A change in Spanish legislation means organisations are now permitted to receive anonymous reports about legal or regulatory breaches from employees and contracted third parties.
The Organic Law on Data Protection and Guarantee of Digital Rights (3/2018) took effect in Spain on 7th December 2018. This legislation incorporates the GDPR principles alongside other amendments to existing legislation.
Summary of provisions
Although Spain’s updated legislation does not make whistleblowing mechanisms mandatory (which the EU recommends in its proposed whistleblower protection directive), it does provide greater clarity on issues relating to organisational whistleblowing.
Under the new law, an organisation’s internal “complaints” procedures can accept anonymous reports from employees or contracted third parties about behaviours contrary to the regulations and laws applicable to the organisation (Art 24(1)).
Employees and third parties must be made aware of the existence of the complaints system.
Access to personal data within the systems will be limited to those who carry out internal compliance and control functions. Access beyond these groups should be permitted only when disciplinary measures or judicial proceedings are being implemented against the worker.
Data must only be retained for as long as necessary for the investigation. In any case, after three months data should only be retained if required as evidence of the commission of a crime. If it does not constitute evidence of a crime, the information in the report should not be kept within the system.
Aside from the change in stance on anonymous reporting, organisations affected by these changes should take note of the revised data access provisions. Ensuring that only the permitted internal functions have access to personal data should be addressed at the earliest opportunity.
As ever, we recommend comprehensive legal advice is sought prior to implementing changes to your whistleblowing policy or procedures.