88 Questions and answers about Law 2/2023
1. What is the objective of Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption?
Its objective is to protect people who report or denounce violations in their workplace against retaliation they may suffer.
The Law transposes Directive 2019/1937 of the European Parliament on the protection of persons who report infringements of Union Law.
Law 11/2016, creating the Agency for the Prevention and Fight against Fraud and Corruption of the Valencian Community, anticipated the Directive, creating an external complaints mailbox open to all citizens and a statute for the protection of people. that they denounce, whether they are natural or legal persons.
2. ¿Quién puede informar o denunciar una irregularidad en su ámbito laboral ante la Autoridad Independiente de Protección al Informante (AIPI), la cual todavía no se ha creado, o ante las autoridades u órganos autonómicos competentes?
Persons linked by an employment or professional relationship.
In the case of the Valencian Community, the competent authority is the Valencian Anti-Fraud Agency.
- What type of information or complaints fall within the scope of the Law and give the right to protection?
Actions or omissions that may constitute a serious or very serious criminal or administrative offence. For example: passing the questions in an exam, manipulating a contract, building where you can’t, accessing a grant without having the requirements, etc.
In the case of the Valencian Anti-Fraud Agency, they are those facts or conducts that may constitute corruption, fraud, administrative irregularities, behaviors constituting an administrative or disciplinary offense and conducts or activities reprehensible for being contrary to integrity and public ethics. For example: intervening in procedures in which there is a conflict of interest to obtain an advantage, wasting public money, carrying out a contract without previously following a procedure, etc.
- Does the Valencian Anti-Fraud Agency have powers in the private sector?
It could only have such competence if Law 11/2016 on the creation of the Agency is amended, expanding its scope of action.
Therefore, for the private sector, the competent body is the Independent Authority for the Protection of Whistleblowers (AIPI), which has not yet been established.
5. Is Law 2/2023, of 20 February, regulating the protection of people who report regulatory breaches and the fight against corruption, of a basic nature?
Yes. The eighth final provision of the Law states that it is issued by virtue of the exclusive powers of Article 149.1, paragraphs 1, 6, 7, 11, 13, 18 and 23 of the Spanish Constitution, with the exception of Title VIII which is only applicable to the General State Administration and other entities of the state public sector.
- What are the ways and forms to report an infringement in accordance with Law 2/2023?
Through the internal channel that each entity must have, or through the external channel, which in the case of the Valencian Community is that of the Valencian Anti-Fraud Agency.
The Law allows the whistleblower to choose between the internal or external channel, depending on the circumstances and the risks of retaliation that he or she considers.
The complaint may be anonymous or identified, and may be made by any means: written, verbal, by email, post, voice messaging, etc.
- Who can be a whistleblower according to Law 2/2023?
Law 2/2023 uses the term “whistleblower” as a synonym for whistleblower to refer to people in the public or private sector who communicate or disclose information about irregularities of which they are aware in their professional or work environment.
Included are people who work:
- In public administrations, regardless of their employment relationship (career, interim, labour or temporary civil servants).
- In the private sphere.
- Who are doing internships, with scholarships, in training or who are participating in a selection process.
- In companies linked to the administration, whether they are contractors, subcontractors, suppliers, etc.
In any event, these persons who report violations must report in accordance with the requirements of the Act and have reasonable grounds to believe that the information they are providing is true.
8. What do we do if the person filing the complaint is a legal entity?
Complaints can be filed by people who have obtained information about infringements in an employment or professional context, i.e. public employees (career, interim, labour or temporary civil servants), employees, self-employed workers, shareholders, participants and people belonging to the administrative body, trainees or people with scholarships, volunteers or trainees, participants in a selection process, and even contractors, subcontractors, and suppliers.
This literal enumeration of the Law covers both natural and legal persons. For example, a contractor or a supplier, although in these cases the person who files the complaint on behalf of the legal person is always a natural person representing it.
Complaints or information can also be submitted anonymously. The legislator’s will has focused on allowing infractions to surface so that once known, the facts can be reviewed, and not on the person who denounces.
9. Can only internal staff and contractors or subcontractors of the City Council use the internal complaints channel?
The subjective scope of application of Law 2/2023 is set out in Article 3, although we must bear in mind that the Law makes it possible to submit anonymous communications.
