The criminal courts in Spain have sole jurisdiction to prosecute criminal corporate conduct. The investigation and prosecution of criminal offences, therefore, falls to the examining magistrates' courts, which are responsible for conducting the preliminary investigation stage in criminal proceedings. In this role they are assisted by the state law enforcement bodies.
The examining magistrates' courts conduct preliminary enquiries that are primarily aimed at gathering information and documentation that may serve as evidence (searches, interception of communications, etc.). In these enquiries they may adopt precautionary measures to ensure that the proceedings are conducted effectively (preventive or provisional detention, bonds or attachments).
Judges are required to investigate any indication of a crime and are not restricted as to what may be found, having broad powers for the purpose. They have a duty to ascertain the facts and circumstances that allow the conduct in question to be regarded as criminal, and then to (1) investigate the defendant (identification and gathering of personal details), (2) determine the damage caused and (3) identify the person responsible.
Any investigative measures that violate fundamental rights (for instance, the interception of personal communications and searches of and dawn raids on private premises) may only be agreed to in exceptional circumstances and are subject to authorisation by the court. In addition, it is necessary to ascertain what criminal act is being investigated, and whether the use of that measure of investigation is justified and proportional within the context of the investigation. The court must oversee the organisation and implementation of the measure.
Additionally, officials of the Public Prosecutor's Office, within the scope of their duties, may carry out investigations that result in the referral of the case in question to the relevant court authority.
Given also that the role of the Public Prosecutor's Office includes the actual filing of criminal actions, the public prosecutor may appear in the criminal proceedings and lead public prosecution.
Other government agencies (such as the tax authorities, the National Securities Market Commission, the employment authorities or the Bank of Spain) may bring proceedings against individuals or companies in relation to other corporate conduct, adjudge them responsible for offences provided for by law and impose penalties. These agencies are able to require the production of documents and to interview individuals, as long as there is no violation of the subject's fundamental rights.
During any administrative proceedings conducted by the aforementioned government agencies, if it is suspected that the activity constitutes a criminal offence, proceedings will be stayed and the case immediately referred to the Public Prosecutor's Office or to the court.
The government's criminal policy unquestionably has an impact on the prosecutorial role. This policy is influenced not only by national needs or priorities but by the international obligations that must be fulfilled by the government; however, the effects of the policy do not extend beyond the day-to-day work of the courts and investigations.
Act 5/2010 of 22 June 2010 introduced for the first time the criminal liability of legal entities.
Accordingly, under Article 31-bis of Act 5/2010, a legal entity could be held criminally liable, 'in the cases provided for in this Code',2 for:
- offences committed on its behalf or for its benefit by its legal representatives and de facto or de jure directors; and
- offences committed on its behalf and for its benefit by persons who, in the fulfilment of their duties and subject to the authority of the aforementioned individuals, would have performed the criminal acts as a result of a lack of due control over them.
Notwithstanding the foregoing, Act 1/2015 of 30 March amending the Penal Code, which entered into force on 1 July 2015, modified the above-mentioned Article 31-bis, making corporate entities liable as follows. In the cases provided for in this Code,3 these entities will be criminally liable for:
- offences committed for and on behalf of them and to their direct or indirect benefit, by their legal representatives or by those persons who, acting individually or as members of a body of the legal entity, are authorised to take decisions on behalf of the legal entity or have organisational or management powers therein; and
- offences committed in the performance of corporate duties and for and on behalf of them and to their direct or indirect benefit, by those persons who, being subject to the authority of the persons referred to in the foregoing paragraph, have been able to carry out the offences as a result of the failure by the latter to fulfil their duties of supervision, monitoring and control of the activity of the former, bearing in mind the specific circumstances of the case.
