General context, key principles and hot topics
1 Identify the highest-profile corporate investigation under way in your country, describing and commenting on its most noteworthy aspects.
Corporate criminal liability was introduced in Spain in December 2010. Since then, there has been a small number of highly significant cases (chief among them being the Bankia case, a securities fraud judged in 2019). The highest-profile corporate investigation currently under way started as a result of the criminal proceedings in the Villarejo case. José Manuel Villarejo, who has been in custody since late 2017, is a former policeman who allegedly provided intelligence that violated privacy laws or used confidential police information about private clients, including some highly important corporations. The Villarejo case comprises various judicial proceedings, each focused on the services rendered by Mr Villarejo to one particular client. One single investigating court at the National Court is handling the entire investigation. The different proceedings have evolved separately in each case (in some, the investigating court has dismissed the proceedings while others are still under investigation or even at trial stage).
The case, which is reported widely by Spanish media, has brought the concept and technique of internal investigations to the attention of prosecutors, regulators and even the public.
2 Outline the legal framework for corporate liability in your country.
An amendment to the Spanish Penal Code that introduced corporate criminal liability in Spain entered into force on 23 December 2010. This part of the Penal Code was amended again in 2015 to include the regulation of effective compliance programmes as a corporate criminal defence.
The corporate criminal liability system in Spain follows neither the vicarious liability model (respondeat superior) nor the identification doctrine. The Supreme Court has established that the principle of culpability requires that corporate criminal liability is based on the corporation’s own action (Supreme Court Decision (STS) 154/2016). The conduct inherent to the corporation is not the action of its officers or employees, but instead the existence of a flawed organisation (owing to the lack of an adequate preventive system and compliance corporate culture) that made the crime possible. This is the conduct that gives rise to the corporation’s liability and, as such, has to be proven by prosecutors.
Corporate criminal liability does not exclude individual liability; on the contrary, corporate liability requires the commission of a crime by the corporation’s directors, legal representatives or employees when acting within the scope of the company’s activity, on its behalf, and for its direct or indirect benefit. Notwithstanding this, corporations can be held criminally liable, in certain cases, in the absence of an individual’s criminal conviction.
The offences for which a legal entity can be held criminally liable are limited to a closed list that includes most criminal offences that are relevant for companies (e.g., corruption, fraud, tax evasion, illegal financing of political parties, illegal trade activities and money laundering).
Aside from criminal liability, corporations can also be subject to penalties for the infringement of administrative regulations applicable to their business activity (e.g., tax legislation, anti-money laundering (AML), countering the financing of terrorism or the stock market). In administrative liability cases, having an effective compliance programme is not an affirmative defence to avoid liability.
3 Which law enforcement authorities regulate corporations? How is jurisdiction between the authorities allocated? Do the authorities have policies or protocols relating to the prosecution of corporations?
The authority to investigate and punish criminal offences is allocated to the regional criminal courts according to the territory where the offence was committed. The National Court has territorial jurisdiction over all of Spain and is entrusted with the investigation and conviction of the most serious cases.
Public prosecutors are in charge of prosecuting criminal wrongdoing and lead the criminal investigation in all the cases that have special relevance, with the aid of specialist bodies within the National Police (e.g., the anti-fraud unit), the Civil Guard (e.g., the Central Operating Unit) and the Tax Agency (e.g., the Customs Surveillance Service). Public prosecutors can also conduct preliminary investigations. Within the Public Prosecutor’s Office, specialist divisions are entrusted with the prosecution of specific offences. Chief among them is the Anti-Corruption Public Prosecutor’s Office.
The National Public Prosecutor’s Office has issued two memoranda on the prosecution of legal entities – Circular 1/2011 and Circular 1/2016 – following the 2010 and 2015 amendments to the Penal Code. These protocols provide an authorised interpretation of the law and give instructions to prosecutors as to its application.
The investigation, prosecution and sanctioning powers in connection with an infringement that is not criminal but regulatory are conferred on distinct administrative authorities, such as the Securities Market National Commission (the stock market regulator), the Bank of Spain, the National Commission for Markets and Competition and the Tax Agency, depending on the nature of the infringed legislation.
There is no evidence of specific authorities refraining from pursuing cases in relation to matters subject to investigation that have been conducted by other authorities.
4 What grounds must the authorities have to initiate an investigation? Is a certain threshold of suspicion necessary to trigger an investigation?
Criminal complaints can be filed in a criminal court, with the Public Prosecutor’s Office or the police. In all cases, the threshold to process a complaint and initiate judicial proceedings is particularly low.
Two peculiarities of the Spanish criminal system increase the prevalence of criminal proceedings: (1) any natural or legal person can file a criminal complaint (even if not the victim of the alleged crime) and become a party to the criminal proceedings; and (2) a civil claim for damages caused by the alleged crime can be filed and adjudicated within the criminal proceedings. Consequently, criminal courts are often used as a channel for litigation between private parties.
5 How can the lawfulness or scope of a notice or subpoena from an authority be challenged in your country?
In general, orders and subpoenas issued by a criminal court can be challenged before the same court and a higher court. The grounds for the challenge can vary depending on the case (e.g., a judicial order can be challenged for being over-expansive).
Spanish law does not establish mechanisms to appeal requests issued by public prosecutors when they conduct preliminary investigations.
Decisions issued by prosecutors within a European Investigation Order (Directive 2014/41/EU) cannot be challenged (Article 13.4 of Law 23/2014, which transposes the Directive).
6 Does your country make use of co-operative agreements giving immunity or leniency to individuals who assist or co-operate with authorities?
Except in a few very limited cases (relating to bribery, tax evasion and social security fraud), Spanish criminal legislation does not establish mechanisms similar to leniency agreements. The Penal Code’s only prescription in this respect is a reduced penalty for individuals who confess to having committed a crime before the initiation of criminal proceedings (Article 21.4). Notwithstanding this, co-operation between investigated individuals and public prosecutors is common in practice.
Leniency agreements are accepted in the framework of investigations conducted by the National Commission for Markets and Competition for infringements of competition laws. Additionally, as regards potential sanctions to be imposed by certain administrative authorities, Article 62.4 of the Administrative Common Procedure of the Public Administration establishes the exemption of liability of the person reporting an administrative infringement if certain requirements are met.