It will be the facts or data that are communicated that motivate or not the opening of a procedure.
10. Within the personal scope of application of Article 3, can the councillors of a Corporation be included?
The personal scope of application refers to a work and professional context and, therefore, councillors are included, although they are public authorities who must exercise their functions of control of the municipal government and its management without the need to report in this way.
11. When is the identity of the respondent provided?
The personal scope of application refers to a work and professional context and, therefore, councillors are included, although they are public authorities who must exercise their functions of control of the municipal government and its management without the need to report in this way.
12. What obligations do the entry into force of Law 2/2023 cause?
• Create an Internal Information System (SII) that includes an internal information channel, which must meet certain requirements and guarantees, and must be designed, established and managed securely, allowing the submission and processing of anonymous complaints.
• To provide information on the website or in an easily accessible way about the use and operation of the internal information channel, as well as the principles of the management procedure.
• To regulate the procedure for managing the channel for the diligent processing of communications or complaints in accordance with the Law.
• Define a policy or strategy that sets out the general principles of internal information and whistleblower defence systems and make it known within the organisation.
• Designate a Person in Charge of the Internal Information System, which may be a natural person or a collegiate body.
• Notify the competent authority (in the Valencian Community, the Valencian Anti-Fraud Agency with respect to the public sector) of the appointment of the Head of the Internal Information System.
• To have a record book of the information received and the internal investigations to which they have given rise.
• Inform, in a clear and accessible way, those who communicate through the internal channel about the existence of the external channel.
• Train staff on duties and responsibilities related to the confidential handling of communications.
13. Can I go to the external whistleblowing channel or do I have to report the internal channel first?
The internal channel should be used preferentially, since diligent and effective action within the organization itself could paralyze the harmful consequences.
However, the Law allows the whistleblower to choose the internal or external channel, depending on the circumstances and the risks of retaliation that he or she considers.
In any case, the AVAF is the external channel that can be used in accordance with the provisions of Law 2/2023 and its regional regulatory regulations.
14. If I have a mailbox or channel for filing complaints, do I comply with the obligations of the Law?
It’s not enough. Law 2/2023 obliges each entity to create the “Internal Information System” (SII), which must include the following elements:
• A policy or strategy that contains the general principles of the SII and the defense of the informant.
• A channel or mailbox to receive complaints, which is a safe, accessible tool that allows anonymous complaints to be filed.
• A person responsible for the SII (natural person or collegiate body). In the case of a collegiate body, management functions will be delegated to one of its members.
• A procedure for managing information or complaints.
• The guarantees of protection of whistleblowers, as well as the rights of the people affected by this information or complaint.
https://www.antifraucv.es/wp-content/uploads/2024/07/SII_elementos.pdf
https://www.antifraucv.es/wp-content/uploads/2024/07/Derechos_garantias.pdf
15. Do the measures of the Anti-Fraud Plans in terms of European funds help me to comply with the obligations of Law 2/2023?
No, it is not the same. The Anti-Fraud Plans derive from Order HFP/1031/2021, of 29 September, on the Recovery, Transformation and Resilience Plan in relation to the control of European funds, and Law 2/2023 transposes Directive (EU) 2019/1937 into Spanish law.
In practice, some entities have taken advantage of the anti-fraud committees of the Anti-Fraud Plans or ethics committees to appoint the people who make them up Heads of the SIIs and attribute to them the functions provided for in Law 2/2023. These appointments will be valid in accordance with Law 2/2023, provided that their composition and profiles offer the greatest guarantees of independence and autonomy necessary to exercise their functions, and that they have the necessary preparation and training.
16. What do we do if the complaint is filed by the entity’s registry?
We must immediately redirect it to the internal information system and, in any case, keep it confidential.
Anyone who has access to such information has a duty of secrecy. All staff should be given adequate information and training on this subject. For example, and in a special way, to people who are in the check-ins.
Failure to comply with this duty gives rise to the imposition of very serious penalties: from 30,0001 to 300,000 euros to individuals and up to 1 million euros to legal persons.
17. What do we do if we receive a complaint or information about interpersonal conflicts?
Interpersonal conflicts are expressly excluded in Law 2/2023. The person responsible for the SII will redirect the information to the competent unit of the company or public administration (Law 31/1995 PRRLL).
