Complaint boxes: What, Who, When, Where and Why

1. Anti-fraud complaint mailboxes: basic concepts

We are facing a new legal obligation. Directive 1937/2019 of the European Parliament and of the Council, of October 23, 2019, regarding the protection of people who report violations of Union Law, establishes the need to promote internal and external reporting channels: “Member States shall promote communication through internal complaint channels before communication through external complaint channels.” (article 7.2). The rule establishes a preference for internal reporting channels over external ones: “Member States shall promote communication through internal reporting channels (…), provided that the infraction can be dealt with effectively internally and provided that the complainant considers that there is no risk of retaliation.” (article 7.2). This need to promote the implementation of internal complaint channels is complemented by the need to articulate the appropriate complaint and follow-up procedures, after consulting the social partners and in accordance with them when established by national law.

However, the complainant may go directly to the external channel if, after the internal complaint, the appropriate measures are not taken; if it is presumed that the complaint to his superiors will not produce effects; or when there is imminent or manifest danger to the public interest.

For its part, the Draft Law transposing Directive 2019/1937 (hereinafter, APL) refers to internal information systems, opting for this less forceful terminology, almost a euphemism, and providing that these internal information systems are the preferential channel for reporting the actions or omissions provided for in article 2, in short, infringements of Union Law provided for in the Directive (article 4 APL). The administration or government body of each entity or body will be responsible for the implementation of the internal information system, after consultation with the legal representation of the workers (art. 5 APL). The management of internal information systems may be carried out within the entity itself or by going to an external third party (art. 6 APL). In addition, all internal information channels will be integrated into the internal information system.

The Preliminary Draft also refers to the anonymization or confidentiality of the informant (understood as “complainant”). Thus, it establishes that the internal information channels must allow the presentation and subsequent processing of anonymous communications (art. 7.3 APL). For its part, the procedure for managing internal communications (understood as “complaints”) is the one established in art. 8 APL, to which we refer. In any case, it will be necessary to follow the evolution of the text already in the phases of the Bill, reports and processing in parliament.

What does seem clear is that the vast majority of public and private entities must have them: “Member States shall ensure that legal entities in the private and public sectors establish channels and procedures for internal reporting and follow-up (…)” (art. 8.1 Directive). According to the Directive itself, the establishment of a complaints channel or mailbox is mandatory for legal entities in the private sector with more than 50 workers. Member States may require it from entities with fewer than 50 workers, but this decision is left to national regulatory development. At the moment, the aforementioned draft law generally regulates the obligation only for private legal entities with 50 or more workers. The same does not happen in the public sector, where reporting channels will be mandatory. In this case, the Directive once again establishes the possibility for Member States to exempt municipalities with fewer than 10,000 inhabitants or with fewer than 50 workers, as well as other legal entities in the public sector with fewer than 50 workers. But here the preliminary bill does not exempt any public sector entity from the obligation, and given that the difficulties of small municipalities can be solved with the sharing of resources and, above all, with the support and assistance of Provincial Councils, Cabildos and Councils, it is more than likely that the obligation will remain.


2. The complaints mailbox of the Valencian Anti-Fraud Agency: a model to reproduce

How can the aforementioned obligation to create and maintain a complaints mailbox be articulated in our public sector entities? Our particular proposal is the model of the Valencian Antifraud Agency. Our complaints mailbox, in this case internal and, as an anti-fraud office, also external in the sense explained above, has been in operation since 2018. It is based on the GlobaLeaks platform and was originally adapted to the current technology and legislation by Xnet. This form could be used and replicated in different institutions and organizations in Spain quickly, with agility and without cost.

The tool can be downloaded from the website of its creator, where its main features are described. We would like to group them into four groups:

1. At the user level: simple management from a web interface, translated into more than 60 languages, fully configurable and customizable with the corporate colors and logos of the different administrations. It can also be adapted to the casuistry of each project, allowing anonymous reporting, the creation of advanced questionnaires, private conversations and exchange of information, and statistical reports.

2. On a technical level: long-term maintenance guaranteed by the developer (LTS), fully autonomous application (no need for web servers or other applications), built using lightweight navigation technologies, integrated backup system, automated configuration of access through the TOR private network and prepared to be integrated with other web pages and intranets.