7 What are the top priorities for your country’s law enforcement authorities?
Prosecutions and convictions for corruption have been highly prominent in Spain, and the focus of prosecutors’ investigations and public attention.
‘Corruption’ is a broad concept that includes virtually all crimes committed by public officials (bribery, misuse of public funds, influence peddling, breach of office, etc.).
Prosecution for cybercrime has gained importance as the authorities are paying greater attention to crimes committed via social networks, cyberattacks and ransomware.
8 To what extent do law enforcement authorities in your jurisdiction place importance on a corporation having an effective compliance programme? What guidance exists (in the form of official guidance, speeches or case law) on what makes an effective compliance programme?
Compliance programmes were introduced in the Penal Code in 2015. However, their regulation is limited to Article 31 bis, which establishes the conditions for compliance programmes to be deemed ‘effective’, thus being suitable for the exoneration of a corporation.
Following the 2015 amendment to the Penal Code, the National Public Prosecutor’s Office issued Circular 1/2016, according to which prosecutors need to verify that a compliance programme ‘reflects a corporate commitment that prevents criminal behaviours within the company’. In addition to the requirements set out in Article 31 bis, the Circular considered self-reporting and internal investigations to be features typical of effective compliance programmes.
The Supreme Court has enhanced the importance of compliance programmes as a defence mechanism for corporations (e.g., STS 316/2018 of 26 June). Although case law tends to consider that this defence mechanism should be discussed during the trial stage rather than the investigation stage of judicial proceedings (e.g., Decision 351/2017, of 15 September, of the National Court on the Bankia case), there has been case law from the National Court dismissing criminal proceedings already at the investigation stage on the grounds of the existence of an effective compliance programme within the company (e.g., Decision 136/2020, of 7 May, of the National Court on the Púnica case).
9 Does your country regulate cybersecurity? Describe the approach of local law enforcement authorities to cybersecurity-related failings.
The EU General Data Protection Regulation (GDPR) imposes a general obligation on the data controller and the data processor to implement ‘appropriate’ measures to protect personal data, as well as the obligation to notify any data breach to the authorities and the concerned data subject. In addition, the Law on Personal Data Protection (Basic Law 3/2018) (LOPDP) sets out a sanction for the infringement of the obligation to secure personal data.
The Spanish Authority for Data Protection (AEPD) has issued Guidelines for the Management and Notification of Security Breaches, the latest version of which was published on 25 May 2021.
10 Does your country regulate cybercrime? What is the approach of law enforcement authorities in your country to cybercrime?
The Penal Code regulates an array of cybercrimes. Those most likely to occur in the context of any business activities include offences against privacy affecting cyber data or perpetrated by means of information technology (IT) tools (Articles 197 bis and 197 ter), fraud consisting of making an unauthorised transfer of any asset by means of a computer or IT manipulation (Article 248.2), damaging IT data (Articles 264, 264 bis and 264 ter), and the unlawful collecting of business information (trade secrets) by using IT instruments (Article 278).
In all these cases, a corporation can be held liable for the commission of the offence, provided that the legal requirements are met (as provided for by Article 31 bis of the Spanish Penal Code).
In May 2010, Spain acceded to the Budapest Convention on Cybercrime of the Council of Europe, setting out a guideline for developing legislation to fight cybercrime.
Both the National Police and the Civil Guard have special units dedicated to cybercrime.
Cross-border issues and foreign authorities
11 Does local criminal law have general extraterritorial effect? To the extent that extraterritorial effect is limited to specific offences, give details.
Spanish jurisdiction is defined in Article 23 of the Basic Law on the Judiciary (LOPJ). A territorial criterion applies, although there are exceptions to this general rule. One exception is the extraterritorial effect established for offences committed overseas by a Spanish national.
The extraterritorial effect of Spanish criminal law is also set out with regard to specific acts committed abroad, irrespective of the nationality of the perpetrator. Those offences either relate to the protection of fundamental values of the Spanish nation or intend to combat particularly egregious actions (e.g., corruption-related offences committed overseas between private parties or in international business transactions, although, in these cases, additional requirements apply for the prosecution of the misconduct).
The Penal Code establishes additional statutory exceptions to the territorial criterion. For instance, money laundering offences can also be prosecuted by the Spanish authorities even when the offence preceding the money laundering activity was committed overseas or when the activity was totally or partially performed outside the Spanish territory.
Corruption falls within the scope of Spain’s jurisdiction regardless of the nationality of the public authority involved in the underlying acts.
12 Describe the principal challenges that arise in your country in cross-border investigations, and explain whether and how such challenges depend on the other countries involved.
The main challenge results from disparities in data protection frameworks, particularly when dealing with countries outside the European Union.
13 Does double jeopardy, or a similar concept, apply to prevent a corporation from facing criminal exposure in your country after it resolves charges on the same core set of facts in another? Is there anything analogous in your jurisdiction to the ‘anti-piling on’ policy as exists in the United States (the Policy on Coordination of Corporate Resolution Penalties) to prevent multiple authorities seeking to penalise companies for the same conduct?
The non bis in idem principle is enshrined in the Spanish Constitution, the European Convention on Human Rights and the rules in the Basic Law on the Judiciary (Article 23.2c). This principle also protects legal entities. The Supreme Court has declared (in a ruling of 14 January 2000) that the principle applies both to domestic and international proceedings (although the European Court of Human Rights has not applied it to rulings issued by courts in different countries). Spain has not made any declaration to limit the application of the non bis in idem principle in the Schengen area.
Anti-piling on policies, in turn, are not necessary because Spanish law forbids the imposition of a regulatory sanction when misconduct previously resulted in a criminal conviction. To guarantee this, administrative sanction proceedings cannot be conducted while criminal proceedings are continuing.
It is not yet clear whether recent EU case law (i.e., rulings in the Menci, Garlsson Real Estate, Di Puma and Zecca cases) will affect Spanish law in the future, other than that, under some conditions, there can be a duplication of ‘criminal proceedings/penalties’ and ‘administrative proceedings/penalties of a criminal nature’ against the same person with respect to the same acts.