18. What if it is information about alleged workplace harassment?
Harassment has its own specific procedure under Law 31/1995 PRLL, which must be followed in the company or public administration.
19. Can I be fined if I do not comply with the accessibility guarantees or do not provide the essential information of the Internal Information System?
Yes. Serious infringements are actions or omissions that limit the rights and guarantees provided for in the Law and any attempt or effective action to obstruct the submission of information or to prevent, frustrate or slow down its follow-up. Failure to comply with the obligation to adopt measures to guarantee the confidentiality and secrecy of information is also punishable.
In any case, the Law includes as a minor infringement any breach of the obligations provided for therein that is not classified as a very serious or serious infringement.
20. Who is responsible for exercising the sanctioning power of Law 2/2023?
It is the responsibility of the Independent Authority for the Protection of Whistleblowers, A.A.I., and, in the case of the Valencian Community, of the AVAF with respect to the entities included in its scope of application.
All this, without prejudice to the disciplinary powers that the competent bodies may have within the internal scope of each organisation.
21. Is non-compliance with the obligation to implement the Internal Information System punishable?
Yes. Article 63.1 (g) of the Law considers as a very serious infringement intentional actions or omissions that involve “failure to comply with the obligation to have an internal information system in the terms required by this Law”.
The penalties for very serious infringements are for individuals from 30,001 to 300,000 euros, and for legal entities from 600,001 to 1,000,000 euros. In addition, public reprimand, prohibition of obtaining subsidies or other benefits and prohibition of contracting with the public sector may be agreed. In the event of a sanction for a very serious infringement of a legal person, publication may be added in the BOE after the final resolution in administrative proceedings.
22. Will the sanctioning regime of Law 2/2023 be able to concur with another disciplinary regime?
Yes. The exercise of the sanctioning power provided for in Law 2/2023 is autonomous and may concur with the disciplinary regime of civil servants, statutory or labour personnel that is applicable in each case.
23. What are the implications of the implementation of an internal information system in relation to the Register of Processing Activities?
The approval of an Internal Information System entails the creation of a new processing activity or updating of existing ones in accordance with the Register of Processing Activities of the entity (RAT).
24. How is the 50 employees in private sector entities calculated?
To determine whether the entity has 50 or more workers, the provisions of Article 3 of Royal Decree 901/2020, of 13 October, which regulates Equality Plans, could serve as a guide.
25. Are there any exceptions to the calculation of 50 workers?
Regardless of the number of workers, the following private sector entities must have an internal information system:
• Where they fall within the scope of the European Union acts relating to financial services, products and markets, prevention of money laundering or terrorist financing, transport security and environmental protection referred to in Parts I.B and II of the Annex to Directive (EU) 2019/1937 of the European Parliament and of the Council, of 23 October 2019.
• Political parties, trade unions, business organisations and foundations created by them, provided that they receive or manage public funds.
26. What is the implementation period of the Internal Information System (SII) for administrations, agencies, companies and other obligated entities?
The deadline expired on June 13, 2023.
27. What is the implementation period of the Internal Information System (SII) for municipalities with less than 10,000 inhabitants?
Until December 1, 2023.
28. What is the implementation period of the Internal Information System (SII) for municipalities with more than 10,000 inhabitants?
The deadline expired on June 13, 2023
29. What is the implementation period of the Internal Information System (SII) for private sector legal entities with 249 or fewer workers?
Until December 1, 2023
30. What is the implementation timeline of the Internal Information System for private sector legal entities with 250 or more employees?
The deadline expired on June 13, 2023
31. What is an Internal Information System?
An internal information system is a structure that aims to ensure that employees, public or private, can report irregularities within the organization itself, so that they can be monitored.
The Internal Information System is made up of:
• An internal channel for receiving information or complaints.
• A procedure for the management of such information or complaints,
• A person responsible for management and processing.
The System must offer full guarantees of independence, confidentiality, security and that those who come to the channel do not suffer reprisals.
The internal information system must be part of the organisation’s integrity strategy, as well as promoting good public governance and safeguarding the general interest through ethical commitment, making it possible to eliminate bad practices and consolidate citizens’ trust in their institutions.
In any case, the administrative body or governing body of each entity or body will be responsible for the implementation of the Internal Information System, after consultation with the legal representation of the workers, and will have the status of controller of the processing of personal data in accordance with the provisions of the regulations on the protection of personal data.
