevant as the others, to be taken into account within our Compliance System.
The regulatory evolution in personal data protection witnessed in recent years thus stems from the need for a regulation that withstands technological change and safeguards the rights and freedoms of individuals in relation to the personal data processing carried out in the new digital society that the development of technology has brought about.
It is therefore necessary to know how we are managing our personal data processing activities, in terms of the technical and organizational measures we have implemented, to verify that our use of technology is consistent with what the regulation provides and, in particular, to be able to demonstrate that the measures adopted at any given time remain robust enough to ensure at least the confidentiality, integrity and availability of the personal data we process.
We cannot lose sight of the fact that, for the vast majority of organizations, personal data is an essential asset, and being able to guarantee that it is used securely and correctly strengthens their reputation and the trust of the public and their business partners.
In short, the tasks to be carried out to ensure compliance with data protection, and to involve the entire organization so that this ethical and compliance culture is internalized, include the following, without being exhaustive:
- Defining governance and appointing a Data Protection Officer (where the regulation requires it, and/or on a voluntary basis).
- Risk assessment of personal data processing activities.
- Inventory of processing operations and analysis of their lawful basis.
- Risk analyses and data protection impact assessments.
- Record of processing activities.
- Privacy Policy and corporate privacy Policy.
- Review of information clauses and data processor contracts.
- Procedures for the exercise of data subject rights, security breaches, data retention, etc.
- Management of the relevant security measures, involving all members of the organization.
- Training and awareness of the members of the organization.
- Follow-up and continuous monitoring.
Compliance Department of Molins Defensa Penal.