14 Are ‘global’ settlements common in your country? What are the practical considerations?
Global settlements are not common in Spain.
15 What bearing do the decisions of foreign authorities have on an investigation of the same matter in your country?
Pursuant to the non bis in idem principle (which is enshrined in the Spanish Constitution and procedural regulations, as well as in the European Convention on Human Rights), a duplication of criminal proceedings or penalties against the same person with respect to the same acts is prohibited in Spain. Furthermore, the Supreme Court has declared that this principle applies to both domestic and international proceedings. Hence, at least in theory, the existence of a foreign criminal ruling or proceedings on a matter should prevent the Spanish authorities from conducting a new investigation on the same facts against the same individuals.
Economic sanctions enforcement
16 Describe your country’s sanctions programme and any recent sanctions imposed by your jurisdiction.
Spain participates in the mandatory sanctions programmes adopted by the European Union, jointly with other programmes adopted by the United Nations or the Organization for Security and Co-operation in Europe.
For instance, Article 42 of the Spanish Anti-Money Laundering Law (Law 10/2010) establishes that financial sanctions adopted by United Nations Resolutions in relation to the prevention and combating of terrorism and the financing of terrorism, and to the prevention, combating and disruption of weapons of mass destruction and the financing thereof, are applicable in Spain with the consequences established by the Spanish government or in EU Regulations.
Aside from sanctions, export controls apply in relation to specific goods (such as military and double-use goods and technologies).
An infringement of the restrictive measures and export controls regime can constitute an administrative offence according to Law 10/2010, or a smuggling offence, which could potentially result in criminal liability for a company and the corresponding natural persons, or an administrative offence (Basic Law 12/95, Article 2).
17 What is your country’s approach to sanctions enforcement? Has there been an increase in sanctions enforcement activity in recent years, for example?
Spanish authorities have not been very active in this area. To date, the Spanish Council of Ministers has not adopted any sanctions in addition to those established by the European Union. However, owing to the recent increase in, and growing importance of, international sanctions adopted by the European Union, Spanish authorities have been more active in the surveillance and enforcement of international sanctions.
18 Do the authorities responsible for sanctions compliance and enforcement in your country co-operate with their counterparts in other countries for the purposes of enforcement?
Article 48 bis of Law 10/2010 expressly establishes co-operation with other EU Member States for the enforcement of sanctions regulations, among other things. In the case of non-EU countries, co-operation is carried out pursuant to international treaties.
19 Has your country enacted any blocking legislation in relation to the sanctions measures of third countries? Describe how such legislation operates.
Law 27/1998 of 13 July implemented Council Regulation (EC) No. 2271/96 of 22 November 1996 (the EU Blocking Regulation) in Spain and established economic fines for infringements.
20 To the extent that your country has enacted any sanctions blocking legislation, how is compliance enforced by local authorities in practice?
Pursuant to Law 27/1998 of 13 July, the concerned Spanish company must notify the European Commission (within 30 days) of any situation in which its economic or financial interests could be affected by the EU Blocking Regulation and refrain from executing any action against the content of these European provisions.
Before an internal investigation
21 How do allegations of misconduct most often come to light in companies in your country?
In our experience, allegations of misconduct most often come to light through media reports, internal audit, private litigation and regulatory inspections.
As whistleblower protection channels have only been implemented by Spanish corporations to any great extent since 2010 (when corporate criminal liability was introduced in Spanish regulations) and increasingly since the 2015 amendment of the Penal Code, it is too soon to test their effectiveness, as well as the effects that Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law might have.
Tax authorities and other administrative bodies are legally obliged to report to the public prosecutor any potential misconduct identified during their inspection procedures.
22 Does your country have a data protection regime?
The data protection regime consists of Article 18.4 of the Spanish Constitution, the Lisbon Treaty, the EU General Data Protection Regulation (GDPR) and the Law on Personal Data Protection (Basic Law 3/2018) (LOPDP), approved on 5 December to comply with the new EU data protection standards. Corporations are excluded from this protection regime.
Law 34/2002 of 11 July and Law 9/2014 of 9 May regulate data protection in relation to information technology services and e-commerce, and telecommunications, respectively.
23 To the extent not dealt with above at question 9, how is the data protection regime enforced?
The main authority responsible for the enforcement of the data protection regime is the Spanish Authority for Data Protection (AEPD), which can impose fines of up to €20 million or, in the case of corporations, up to 4 per cent of global annual turnover. The highest penalty imposed to date on a corporation by the AEPD amounts to €10 million (Resolution issued on 18 May 2022 in the framework of sanctioning proceedings PS/00140/2020).
Decisions adopted by the AEPD can be challenged in administrative courts.
24 Are there any data protection issues that cause particular concern in internal investigations in your country?
Although the Spanish regime on data protection does not include any specific provision on internal investigations, this regime must be borne in mind when conducting an investigation of a company.
The processing of data is only legitimate if based on one of the grounds established in Article 6 of the GDPR. In the case of an internal investigation, a corporation can claim the application of Article 6.1.c, which deems the processing of data to be lawful when carried out to comply with a legal obligation to which the controller is subject. This exception would not permit the processing of data based on non-EU regulations, as that is expressly excluded by the AEPD.
The exchange of information with non-EU countries is permitted only to the extent that the non-EU country has in place an equivalent data protection regime. If it does not, the exchange can be carried out only in the exceptional cases established in Article 49 of the GDPR. As Article 49.1.e permits the transfer of personal data when necessary for the establishment, exercise or defence of legal claims, this provision could be claimed to permit the transfer of data to a non-EU country. However, the validity of this argument must be assessed in each case.
25 Does your country regulate or otherwise restrict the interception of employees’ communications? What are its features and how is the regime enforced?
Spain restricts the interception of employees’ communications, both through the interpretation and application of workers’ rights by courts and through statutory provisions in data protection law.