32. Which entities are required to have an internal information system?
In the public sector: all administrations and public entities.
The following may share the Internal Information System and the resources allocated to investigations and processing:
• Municipalities with less than 10,000 inhabitants.
• Entities belonging to the public sector that have less than 50 workers linked to or dependent on bodies of the territorial administrations
In any case, it must be ensured that the systems are independent of each other and that the channels appear differentiated.
In the private sector: natural or legal persons with 50 or more workers.
The internal information system and the resources for the management and processing of communications may be shared by legal entities in the private sector with between 50 and 249 employees.
33. What are the requirements that the management procedure of the Internal Information System (SII) must meet?
• Identify the internal information channel (website, bulletin board, banners, etc.).
• Include clear and accessible information about external channels.
• Send acknowledgement of receipt to the informant, without jeopardizing confidentiality.
• Determine the maximum period for responding to the investigation actions.
• Enable communication with the informant and request additional information from him/her.
• Inform the affected person, as well as to be heard at any time, respecting the presumption of innocence and their honour.
• Protect personal data.
• Refer to the Public Prosecutor’s Office facts that may constitute a crime, and to the European Public Prosecutor’s Office if they affect the interests of the European Union.
34. What happens if an entity already has an Internal Information System (SII)?
It may be used to comply with Law 2/2023 by adapting to the requirements established therein.
35. Is it possible for the Internal Information System (SII) to be managed by an external third party?
In the field of public administrations , it may only be agreed that a third party will receive the information.
In any case, the insufficiency of own resources must be justified in accordance with the Law on Public Sector Contracts.
The Valencian Anti-Fraud Agency offers information and advice on how to install internal channels at no economic cost, for which it is necessary to sign a collaboration protocol beforehand.
36. Within the Internal Information System (SII) can various channels coexist in addition to the channel provided for in Law 2/2023?
Yes, as long as they appear differentiated so that confusion is not generated.
37. Can the same channel act at the same time as an internal channel of one organism and as an external channel of another?
No. Internal channels must always be part of the structure of the body or entity, and external channels will depend on the competent administrative authority, whether state or regional.
38. Should public bodies with functions of investigation of infringements have an internal channel and also an external channel?
Yes. The external channel must be created for the communications of non-compliances that people outside the organization wish to make and whose investigation depends on the entity.
39. What media can be shared in the public sector?
Municipalities with less than 10,000 inhabitants can share the information reception tool among themselves or with other administrations that exercise their powers in the same autonomous community. In this case, the channels of the different public entities must appear differentiated so that confusion is not generated.
However, each local entity will have its Person Responsible for the SII.
As an example of shared media in the Valencian public sector, the Council of the Generalitat has approved the text of a standard agreement through which entities of its linked public sector that have less than 50 workers can apply for membership.
40. What media can be shared in the private sector?
In private companies and groups of companies, it is allowed to share the SII and the person in charge, regardless of the number of workers.
41. Can the management of the Internal Information System be outsourced?
Only the implementation and maintenance of the channel, understood as a mailbox or channel for receiving information (computer tool), can be outsourced.
42. Is it necessary to negotiate the Internal Information System with the workers’ representatives?
Prior consultation with the legal representation of the workers is necessary, not collective bargaining (in public administrations the matters subject to negotiation are listed in article 37 of the TREBEP).
Consultation is mandatory but not binding.
It is considered a good practice that consultation can be made to all workers, especially in small municipalities.
43. How can the obligation of Law 2/2023 to carry out a consultation with the legal representation of workers be complied with in small and understaffed municipalities?
Firstly, the workers’ representatives must be correctly summoned. If they do not show up for the meeting, minutes must be drawn up.
The mayor, as the senior manager of all staff, may then gather the workers to inform them of the SII, and minutes will be drawn up after the meeting.
In addition, all the documentation of the SII must be sent to all workers through communication from the electronic file manager, opening a hearing period for allegations (the email of each employee’s work is an informal channel).
Finally, the SII must be approved, stating in the file all the above circumstances and then its implementation must be carried out and all the information must be transferred to both the legal guardians of the workers and the workers themselves.
44. What anonymization criteria must be taken into account to comply with the requirements of Law 2/2023?
The tool used as a channel to receive the information must allow anonymity. The AVAF uses free free software that meets the specifications of the Law and advanced requirements in technological security; it prevents the tracking of the computer’s IP through the TOR application.
