23 May 2024 · MES Advocats
The Keys to the Internal Information System

Spanish Law 2/2023 of 20 February, regulating the protection of persons who report regulatory infringements and the fight against corruption (hereinafter “Law 2/2023”), which transposes Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, on the protection of persons reporting breaches of Union law, establishes the obligation to create and implement an Internal Information System.
The Internal Information System is a mechanism that companies must implement within the organization to allow third parties to report legal infringements that occur in a labour or professional context. The implementation of the Internal Information System falls on the governing body or administration of each entity.
Which entities are required to have an Internal Information System?
The obligation to have an Internal Information System varies depending on the sector to which each entity belongs. Thus, it is necessary to differentiate between public sector entities and private sector entities. A recent article on our blog analyses in detail the entities required to have an Internal Information System.
What does the Internal Information System include?
Article 5 of Law 2/2023 sets out the minimum requirements that the Internal Information System must meet:
#### 1) Having an internal reporting channel.
Through this channel, the whistleblower can report legal infringements that occur in a labour or professional context as previously mentioned.
The channel must allow communications to be made in writing or verbally (or both). Additionally, the channel must allow for the possibility of making a report through an in-person meeting to be held within a maximum period of 7 days from the request, provided the whistleblower requests it.
Besides the internal reporting channel, the whistleblower can choose to initiate a report through the external reporting channel to the competent authorities, although the internal reporting channel is legally established as the preferred route. Why is it the preferred route? The answer is simple: proper action within an entity could prevent the negative consequences of the actions under investigation. However, despite this preference, the whistleblower is free to choose the channel they wish to use, whether internal or external, depending on the circumstances and perceived risks of retaliation.
#### 2) Appointing a Responsible Person for the Internal Information System.
The Responsible Person can be either a natural person or a collegiate body. However, if the entity opts for the latter, it must delegate the management powers of the Internal Information System and the handling of investigation files to one of its members.
In any case, in the private sector, as a general rule, the Responsible Person for the Internal Information System must be a company executive.
If you want more information about the Responsible Person for the Internal Information System, we recommend you read this other article on our blog published a few weeks ago.
#### 3) Having the Internal Information System Policies.
These must be publicized within the entity or organization. If the company has a website, these should be posted on the homepage in a separate and easily identifiable section. Generally, the Internal Information System Policies should include:
–> A guide to the principles governing it.
–> The material and personal scope of application.
–> Establishment of the company’s internal reporting channel.
–> Appointment of the Responsible Person for the system.
–> Protection and support measures for the whistleblower, including the prohibition of retaliation.
–> Protection and guarantees for persons affected by the report.
–> Processing and protection of personal data.
#### 4) Establishing a procedure for managing the received reports.
This must be approved by the company’s governing or administrative body. The Responsible Person for the Internal Information System will be accountable for its proper handling. According to article 9.2 of Law 2/2023, this procedure must include, at a minimum:
–> Identification of the company’s internal and external channels.
–> The mandatory deadlines set by Law 2/2023, such as:
–> Provision for the possibility of staying in contact with the whistleblower and, if deemed necessary, requesting additional information.
–> Requirement to respect the presumption of innocence and honor of individuals involved in a report.
–> Compliance with data protection rules contained in Law 2/2023.
–> Recognition of the right of the affected person to be informed of the accusations and to be heard at any time, ensuring communication in a timely and appropriate manner for the investigation.
–> Guarantee of confidentiality when reports are sent through unofficial channels or to unauthorized personnel, with the obligation that the recipient immediately forwards the report to the Responsible Person for the Internal Information System.
–> Immediate forwarding of report information to the Public Prosecutor if the facts may be criminal, and to the European Public Prosecutor’s Office if they affect the financial interests of the European Union.
#### 5) Defining the management of the internal reporting channel.
Management can be internal, carried out by the company itself, or external, handled by a third party.
It is common for the internal reporting channel to be managed by law firms – as is the case with MES Advocats – whose main function is to receive reports. It is also possible to provide legal advice to the company on the management and resolution of received reports.
What are the requirements for the Internal Information System?
The implementation of the Internal Information System requires meeting the following requirements:
–> It must be structured and managed securely. It is absolutely essential to ensure the confidentiality of the whistleblower’s identity and any third party mentioned in the report, as well as the actions taken during its processing.
–> It must allow for anonymous reporting.
–> It must ensure that access to personal data is limited to the persons mentioned in article 32.1 of Law 2/2023.
–> It must maintain a written record of received reports and conducted investigations.
At MES Advocats, we offer a comprehensive service for the implementation of the Internal Information System, whether to implement it and/or audit its compliance with Law 2/2023, or to advise the company on the management, processing, and resolution of received reports. If you need more information or are interested in getting a quote, you can contact us through this link.