As to case law, labour courts have adopted a set of standards that are similar to those established by the European Court of Human Rights in the Barbulescu II ruling (Grand Chamber, Barbulescu v. Romania, 5 September 2017) and are also followed by the AEPD and by criminal courts (e.g., Supreme Court Decision (STS) 489/2018 of 23 October and STS 328/2021 of 22 April). According to these standards, (1) the employer must have informed employees of the possibility of their correspondence being monitored (normally through a written policy), with the result of limiting the expectation of privacy in the use of corporate email, and (2) accessing an employee’s email must be grounded on a legitimate aim and comply with the proportionality test.
As to statutory restrictions, the LOPDP includes a number of ‘digital rights’, among them the ‘right to privacy in the use of digital devices in the workplace’ (Article 87). Pursuant to this Article, employers are permitted to access the contents of the digital devices provided by the company to employees only if that access is for the sole purpose of controlling the observance of labour or statutory duties or guaranteeing the devices’ integrity. Employers must establish criteria for the use of digital devices (and inform employees about them), which must guarantee the minimum standards of privacy protection according to social customs and constitutional rights.
Provided that the standards described above are met, the consent of employees is not necessary to conduct the monitoring, although consent could act as an additional guarantee for the employer to prove the lawfulness of reviewing emails. Notwithstanding this, the validity of consent has been limited in some fields (in particular, in the context of data protection).
Dawn raids and search warrants
26 Are search warrants or dawn raids on companies a feature of law enforcement in your country? Describe any legal limitations on authorities executing search warrants or dawn raids, and what redress a company has if those limits are exceeded.
Search warrants are common in corruption cases. In other white-collar cases, the use of judicial production orders is more common.
The Criminal Procedure Law (LECr) and its interpretation by the Supreme Court establish legal limits on raids and, since 2015, a specific regulatory framework applies to searches and seizures of computers, devices for telephonic or electronic communication, devices for mass storage of information and electronic data repositories (Articles 588 bis to 588 septies).
The investigating judge’s ruling can be challenged before the same court and a higher court. Evidence obtained in breach of the legal limits can be suppressed from the trial.
27 How can privileged material be lawfully protected from seizure during a dawn raid or in response to a search warrant in your country?
In practice, the exclusion of privileged material does not usually occur during a dawn raid, but rather at a second stage, when the contents of the seized devices are transferred to the judicial records. Nevertheless, it is advisable to warn the court clerk and the police during a search of the existence of privileged material and to include that warning in the minutes of the search written by the court clerk and signed by the representative of the searched corporation.
Material that is unnecessary for the investigation and affects the privacy of the defendant or third parties is normally suppressed (Basic Law on the Judiciary, Article 236 quinquies and LECr, Article 586 ter i). This mechanism can also be used to suppress privileged material. Furthermore, Article 118.4 of the LECr expressly establishes the confidentiality of communications between a defendant and his or her lawyer and their suppression from the judicial file, except in the event of indicia of the lawyer’s co-operation in the commission of the criminal action.
28 Under what circumstances may an individual’s testimony be compelled in your country? What consequences flow from such compelled testimony? Are there any privileges that would prevent an individual or company from providing testimony?
The Spanish Constitution guarantees the right against self-incrimination (Article 24.2). This right also protects legal entities (LECr, Articles 409 bis and 786 bis).
Defendants in criminal proceedings have the right to testify in court, both during the investigation stage and at the trial. When exercising this right, defendants have no obligation to tell the truth and cannot be convicted of perjury.
Witnesses are obliged to appear in court, give testimony and tell the truth (LECr, Article 410), with a few exceptions (LECr, Article 416). A witness’s failure to appear before a court can lead to the imposition of a fine and, under certain circumstances, a conviction for either obstructing justice or severe disobedience.
Whistleblowing and employee rights
29 Describe the whistleblowing framework in your country. What financial incentive schemes exist for whistleblowers? What legal protections are in place for whistleblowers?
The regulation of compliance programmes in the Penal Code has been interpreted in a manner that has made whistleblower protection channels compulsory in order for a company to be entitled to benefit from this defence (e.g., the National Public Prosecutor’s Office’s Circular 1/2016).
No financial incentives are established for individuals who report misconduct. Taking into account the Supreme Court’s doctrine on evidence, this practice would severely limit whistleblowers’ credibility as witnesses.
Labour law protects whistleblowers from both unfair dismissal and unfair treatment by the company resulting from an internal complaint.
Regarding anonymous reporting, this is allowed under the Law on Personal Data Protection (Basic Law 3/2018) and the Anti-Money Laundering Law. The Criminal Section of the Supreme Court has accepted anonymous corporate reporting as a valid means to trigger an internal investigation and follow-up criminal proceedings (Ruling 35/2020 of 6 February).
Directive (EU) 2019/1937 has not yet been transposed into Spanish legislation but, at the time of writing, the process is under way.
30 What rights does local employment law confer on employees whose conduct is within the scope of an investigation? Is there any distinction between officers and directors of the company for these purposes?
Spanish labour law vigorously protects workers from unfair treatment or dismissal. This protection also extends to the context of an investigation. Furthermore, there is a general consensus that investigated individuals should enjoy the right to defence in internal investigations.
31 Do employees’ rights under local employment law differ if a person is deemed to have engaged in misconduct? Are there disciplinary or other steps that a company must take when an employee is implicated or suspected of misconduct, such as suspension or in relation to compensation?
Article 31 bis of the Penal Code establishes that one requirement for an effective compliance programme is a disciplinary system that adequately punishes failures to comply with the programme’s measures.
As to labour law, an employer is entitled to sanction (including through dismissal) employees who have been involved in misconduct within the scope of their professional activities. The sanction would be grounded on the infringement of the principle of good faith that governs labour relations.
In the event that an employee is suspected of having been involved in wrongdoing, the employer would generally be entitled to arrange the suspension of the employee’s activities within the company (although the specific circumstances should be taken into consideration).
32 Can an employee be dismissed for refusing to participate in an internal investigation?
Labour law allows employers to give instructions to employees, including instructions for an employee to provide information about his or her actions within the company.
A lack of co-operation could lead to the imposition of disciplinary measures against an employee, although multiple factors would have to be analysed, the most important being the employee’s obligation to co-operate in internal investigations – or similar procedures – in the employment contract or the company’s internal regulations. Other factors to take into consideration include the severity of the disobedience and the employee’s position within the company. Labour courts tend to be highly protective of employees in conflicts with employers.