This tool is available to the administrations and the Valencian public sector through the signing of a protocol. We recommend its use and facilitate its implementation through a few small instructions in a simple, fast and free way.
In the event that the whistleblower chooses to identify himself/herself, the guarantee of confidentiality extends to the confidentiality of his/her identity. The identity of any other third party mentioned in the communication and in the actions carried out during the management and processing is also preserved.
The protection of personal data is very demanding in the Law. The criteria of the Spanish Data Protection Agency https://www.aepd.es/documento/guia-basica-anonimizacion.pdf and the practical guidelines found on its website may be useful https://www.aepd.es/guias/orientaciones-riesgo-brechas-masivas-aapp.pdf
45. Should the complainant be informed of the existence of external channels?
Yes. Information shall be provided on the existing external reporting channels to the competent authorities and to the institutions of the European Union.
In the case of the Valencian Community, the external information channel of Law 2/2023 is the AVAF with respect to the entities included in Article 3 of Law 11/2016, of 28 November, of the Generalitat. The AVAF Complaints Mailbox can be accessed through the following link: https://www.antifraucv.es/buzon-de-denuncias-2/
Other external channels of information are:
• National Anti-Fraud Coordination Service
• Court of Auditors
• European Anti-Fraud Office
• Public Prosecutor’s Office or European Public Prosecutor’s Office
• Labour Inspection
• National Commission on Markets and Competition or competent body at regional level
• AEAT or ATV
• Ombudsman or Catalan Ombudsman
46. How and where should the information from the Internal Information System be provided?
The information must be on the bank’s website, specifically on the homepage, in a separate and easily identifiable section. In the case of not having a website, it must be easily accessible to all possible users of the internal channel.
Adequate, clear and easily accessible information will be given on the existence, use and operation of the channel and on the essential principles of the management procedure.
47. How to preserve the identity of the informant in small entities?
The person in charge of SII must act with the utmost rigour and caution in complying with confidentiality and the duty of secrecy and secrecy. The identity or any circumstance that could identify the informant should never be revealed.
The person in charge of the SII is responsible for the diligent processing of the information management procedure and must carry out his/her functions objectively, independently and autonomously. They may not receive instructions of any kind and must have all the personal and material means necessary to carry out their task.
48. If the complainant chooses to present his or her communication in the internal channel first, can this have negative consequences?
No. The Law provides for the preferential nature of the internal channel, but the whistleblower is free to choose the channel (internal or external), depending on the circumstances and the risks of reprisals that he or she considers.
Diligent and effective action by the internal channel within the organisation itself could paralyse the harmful consequences of the actions under investigation.
49. Am I obliged to keep an Information Register?
Yes. Every internal information channel must have a record book of the information received and the internal investigations to which it has given rise.
This register must in all cases guarantee the confidentiality requirements provided for in this Law, as well as be in a secure database.
50. Who has access to the record book of information received and internal investigations? Is this book public?
No, it is not public. Access is restricted exclusively to the person responsible for the SII.
As an exception, the competent judicial authority may have access to a reasoned request by order and within the framework of a judicial procedure.
51. Who is responsible for keeping and managing the logbook of information received and internal investigations?
To the person responsible for the SII.
52. What minimum data should the logbook of information received and internal investigations have?
• Date of receipt of the information.
• Alphanumeric identification code.
• Actions carried out.
• Measures adopted.
• Closing date.
53. Who can be the Heads of Internal Information Systems (IHR)?
Individuals or collegiate bodies. If it is a collegiate body, it must delegate to one of its members the powers of managing the Internal Information System and processing investigation files.
They must carry out their functions independently and autonomously with respect to the rest of the entity’s bodies, reporting directly to the governing body. In addition, it must offer full guarantees of confidentiality and security with respect to the information it handles.
54. Who should appoint the person responsible for the Internal Information System (IHR)?
The governing body or administrative body of the entity.
55. Which profile is most suitable to fulfill the functions of Internal Information System Manager (IHR)?
In entities or bodies in which there is already a person responsible for the function of regulatory compliance or integrity policies, he or she may be designated as the Head of the System, provided that he or she meets the requirements established in the Law.
