Mes Advocats
← Previous

30 May 2024 · MES Advocats

The role of the external third party in the management of the internal whistleblowing reporting channel

The role of the external third party in the management of the internal whistleblowing reporting channel

30 May, 2024

Compliance

MES Advocats

![](https://www.mesadvocats.com/blog/wp-content/uploads/pexels-olly-3760093-scaled-e1717090655471.jpg)

Under Law 2/2023, companies and/or public entities must have implemented an internal information system that incorporates a whistleblowing reporting channel, through which anonymous or identified communications about infractions that have occurred in a work or professional context can be channeled.

This reporting channel can be managed with the company’s and/or public entity’s own means, although the regulation also allows this task to be entrusted to an external third party (Art. 6), as long as it offers adequate guarantees of respect for independence, confidentiality, data protection, and the secrecy of communications.

However, in the scope of the General State Administration, regional administrations, and cities with a Statute of Autonomy, as well as of the entities that make up the local administration, the outsourcing of the management of the whistleblowing reporting channel can only be agreed upon in cases where insufficient own means are accredited (Art. 15).

The external third party is usually a law firm such as MES Advocats.

The external management of the internal whistleblowing reporting channel should not be confused with the external information channel, as the latter is managed by the Independent Authority for Whistleblower Protection or the corresponding regional body, and coexists with the internal reporting channel. The whistleblower can choose to use either, although the internal reporting channel is considered the preferred route.

What requirements must meet the external third party to manage the whistleblowing reporting channel?

The company and/or public entity must previously sign an agreement with the external third party as a data processor.

What limits exist in the management of the whistleblowing reporting channel by the external third party?

The management carried out by the external third party cannot undermine the guarantees and requirements established by the law for this system, nor can it imply an attribution of responsibility for it to anyone other than the person responsible for the internal information system.

What does the management of the whistleblowing reporting channel by an external third party consist of?

Art. 6 of Law 2/2023 makes it clear that management of the system by an external third party is considered to be “the reception of communications.”

Similarly, Art. 15 of this legal text, referring to the management of the reporting channel by an external third party for certain entities of the public sector, states that the management “will only include the procedure for receiving communications about infractions and, in any case, will be exclusively instrumental.”

For its part, Art. 12 of Law 2/2023, which regulates shared means in the private sector, refers to the “management and processing of communications.”

So, should the external third party only limit itself to receiving communications on behalf of the company or public entity?

The answer seems to be affirmative. From the literal text of Law 2/2023, it can be interpreted that it is the responsibility of the company or public entity to maintain confidentiality, respond to the whistleblower, and address the reported infraction until the process is completed.

Can two or more companies use the same external third party to manage their whistleblowing reporting channel?

In the private sector, and as long as the guarantees provided in Law 2/2023 are respected, those companies with between 50 and 249 employees can opt to share the internal information system and the resources intended for the management and processing of communications, including the external third party (Art. 12).

What benefits does outsourcing the management of the whistleblowing reporting channel to a third party provide?

Having an external third party, usually an independent law firm, manage a company’s and/or public entity’s whistleblowing reporting channel offers whistleblowers enhanced guarantees of respect for the principles of confidentiality and independence, which will likely prevent the whistleblower from using other reporting channels, such as the external channel or the media.

Additionally, the company and/or public entity will save management costs, as the external third party will be responsible for performing an initial filter on the received communication, ensuring that processing only begins if it meets all the requirements established by Law 2/2023.

Can the external third party commit any infractions in the context of its management?

The sanctioning regime provided in Law 2/2023 does not specify infractions directed at the external third party, although it is evident that the third party can commit many of the infractions legally provided by assuming the external management of the reporting channel.

For example, the external third party may violate the confidentiality and anonymity guarantees provided in the law and/or perform any action or omission aimed at revealing the identity of the whistleblower when he or she have opted for anonymity, even if the actual revelation does not occur.

In such a case, the external third party would be committing a very serious infraction, which can be sanctioned with fines ranging from €30,001 to €300,000 if it is a natural person, and from €600,001 to €1,000,000 if it is a legal entity.

Additionally, the Independent Authority for Whistleblower Protection, responsible for exercising the sanctioning power, can impose public admonition, prohibition of obtaining public subsidies or other tax benefits for up to 4 years, and prohibition of contracting with the public sector for up to 3 years.

It should be noted that when sanctions are imposed on legal entities for very serious infractions that are equal to or greater than €600,001, they will be published in the Official State Gazette (BOE) once the resolution is final in administrative proceedings, including information about the nature of the infraction and, if applicable, the identity of the persons responsible.

The external third party could also fail to comply with the obligation to adopt measures to ensure the confidentiality and secrecy of the information, in which case it would be committing a serious infraction that can be sanctioned with fines ranging from €10,001 to €300,000 if it is a natural person, and from €100,001 to €600,000 if it is a legal entity.

In any case, any breach of the obligations provided in Law 2/2023 that is not classified as a very serious or serious infraction will be considered a minor infraction, in which case the external third party can be sanctioned from €1,001 to €10,000 if it is a natural person, and up to €100,000 if it is a legal entity.

At MES Advocats, we offer a comprehensive service regarding the whistleblowing reporting channel, whether to implement it, audit its compliance with Law 2/2023, or manage the channel as an external third party. We also offer advice to the company and/or public entity in processing and resolving the received information.

If you need more information or are interested in obtaining a quote, you can contact us through this link.

###

![What benefits can having a whistleblowing channel bring to my company even if it’s not legally obligated?](https://www.mesadvocats.com/blog/en/beneficios-canal-denuncias-empresa-reputacion-prevencion-riesgos-transparencia/ "What benefits can having a whistleblowing channel bring to my company even if it’s not legally obligated?")
![The responsible for the internal reporting channel](https://www.mesadvocats.com/blog/en/responsable-canal-interno-denuncias-funciones-obligaciones-legales-independencia-eficacia/ "The responsible for the internal reporting channel")
![Who can report or denounce an irregularity through a company’s internal reporting channel and how can they do it?](https://www.mesadvocats.com/blog/en/quien-puede-informar-denunciar-irregularidades-canal-interno-empresa-garantias-requisitos-legales/ "Who can report or denounce an irregularity through a company’s internal reporting channel and how can they do it?")
![The Keys to the Internal Information System](https://www.mesadvocats.com/blog/en/les-claus-del-sistema-intern-dinformacio/ "The Keys to the Internal Information System")

Internat reporting channel

---