Commencing an internal investigation
33 Is it common practice in your country to prepare a document setting out terms of reference or investigatory scope before commencing an internal investigation? What issues would it cover?
Terms of reference have become more common in Spain recently, although there is still no standard practice in this regard.
34 If an issue comes to light prior to the authorities in your country becoming aware or engaged, what internal steps should a company take? Are there internal steps that a company is legally or ethically required to take?
Article 31 bis of the Penal Code requires that the supervision of the programme be entrusted to a body within the legal entity with autonomy and independence and that the body should be informed of any issue that comes to light. Large Spanish companies normally have a protocol detailing what should be done if wrongdoing or any breach of internal rules is detected.
35 What internal steps should a company in your country take if it receives a notice or subpoena from a law enforcement authority seeking the production or preservation of documents or data?
If an order suggests that a corporation may be under investigation or that any of its employees, officers or directors may have engaged in illegal acts, the best practices in compliance suggest that the corporation should attempt to investigate the facts. Further, recent practice shows that the authorities would expect the company to conduct an internal investigation.
Nevertheless, legal persons are protected by the right against self-incrimination. This constitutional guarantee is normally interpreted as implying that corporations cannot be obliged to produce documents that may incriminate them (but obviously may be subject to search warrants).
Article 588 octies of the Criminal Procedure Law establishes that the Public Prosecutor’s Office or the police can issue an order for the preservation of data or information stored in computer systems for up to 90 days to allow a judicial order to be issued during that time.
36 At what point must a company in your country publicly disclose the existence of an internal investigation or contact from a law enforcement authority?
Corporations are obliged to publish specific non-financial information, including the main risks associated with anti-bribery matters (Commercial Code, Article 49.6). An internal investigation or contact from a law enforcement authority about corruption may trigger this disclosure obligation.
Listed companies are obliged to publish an annual corporate governance report (Corporations Law, Articles 538 and 540). The corporate governance report must include information about the main risks that can affect the achievement of business objectives and the risks that have materialised during the year (Circular 5/2013 of the Securities Market National Commission (CNMV)).
This information must also be included in any prospectus of securities issues.
Finally, if information about an internal investigation, were it to be made public, is likely to have a significant effect on the prices of the financial instruments issued by the company in question (or on the price of related derivative financial instruments), the company will be subject to the rules on the disclosure of inside information established in Regulation (EU) 596/2014 on market abuse (Article 17) and to disclosure obligations under the Securities Markets Law (Articles 225 to 229).
A public notice issued by the CNMV reminds listed companies of their duty to comply with these obligations when they may be involved in allegedly irregular practices, remarking that information regarding these risks disclosed by issuers should be sufficiently detailed to allow the market and investors to comprehend the significance and relevance of the facts and risks.
37 How are internal investigations viewed by local enforcement bodies in your country?
Internal investigations are increasingly encouraged by the National Public Prosecutor’s Office (according to Circular 1/2016, providing law enforcement authorities with evidence obtained during an internal investigation will be regarded by prosecutors as proof of the corporation’s ethical commitment and, as such, may lead to exoneration of criminal responsibility) and by the CNMV (in its proposal of 14 January 2020 for an amendment to the Code of good practices for corporations).
38 Can the attorney–client privilege be claimed over any aspects of internal investigations in your country? What steps should a company take in your country to protect the privilege or confidentiality of an internal investigation?
According to the Basic Law on the Judiciary (Article 542.3) and the new Lawyers’ General Statute (Article 22.1), privilege protects all facts or information known by lawyers as a result of their professional activity.
This definition of privilege is particularly broad. The Lawyers’ Deontological Code includes within the scope of privilege (1) any confidential information or proposal received by a lawyer from his or her client, from a counterparty and from other colleagues, (2) any documents sent or received by a lawyer as a result of any of the forms of his or her professional activities, and (3) any communications exchanged between lawyers, including negotiations, whether oral or written.
The Deontological Code is not positive law but rather a professional code of conduct that binds lawyers to a set of ethical standards that courts may or may not apply in their interpretation of the law.
There has been a tendency in case law to try to limit the scope of privilege protection to that accepted in the regulation of anti-money laundering (AML) and countering the financing of terrorism. As from the Second AML Directive (Directive 2001/97/EC), the European Union has established that lawyers are obliged to report suspicions of money laundering unless they are ascertaining the legal position of a client or representing a client in legal proceedings (or in relation to legal proceedings, including legal advice on the initiation or avoidance of legal proceedings, see Article 22 of the Anti-Money Laundering Law).
There is no specific regulation on how privilege operates in the context of internal investigations, although there are no legal grounds to conclude that these same contents should not be protected by privilege. Indeed, an internal investigation is a technique to ascertain the legal position of the client and to defend the client in legal proceedings (criminal or regulatory), whether actual or potential.
It is customary to attempt to protect confidentiality through external counsel, but it is not clear to what extent external lawyers’ intervention guarantees privilege.
39 Set out the key principles or elements of the attorney–client privilege in your country as it relates to corporations. Who is the holder of the privilege? Are there any differences when the client is an individual?
Privilege (or professional secrecy) is conceived as both a right and a professional duty of lawyers, legally protected to guarantee the client’s right of defence.
The lawyer is entitled to claim privilege to avoid disclosing documents or communications relating to his or her professional activities and to refuse to act as a witness in a judicial case when that testimony refers to the lawyer’s activities as legal counsel.
None of the legal provisions on privilege makes any distinction between clients who are legal or natural persons.
40 Does the attorney–client privilege apply equally to in-house and external counsel in your country?
According to resolutions issued by the European Court of Justice, in-house lawyers are not holders of legal privilege (Ruling in Case C-550/07 P, Akcros Chemicals Ltd v. the European Commission). However, to date, this restrictive interpretation of attorney–client privilege has only been established in competition law cases, and it is unclear whether it will be extended to other areas. Regarding domestic regulations, the new Lawyers’ General Statute (approved by Law 135/2021 of 2 March and in force since 1 July 2021) expressly includes legal privilege as one of the principles applicable to in-house lawyers. There is no specific and clear Spanish case law in this regard.