Each entity has to assess the suitability of the corresponding person, who offers the greatest guarantees of independence and autonomy necessary to exercise their functions and with the necessary preparation and training.
56. What happens if there is a conflict of interest of the Person in Charge of the Internal Information System (IHR)?
They must abstain from the procedure in accordance with the provisions of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector.
It is recommended that the governing body or administrative body has pre-established a system of substitutes.
57. What is the deadline within which the Valencian Anti-Fraud Agency must be notified to the Head of the Internal Information System (RSII)?
10 working days from their appointment.
58. What are the regulations governing the Register of Persons Responsible for the Internal Information System (RSII) in the Valencian Community?
The applicable regulation is Resolution No. 504/2023 of the Director of the Agency, which creates the Register of Heads of Internal Information Systems (DOGV No. 9601, of 23.05.2023).
59. How and to whom should the appointment and, where appropriate, the dismissal of the person responsible for the internal information system be notified?
It must be notified to the Independent Authority for the Protection of Whistleblowers, A.A.I. of the State, or, where appropriate, to the competent authorities or bodies of the Autonomous Communities, within the scope of their respective competences.
The AVAF must be notified in the case of entities that make up the public sector of the Valencian Community, within ten working days of the appointment or dismissal (the dismissal will always be motivated). We have a specific procedure in the electronic office: https://sede.antifraucv.es/carpetaciudadana/tramite.aspx?idtramite=16811.
60. What must be provided to make the communication to the Valencian Anti-Fraud Agency of the Head of the Internal Information System (RSII)?
• The completed electronic office procedure form.
• Copy or certificate from the governing body that accredits the designation of the natural person or collegiate body.
61. And the private sector of the Valencian Community, how and to whom should it notify the appointment and, where appropriate, the dismissal of the person responsible for the internal information system?
The AVAF does not have jurisdiction over the private sector referred to in Law 2/2023 although, in the absence of a specific authority, state or regional, the AVAF records in its register the appointment or dismissal of the person responsible for the SII, which can be communicated through the specific procedure of the electronic office:
https://sede.antifraucv.es/carpetaciudadana/tramite.aspx?idtramite=16811
62. Can the person responsible for the SII require information or data outside their administration or entity to carry out their checks?
The person responsible for the SII may request the collaboration of another public administration or entity in the event that it is essential for the correct resolution of the communication.
63. Could the person responsible for the SII be a lawyer from the administration’s Legal Services? If so, would it have to abstain for legal defense in legal proceedings that are caused by a communication previously processed through the SII?
Yes. This circumstance is not among the reasons for abstention from Law 40/2015 (Article 23).
64. Which is the competent body that must approve the information management procedure and the appointment of the IHR?
The administrative body or governing body of each entity or body according to its organisational structure and competences.
By way of example or guidance:
• In a town hall: the mayor, the Local Government Board or the municipal plenary.
• In an autonomous body: the Presidency, the Council or the Management.
• In a public law entity: the Presidency, Governing Council or the Management.
• In a public company: the General Meeting or the Board of Directors.
• In a foundation: the Board of Trustees or the Governing Board.
• In a chamber of commerce, industry and navigation: Plenary, the Executive Committee or the Presidency
• In professional associations: General Assembly or the Governing or Executive Board.
• In public universities: The Governing Council, the Rector, the Board of Directors.
65. What is the legal nature and content of the information management procedure?
The Law does not indicate this, although it includes some minimum requirements, such as respect for the rights and guarantees of the informants and those affected.
In practice, some municipalities consider it to be a regulatory rule and follow its processing (article 133 Law 39/2015) and other municipalities, usually the smallest, approve the procedure by Decree or Resolution of the Mayor’s Office (article 21.1.s of Law 7/1985, of April 2, Regulating the Bases of the Local Regime).
66. The importance of the interview in the information management procedure
Sometimes, interviewing the person affected by the communication or complaint provides relevant information and data and is very useful for the investigation. It is a recommended practice that can be carried out by the persons responsible for the SII within the instruction of the procedure, always with absolute respect for the presumption of innocence and maintaining confidentiality and secrecy.
67. In what cases is the inadmissibility of the communication received in the internal channel admissible?
• When the facts reported lack any plausibility.
• When the communication is manifestly unfounded or lacking in substance, or is manifestly false, or is based solely on opinions or formulated in a vague or excessively generic manner.