3. At a legal level: it complies with the standards of ISO 37002:2021 (Management systems for reporting irregularities) as well as with Community Directive 2019/1937 on the protection of whistleblowers of corruption. It complies with the European GDPR data protection regulation, allowing data retention policies to be configured. In the same way, it guarantees the custody of the complainant’s identity (if provided) by protecting access to complaints as well as by not recording the IP addresses of those who make these communications.

4. At the security level: it guarantees access through HTTPS protocols and the TOR network. It is continuously subjected to different penetration tests to guarantee and improve its security. It allows access through two-factor authentication, and all the content provided is encrypted and only accessible to authorized recipients. It leaves no trace in the browser cache, has anti-spam mechanisms and offers support for the exchange of messages through PGP (encryption and signing of messages).

Lastly, at the level of specific support and maintenance, there are several public forums for the tool where it is possible to consult existing answers and raise new questions, which are usually resolved by the developers themselves. If more personalized support and direct attention is wanted, although it is not necessary, it is possible to contract more specific maintenance with the developer; with the information available and the existing user community, however, most questions are resolved quickly. In the same way, product updates are constant and their distribution and application are free, which guarantees the integrity of the platform and its continuous improvement and adaptation to current technology and regulations.

In summary, we are faced with the solution that, in terms of functional and economic efficiency, will offer the best response to the obligations imposed by articles 7 and 10 of Directive 2019/1937 to have internal and external complaint channels. The tool is adaptable to both needs and complies with the technical and security measures that guarantee the protection of the complainant’s identity and restrict access to the reported information to those users who are authorized to do so.

Victor Almonacid Lamelas. Director of Prevention, Training and Documentation of the AVAF
Javier Alama Izquierdo. Head of the AVAF Information Systems Service

VAERSA and the Valencian Anti-Fraud Agency sign a collaboration agreement to develop a framework of integrity and public ethics

Valencia, July 13, 2022.- The public company of the Generalitat Valenciana, Valenciana d’Aprofitament Energètic de Residus, S.A. (VAERSA), and the Valencian Anti-Fraud Agency have signed a collaboration agreement for the implementation of fraud and corruption prevention activities and the promotion of ethics and public integrity.
The agreement is the first that the Agency signs with a public company and has been signed by the general director of VAERSA, Ferran Vicent García, and by the director of the Agency, Joan Llinares.
Among the actions contemplated by the agreement is compliance with the requirements of the European Directive 2019/1937 regarding the protection of people who report violations of Union Law, with VAERSA recognizing the Agency’s Complaints Mailbox as an external channel for its complaints and adhering to it.

In order for the Agency’s Complaints Mailbox to act as an external channel for VAERSA complaints, this entity undertakes to include in a visible place on its website, or any other support it deems appropriate, the link to the AVAF Complaints Mailbox along with clear and precise information about its function and purpose.

The UPV hosts the second day of the interuniversity course “Prevention of corruption risks in public management”


Last Wednesday, July 6, 2022, the second session of the course organized by the Valencian Anti-Fraud Agency in collaboration with the five Valencian public universities took place in the Auditorium of the Polytechnic University of Valencia.

Jesús Marí Farinós, manager of the UPV, welcomed those present in the room and the participants connected online from the University of Valencia, the Jaume I University of Castelló, the Miguel Hernández University of Elche and the University of Alicante. The manager thanked the Valencian Antifraud Agency for its work and willingness to collaborate in holding this initiative.

Delia Cuenca Antolín, services inspector of the General Services Inspection of the Generalitat Valenciana (IGS-GVA), was the first of the speakers at the session and focused her presentation on the IGS-GVA methodology for producing risk maps and for the self-assessment of risks in public procurement.

José Luis Gaona, services inspector at the IGS-GVA, detailed the methodology used by the General Services Inspection in relation to personnel management, and focused on the existing risks in this area, such as, among others, the absence of planning, the failure to detect private activities, or singular remuneration systems.

More than 300 people followed, both in person and online, the conference on June 6 of the first interuniversity course on “Prevention of corruption risks in public management” held at the UPV and aimed at rectory teams, members of commissions of integrity and PAS personnel.

The Valencian Anti-Fraud Agency thanks the conference speakers, Delia Cuenca and José Luis Gaona, for their willingness and collaboration in holding this course, and the Universitat Politècnica de València for all its work and the infrastructure provided for the success of the conference.

The next session of the course will take place at the Miguel Hernández University of Elche on September 15, 2022 with the participation as speakers of Pilar Moreno and Mª Amparo Oliver, training technicians from the Valencian Anti-Fraud Agency.