41 Does the attorney–client privilege apply equally to advice sought from foreign lawyers in relation to investigations in your country?
Regulations do not distinguish between Spanish and foreign lawyers. In practice, it is understood that the attorney–client privilege also applies to communications with foreign lawyers.
42 To what extent is waiver of the attorney–client privilege regarded as a co-operative step in your country? Are there any contexts where privilege waiver is mandatory or required?
The concept of waiver of the attorney–client privilege has not been developed in Spain. In fact, the client’s sole consent to the disclosure of information or documents does not release the lawyer from the obligation of professional secrecy (Deontological Code, Article 5.8).
43 Does the concept of limited waiver of privilege exist in your jurisdiction? What is its scope?
This concept has not yet been recognised in Spain.
44 If privilege has been waived on a limited basis in another country, can privilege be maintained in your own country?
This concept has not yet been recognised in Spain.
45 Do common interest privileges exist as concepts in your country? What are the requirements and scope?
This concept itself is not recognised in Spain. However, attorneys advising multiple parties are entitled to share communications and documents, which are in turn subject to privilege. Common interest agreements are used in internal investigations.
46 Can privilege be claimed over the assistance given by third parties to lawyers?
Recent judicial cases show that it is not yet clear to what extent external lawyers’ intervention guarantees confidentiality. Best practices suggest involving an external lawyer in the engagement of any third party (e.g., a forensic firm) and in any communication and production of documents process.
47 Does your country permit the interviewing of witnesses as part of an internal investigation?
No statutory provision refers to this possibility. In practice, it is common to interview witnesses as part of an internal investigation.
Although dependent on the specific circumstances of the case at stake, the evidentiary value of interviews in criminal proceedings may be limited, especially if the interviewee is not assisted by a lawyer.
48 Can a company claim the attorney–client privilege over internal witness interviews or attorney reports?
Since the interviewee is not the client, it is doubtful that interviews are protected by privilege, considering the general rules applicable on legal privilege (i.e., Basic Law on the Judiciary, Article 542.3; new Lawyers’ General Statute, Article 22.1; Lawyers’ Deontological Code, Article 5).
49 When conducting a witness interview of an employee in your country, what legal or ethical requirements or guidance must be adhered to? Are there different requirements when interviewing third parties?
Interviews in an internal investigation can be conducted in different ways depending on their purpose. There is no specific regulation or general standard concerning the requirements to be met when conducting interviews.
In practice, it is common to issue warnings similar to those established in other jurisdictions (e.g., to inform the interviewee who allegedly committed the misconduct of the right to be assisted by a lawyer).
Further, Upjohn warnings are usually issued at the beginning of interviews as an ethical (and preventive) measure to avoid potential confusion about the interviewer’s role and legal duties.
The requirements do not differ when interviewing third parties.
50 How is an internal interview typically conducted in your country? Are documents put to the witness? May or must employees in your country have their own legal representation at the interview?
If any documents are produced, this is usually done during an interview as a means to seek an employee’s assistance in an investigation.
The attendance of a lawyer assisting the employee is not a compulsory requirement in Spain, although it may in some circumstances be a good option (e.g., to strengthen the evidentiary value of the interview in subsequent criminal proceedings).
Reporting to the authorities
51 Are there circumstances under which reporting misconduct to law enforcement authorities is mandatory in your country?
Articles 259 and 262 of the Criminal Procedure Law impose a general obligation on any individual who witnesses an offence (or knows of the existence of an offence through his or her professional activity) to report misconduct. However, the consequences set out for the infringement of this obligation are purely symbolic (a maximum fine of less than €2) and the obligation is never enforced in practice. Only civil servants have an actual obligation to report misconduct of which they become aware in the course of their professional activities. If they fail to do so, they may be held criminally liable and face a penalty of professional debarment.
However, reporting misconduct is mandatory pursuant to anti-money laundering and countering the financing of terrorism (Anti-Money Laundering Law, Article 63 read with Article 18) and market abuse regulations (Regulation (EU) No. 596/2014, Article 16.2).
An obligation to self-report does not exist for either legal or natural persons as a result of the right against self-incrimination granted by Article 24.2 of the Spanish Constitution.
52 In what circumstances might you advise a company to self-report to law enforcement even if it has no legal obligation to do so? In what circumstances would that advice to self-report extend to countries beyond your country?
The Penal Code considers self-reporting a mitigating circumstance for both legal and natural persons. In addition, according to the National Public Prosecutor’s Office Circular 1/2016, prosecutors are instructed to request exoneration of criminal responsibility for the corporation that self-reports a criminal offence.
However, public prosecutors are not the only accusing parties – a feature that adds an additional element of complexity to settlements, compared with other jurisdictions.
Regulators increasingly expect corporations to act transparently and co-operatively when allegations of criminal conduct are known.
Taking into consideration all these factors, self-reporting and co-operation are highly recommended in serious criminal cases. If the alleged criminal conduct has multi-jurisdictional implications, this advice may extend to other countries, although this possibility depends on the characteristics of the legal system and law enforcement in those countries.
53 What are the practical steps needed to self-report to law enforcement in your country?
The general way to self-report is to conduct the necessary meetings to explain the facts to prosecutors and to file the complaint with them, initiating the necessary co-operation and negotiation.
Responding to the authorities
54 In practice, how does a company in your country respond to a notice or subpoena from a law enforcement authority? Is it possible to enter into dialogue with the authorities to address their concerns before or even after charges are brought? How?
It is generally advisable that companies seek external legal counsel to respond to a notice or subpoena, even when the corporation is not yet formally an investigated party.
It is possible to approach the prosecutor or the investigating judge to discuss the deadline for the request or understand its scope.
55 Are ongoing authority investigations subject to challenge before the courts?
Authority investigations in Spain take place within the context of criminal proceedings conducted by a criminal court. The decisions adopted by the court as part of the investigation can generally be challenged before that court and a higher court.
56 In the event that authorities in your country and one or more other countries issue separate notices or subpoenas regarding the same facts or allegations, how should the company approach this?