• When the facts reported do not constitute an infringement of the legal system included in the scope of application of Law 2/2023.
• When there are reasonable indications that the communication has been obtained through the commission of a crime, in which case, in addition to the inadmissibility, a detailed account of the facts will be sent to the Public Prosecutor’s Office.
• When it is manifestly repetitive, unless new factual or legal circumstances are found that justify a new assessment. This cause shall be understood to exist when it does not contain new and significant information with respect to previous communications previously inadmissible or duly investigated.
• When it is being investigated by the judicial authority.
68. If there are indications of a crime, when should we send the information to the Public Prosecutor’s Office?
At the same moment that it is known that the facts may constitute a crime. Like this:
• At the time the communication is received, in which case the correct thing to do is to reject the communication and send it to the Public Prosecutor’s Office.
• Later, during the investigation, in which case the proceedings will be finalized and sent to the Public Prosecutor’s Office.
69. How should we send the information to the Public Prosecutor’s Office?
With all the relevant elements to enable the investigation of the facts denounced.
70. How can it be guaranteed that no right of defence of the person concerned is violated during the investigation?
Preserving their identity and guaranteeing the confidentiality of the facts and data of the procedure. In addition, the presumption of innocence, the right of defence and the right of access to the file must be very rigorous.
71. Within what period of time must the respondent be answered?
The maximum period for responding to the informant of the investigation proceedings may not exceed three months from the receipt of the communication, except in cases of special complexity that require an extension of the period, in which case it may be extended to a maximum of another three months.
72. Can there be an appeal against the actions of the person responsible for the SII?
No. The actions and report prepared by the Responsible Person in relation to the communications, information or complaints submitted to him or her will not be appealable in administrative or contentious-administrative proceedings.
The decisions adopted by the entity’s decision-making body following the internal investigation actions carried out by the person in charge of the SII shall also not be appealable in administrative or contentious-administrative proceedings, without prejudice to the administrative or contentious-administrative appeal that may be lodged against the eventual resolution that puts an end to the sanctioning procedure that may be initiated on the occasion of the events reported.
Reports and procedures must focus in any case on strengthening integrity infrastructures and information culture within organizations and, where appropriate, on ventilating possible responsibilities where appropriate.
73. Do the officials who carry out the internal investigation in an administration have the status of agents of the authority?
No. However, the civil servants of the external channel have the status of authority: the state authority and the analogous autonomous authorities (AVAF).
74. Who can access the protection measures included in the Law?
In addition to informants or complainants, those related to them who may be harmed or reprisal, such as family members or co-workers, will be able to access.
75. What about retaliation?
Acts of retaliation, including threats and attempted reprisals, are expressly prohibited.
Retaliation is understood to be any act or omission prohibited by law, or that directly or indirectly involves unfavourable treatment that places the people who suffer them at a disadvantage compared to others in the work or professional context, solely because of their status as informants.
76. What are the most common retaliations?
• Opening of disciplinary proceedings and dismissal.
• Degradation or denial of promotions and substantial modifications of working conditions.
• Damages, including reputational damages, or financial loss, coercion, intimidation, harassment or ostracism.
• Denial or cancellation of licenses, permits, or training.
• Discrimination, or unfavorable or unfair treatment.
77. What are the measures to protect against retaliation?
The best protection is anonymity.
The Law requires the creation and implementation of secure channels that guarantee confidentiality by admitting both anonymous and identifying complaints.
The persons who communicate this information do not incur liability, provided that access to the information does not constitute a crime and except for the legal responsibilities that may arise. For example: providing information in a distorted way or through illicit or null evidence.
In judicial proceedings or before another authority, relating to the damage suffered by the whistleblower, once the whistleblower has reasonably demonstrated that he has suffered damage, it will be presumed that it is a retaliation (reversal of the burden of proof).
In legal proceedings in which the whistleblower may be immersed, he or she will have the right to argue in his or her favour, having made a complaint or provided information.
In any case, protection does not exempt the complainant from the responsibilities that he or she may have incurred for acts other than the complaint.
78. What are the support measures established by Law 2/2023 for the person who reports or reports?
• Free information and advice, on available procedures and remedies, protection from retaliation and the rights of the person affected.
• Effective assistance by the competent authorities to any authority involved in their protection against retaliation, including certification that they are eligible for protection under this Law.
