Do people who report an infringement within the scope of Law 2/2023, through the internal channel of a non-obligated entity, enjoy protection against this entity?

Yes. The subjective rights recognized to the reporting person, both in the Directive and in Law 2/2023, do not depend on whether or not this channel is part of an Internal Information System, or whether he reported directly or through an external channel. Therefore, in this case, the reporting person is also protected, and any type of retaliation, direct or indirect, arising from the alert is prohibited.

As for the protection measures for these people, there are certain minimums that should be met within the framework of any channel and which, on the other hand, do not derive solely from the new regulations, but were already largely part required from the regulations in force at the time of entry into force of Law 2/2023, of February 20. These minimums are:

  • The measures and guarantees associated with the protection of personal data; also the guarantee of the confidentiality of the identity of the person reporting and of the person affected by the communication, as well as the actions that take place in the management and processing of the communication in the terms required by the Law, and that there is no unauthorized personnel who can access.
  • Guarantee that communications can be effectively handled within the organization
  • Guarantee that the internal channels allow the possibility of submitting, and subsequently processing, communications anonymously

Likewise, it is necessary to offer an absolute guarantee of the protection of whistleblowers within the entity, and that the people who use the channel have clear and sufficient information about the characteristics of the channel and whether or not it is a channel adapted to requirements of the Directive and the transposition rule, since this can determine the assessment made by the potential whistleblower. It is also necessary to ensure that they have information about the external channels to which they can address the alert.