The best way to answer separate requests can only be assessed in each particular case. Nevertheless, assuming that co-operation between different countries’ authorities is highly probable, the best approach probably consists of three elements: (1) informing each authority of the requests made by the other country’s authority; (2) attempting to limit the scope of each request to what is relevant and legally admissible in each country; and (3) ensuring consistency in the answers to the different requests.
57 If a notice or subpoena from the authorities in your country seeks production of material relating to a particular matter that crosses borders, must the company search for and produce material in other countries to satisfy the request? What are the difficulties in that regard?
If the authorities’ capacity to investigate and prosecute an extraterritorial matter is well established in Spanish law (as in cases of foreign corruption), the company must comply with the request, searching documents and data and producing them in the proceedings (with a caveat regarding the right against self-incrimination). Complications will arise if there are any legal restrictions in the country of origin of the evidence.
58 Does law enforcement in your country routinely share information or investigative materials with law enforcement in other countries? What framework is in place in your country for co-operation with foreign authorities?
Co-operation between Spanish and foreign authorities is increasingly common and enhanced by different mechanisms:
- the mutual recognition system within the EU criminal justice system;
- mutual legal assistance treaties;
- exchange of information in the application of the Organisation for Economic Co-operation and Development’s Common Reporting Standard;
- exchange of information in the application of double taxation treaties; and
- co-operation agreements between regulators of multiple countries.
Spanish statutes on specific activities expressly regulate international co-operation (e.g., Article 61 of Law 10/2014 for banking supervision authorities, Articles 244 to 247 of the Securities Market Law for co-operation between securities regulators and Article 48 bis of the Anti-Money Laundering Law for co-operation between anti-money laundering and counter terrorism financing authorities).
59 Do law enforcement authorities in your country have any confidentiality obligations in relation to information received during an investigation or onward disclosure and use of that information by third parties?
Regulators (such as the Securities Market National Commission (the stock market regulator), the Bank of Spain and the Commission for the Prevention of Money Laundering and Monetary Offences) normally have confidentiality obligations, as established in their own statutes. These confidentiality obligations cannot restrict the authority of criminal law enforcement authorities (normally, investigating judges) to request whatever information or documentation they consider necessary.
As regards criminal investigations, the investigation stage is confidential (Criminal Procedure Law, Article 301) and only the parties to the proceedings have access to judicial records. However, leaks to the media are extremely common in Spain.
60 How would you advise a company that has received a request from a law enforcement authority in your country seeking documents from another country, where production would violate the laws of that other country?
As a general rule, a company should refrain from producing for Spanish authorities any documents from other countries when production would violate local law. Instead, the conflict should be explained to the authorities and alternative ways to gather the information must be considered. Spanish authorities will normally understand this limitation, as territorial overreach is unusual in practice.
61 Does your country have secrecy or blocking statutes? What related issues arise from compliance with a notice or subpoena?
There are no blocking statutes in Spanish law, except in connection with EU trade sanctions, as Spain participates in the mandatory sanctions programmes adopted by the European Union.
There are secrecy obligations for some types of information, such as for banking records (Law 10/2014, Article 83) and personal data (Law on Personal Data Protection (Basic Law 3/2018) (LOPDP), Article 5), that may restrict voluntary production. This hurdle is normally avoided by submitting a request to the authorities, within the framework of co-operation, for a production order issued by an investigating judge.
62 What are the risks in voluntary production versus compelled production of material to authorities in your country? Is this material discoverable by third parties? Is there any confidentiality attached to productions to law enforcement in your country?
With the exception regarding secrecy obligations (e.g., banking records, pursuant to Law 10/2014, Article 83, and personal data, pursuant to LOPDP, Article 5), the risks of voluntary production and compelled production of material are similar. In both cases, the material produced may be discoverable by third parties (normally through a judicial production order). Confidentiality protection, if any exists, does not differ if production is voluntary or compelled.
Prosecution and penalties
63 What types of penalties may companies or their directors, officers or employees face for misconduct in your country?
Corporations can be subject to a wide range of penalties, including fines, dissolution of the legal entity, suspension of the business activity, closing of premises, debarment from the corresponding business activity, exclusion from public subsidies and public contracts, and judicial monitoring of the company to safeguard employees’ or creditors’ rights (Penal Code, Article 33.7). Only fines are compulsory in the event of conviction; other penalties are not and, as far as we know, have not been imposed by courts to date. Disgorgement of profits is increasingly significant but is not considered a penalty.
Regarding directors, officers and employees, a criminal conviction can result in imprisonment or a fine (or both).
In addition to criminal penalties, the civil liability of the individual and the corporation can be ruled on within the criminal proceedings.
In addition to the penalties established in the Penal Code, the Public Contracts Law (Law 9/2017) establishes a prohibition against entering into public contracts for individuals and corporations who have been convicted of, among other offences, bribery, tax evasion, money laundering, offences against the environment and offences against labour rights, for a maximum of five years (Articles 71 and 72). This prohibition results from the transposition of the EU Public Procurement Directive (Directive 2014/24/EU). However, the transposition of the Directive into Spanish law has been rather restrictive given that, contrary to the Directive, it has excluded compliance programmes as a way to avoid the application of a prohibition when it derives from a criminal conviction.
64 Where there is a risk of a corporate’s suspension, debarment or other restrictions on continuing business in your country, what options or restrictions apply to a corporate wanting to settle in another country?
A settlement in another country, if it leads to a conviction, may have adverse effects on proceedings in Spain and could trigger exclusion from public procurement.
65 What do the authorities in your country take into account when fixing penalties?
Courts will take into account the severity of the facts and the potential existence of the aggravating and mitigating circumstances laid out in the Penal Code. In the case of corporations, mitigating circumstances include self-reporting of the offence to the authorities, co-operation with the authorities’ investigation, implementation of remediation measures and adoption of compliance measures to detect potential future offences (Penal Code, Article 31 quater).
The Penal Code does not establish general aggravating circumstances applicable to any corporate offence. However, for some offences, the specific circumstances of the case can lead to a more severe penalty (e.g., when the damage resulting from the offence exceeds a specific threshold).