• Legal assistance in criminal proceedings and cross-border civil proceedings in accordance with Community law.
• Financial and psychological support, exceptionally, after the assessment of the circumstances.
All this, regardless of the assistance that may correspond according to Law 1/1996 on free legal aid, for the representation and defence in legal proceedings arising from the presentation of the communication or public disclosure.
79. Is a person who, having participated in an irregularity, communicates or reveals it publicly, entitled to protection?
Yes. The requirements to have the protection measures indicated by the Law are:
• To communicate or disclose infringements within its scope of action.
• Have reasonable grounds that the information is truthful when communicated or disclosed.
• To make the communication or disclosure in accordance with the Law.
80. Can legal persons be protected?
Yes. The Law expressly provides for the application of whistleblower protection measures to legal entities in which they work or maintain relationships in a work context, or in which they hold a significant stake.
81. Is there a right to protection measures when reporting on conduct that is not included in the material scope of the Law?
No. The Law expressly excludes from protection those actions or omissions that are not included in its scope of application.
82. What rights and guarantees do whistleblowers have in the SII and in the external channel?
https://www.antifraucv.es/wp-content/uploads/2024/07/Derechos_garantias.pdf
83. What rights and guarantees do affected persons have in the SII and in the external channel?
https://www.antifraucv.es/wp-content/uploads/2024/07/Derechos_garantias.pdf
84. What is the scope of the granting of the Whistleblower Protection Statute regulated by Law 11/2016?
Complainants to whom the AVAF grants protection status shall have the following rights:
• To legal advice in relation to the complaint made and advice on the procedures that may be brought against the complainant on the basis of the complaint.
• That their complaint is not considered a breach of the duty of secrecy.
• To be aware of the status of the processing of their complaint and the results of the investigation.
• To psychological care and support.
• To allege in their defense in any process that is followed against them that they have filed a complaint or have disclosed certain information.
• To the reversal of the burden of proof in the event of retaliation.
• To compensation for damages caused, including moral damages.
• To their workers’ compensation.
• To their personal and family safety.
The person protected by the AVAF has the duty to cooperate in the investigation that is carried out, at the request of the Agency, the Public Prosecutor’s Office or the judicial authority.
85. Who should provide these support measures?
The AVAF in the territory of the Valencian Community and with respect to the administrations and the Valencian public sector.
86. Who is the Independent Authority for the Protection of Whistleblowers in the Valencian Community?
The Agency for the Prevention and Fight against Fraud and Corruption (Valencian Anti-Fraud Agency or AVAF) is the authority in the Valencian Community with respect to its scope of action, which is the public sector (Article 3 of Law 11/2016). This function is attributed by virtue of the provisions of Article 14 of Law 11/2016, of 28 November, of the Generalitat, on the creation of the Agency.
Likewise, by virtue of Law 3/2024, of 27 June, of the Generalitat, amending the aforementioned Law 11/2016, the whistleblower enjoys the protection established in State Law 2/2023, of 20 February, regulating the protection of persons who report on regulatory and anti-corruption breaches and, additionally, in this Law and its implementing regulations.
Consolidated text of Law 11/2016
87. Why does an administration or public entity need to sign a collaboration protocol with the Valencian Anti-Fraud Agency?
The Agency facilitates, through the signing of protocols, help and advice for the implementation of a free whistleblowing channel, as well as offering training and information on the application of Law 2/2023.
If your administration or public entity is interested in subscribing to a protocol, you can send an email to juridico@antifraucv.es
To see the protocol model click here: https://www.antifraucv.es/wp-content/uploads/2024/07/Propuesta-Protocolo_AVAF_CAS-VAL.pdf
88. Is it necessary for a public sector entity, attached or linked to a public administration of the Valencian Community, to sign a protocol with the Valencian Anti-Fraud Agency?
If your public sector entity is attached to or linked to a public administration that has already signed a protocol with the Agency, it will not be necessary to sign a new protocol to obtain this collaboration. However, if you wish, you can sign a specific protocol.
If it is a consortium, it will not be necessary to sign a protocol if it has already been signed by the public administration participating in the consortium in a majority way.
You can download all the questions and answers in pdf in the following LINK
You can also consult the online workshop on the
Internal Information Systems after Law 2/2023.