Further statutory criteria to determine the appropriate penalty within the range established by application of the aggravating and mitigating factors apply with regard to corporations. To that end, among other criteria, courts must take into account the need to impose the penalty to deter future offences within the corporation, the possible consequences that the penalty imposed on the legal entity might have on its employees and the position within the company of the individual or body that failed to comply with the control duties to prevent the wrongdoing (Penal Code, Article 66 bis).
Resolution and settlements short of trial
66 Are non-prosecution agreements or deferred prosecution agreements available in your jurisdiction for corporations?
Spanish regulations do not establish any legal instruments similar to deferred prosecution agreements (DPAs) or non-prosecution agreements (NPAs).
67 Does your jurisdiction provide for reporting restrictions or anonymity for corporates that have entered into non-prosecution agreements or deferred prosecution agreements until the conclusion of criminal proceedings in relation to connected individuals to ensure fairness in those proceedings?
As there are no DPAs or NPAs, there is no regulation on reporting restrictions or anonymity. Any settlement that a company may reach within the context of criminal proceedings will involve an admission of guilt and thus be reflected in a court’s ruling, which will form part of the public record. The names of individuals are redacted from courts’ decisions and rulings, because of data protection, but not the names of corporations. If there is a public interest in the case, the ruling will normally be available on the internet without any redaction.
68 Prior to any settlement with a law enforcement authority in your country, what considerations should companies be aware of?
No settlement is possible without an admission of guilt. However, even under these circumstances, a corporation may potentially be interested in reaching a settlement to benefit from a reduced penalty and to be able to negotiate the specific type of penalty to be imposed.
If an offence has resulted in damage to third parties (either authorities, such as the tax authority, or private parties), it is advisable that those parties be involved in the negotiation process. If they are not, the affected third parties could bring (or continue to pursue) criminal actions against the corporation irrespective of the settlement reached with the public prosecutor.
69 To what extent do law enforcement authorities in your country use external corporate compliance monitors as an enforcement tool?
Monitorships are one potential penalty for corporations convicted of a criminal offence (Penal Code, Article 33.7.g), although with a very limited scope (to safeguard employees’ and creditors’ rights after an offence has been committed). To date, no monitorship has been imposed on any corporation.
70 Are parallel private actions allowed? May private plaintiffs gain access to the authorities’ files?
Any natural or legal person in Spain can file a criminal complaint (even if not the victim of the alleged crime) and become a party to the criminal proceedings, thus gaining access to the authorities’ files.
Publicity and reputational issues
71 Outline the law in your country surrounding publicity of criminal cases at the investigatory stage and once a case is before a court.
During a judicial investigation, only the parties to the proceedings are entitled to access the judicial file. However, leaks to the media are endemic.
Trials are public and, in high-profile cases, are broadcast live on the internet.
72 What steps do you take to manage corporate communications in your country? Is it common for companies to use a public relations firm to manage a corporate crisis in your country?
Large corporations tend to have an internal department in charge of the company’s communication strategy. In situations of corporate crises, corporations may also seek external specialist support from public relations firms.
73 How is publicity managed when there are ongoing related proceedings?
Any communication should be reviewed by the public relations team and by the legal team to avoid the communication affecting the proceedings or clashing with the company’s defence strategy in a judicial case.
Duty to the market
74 Is disclosure to the market in circumstances where a settlement has been agreed but not yet made public mandatory?
The existence of this obligation has to be analysed in light of commercial and corporate regulations, which oblige corporations to publish specific non-financial information (i.e., Commercial Code, Article 49.6 and, for the particular case of listed companies, Corporations Law, Articles 538 and 540).
Environmental, social and corporate governance (ESG)
75 Does your country regulate ESG matters?
Environmental matters are regulated by a wide array of national, regional and local laws that are constantly changing. Social matters (e.g., gender equality in corporate decision-making bodies) tend to be regulated by centralised initiatives.
Corporate governance is mainly regulated by means of the Commercial Code and the Corporations Law. In addition to these, listed companies are subject to the Securities Market Law, the Code of good practices for corporations and the instructions issued by the Securities Market National Commission (the stock market regulator).
76 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address ESG matters?
The Spanish government has initiated the procedure to develop a new piece of legislation relating to the protection of human rights, sustainability and due diligence in transnational corporate activities, the aim of which is to impose several supply chain due diligence obligations on companies, in line with the Proposal for a Directive (EU) on Corporate Sustainability Due Diligence dated 23 February 2022.
77 Has there been an increase in ESG-related litigation, investigations or enforcement activity in recent years in your country?
Any natural or legal person can file a criminal complaint (even if not the victim of the alleged crime) and become a party to criminal proceedings. For this reason, associations tend to be very active on ESG-related matters and, in particular, in the prosecution of environmental offences. However, there has not been a particular increase in this regard in recent years.
78 Do you expect to see any key regulatory or legislative changes emerge in the next year or so designed to address corporate misconduct?
The legislative process to draft and pass a new Criminal Procedure Law was initiated in 2021. This potential new regulation could have a tremendous effect on criminal proceedings, as well as on the defence of corporations (e.g., the investigation stage could be handed to the Public Prosecutor’s Office instead of investigating courts, as is now the case). However, the draft is still under discussion and it is unclear whether it will be passed in the short term.
Furthermore, Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law will probably be transposed into the Spanish legal system in the coming months. In particular, a draft act has already been prepared, which includes several issues that may affect the way internal investigations arising from a whistleblower’s report should be conducted, such as the time limit of the investigation or the rights of the person under investigation. In addition, a draft law on the ‘right to defence’ is currently under discussion, which may also address relevant issues such as the scope and limits of the attorney–client privilege.
Additionally, the outcome of internal investigations has started to be used by companies for their defence in criminal proceedings. Therefore, in the coming years, we will get to see public prosecutors’ and courts’ reactions to internal investigations (e.g., whether, and under what circumstances, they acknowledge their content as valid evidence).
Finally, it will be interesting to see how case law develops regarding the role of compliance programmes as the grounds for dismissal or acquittal of corporations, and whether the judicial decisions support recent precedents dismissing criminal proceedings already at the investigation stage on the grounds of the existence of an effective compliance programme within a company.
 Jaime Alonso Gallo is a partner at Uría Menéndez Abogados, SLP.