The latest reform of the Criminal Code was passed by Act 1/2019 and entered into force on 13 March 2019. It did not change the wording of the Article referred to above but extended corporate criminal liability to public misappropriation offences4 and terrorism crimes.5
As a result of these provisions, legal entities may be held to be criminally liable and must, therefore, ensure that they have suitable corporate compliance programmes in place that provide for the possibility of investigation of any internal wrongdoing, but there is no obligation to report the conduct discovered by the company. Under Article 31-quater, the criminal liability of a legal entity may, however, be mitigated in the following circumstances:
- disclosure of the offence to the authorities prior to learning that proceedings have been brought;
- cooperation by providing evidence to the investigation that is new and decisive for shedding light on the criminal liability;
- reparation or mitigation of any damage caused by the offence prior to the criminal trial; or
- prior to the trial, taking effective measures to prevent and detect any possible offences that could be committed in the future using the resources of the legal entity.
This would be reflected by a reduction in the penalty imposed in accordance with the rules set out by Article 66 of the Criminal Code, which is proportionate to the extent of the cooperation provided but will not totally exempt the company from liability.
In conclusion, although no obligation of self-reporting is established, it could have very positive results for the legal entity and must be decided on a case-by-case basis.
From a criminal standpoint, it is advisable as well as necessary that the company cooperates with the public offices in charge of the case. Such public–private cooperation will lead to a win-win situation.
In addition, although the lack of collaboration with the authorities is permitted as part of the rights of defence of the entity under investigation, according to case law this conduct will prevent the legal person from appearing in court as a private prosecution.
ii Internal investigations
As already indicated, as a result of the entry into force of Act 5/2010 and the introduction of the criminal liability of legal entities, an increasing number of companies are implementing corporate compliance programmes that set out suitable monitoring and control measures for preventing criminal conduct on the part of their directors, legal representatives or employees.
A very important part of a corporate compliance programme, which allows a business to ascertain whether sufficient controls are in place, is without doubt the internal investigation of any irregular conduct that becomes known within the company.
In other words, corporate compliance programmes must include specific measures for the prevention and detection of possible criminal offences. It should be stressed that the reform introduced by Act 1/2015 expressly set the requirements for an effectual corporate compliance programme, including reporting channels facilitating the detection of possible risks and infringements to the body entrusted with monitoring the operation and observance of the prevention model.
Thus, internal investigations are a necessary consequence of the corporate criminal liability introduced by Act 5/2010 that could be mitigated or exempted with an appropriate compliance programme in force.
For these purposes, in recent years it is becoming increasingly common for businesses to establish direct communication or reporting channels with their employees so that the latter have a means of reporting any conduct that they deem could constitute misconduct or illegal activity, or a breach or violation of laws or regulations (internal regulations of the company or legal regulations), and that has had or could have a negative impact on the business, without being afraid that disciplinary or discriminatory measures or any other actions of retaliation will be taken as a result of having reported the conduct.
In this regard, the business must establish clear and accessible communication channels that enable information to be received correctly and promptly by the relevant persons. Different information sources may be used for warning of possible irregular conduct; for example, work carried out by the internal audit department, whistle-blowing, exit interviews, rumours and employee satisfaction surveys.
That being said, there are three ways of conducting internal investigations: (1) periodical reviews of the measures implemented for the prevention and detection of possible criminal offences within the company; (2) an internal investigation started because of irregular conduct of which the entity has become aware; and (3) a defensive investigation once a criminal proceeding has been initiated.
Nonetheless, there are no specific provisions on how to conduct internal investigations in our legal system, so they are not particularly regulated yet. Therefore, once possible irregular conduct is known, the company will investigate it in accordance with the rules set out in its guidelines on internal investigations. Normally, the person in charge of starting the internal investigation is the compliance officer.6
Corporate investigations can be conducted by both internal and external counsel. Whether outside counsel is needed will be determined by the nature of the facts reported, the positions the wrongdoers hold and the expertise required for conducting the investigation, among other factors.
When there is suspicion of the committing of a crime, it is always advisable to retain an outside counsel to assure independence during the course of the investigation, to guarantee the authorities the objectivity of the results achieved, as well as to preserve professional secrecy in the exchange of documentation and information.
Only the communications of outside legal counsel will be totally protected by professional secrecy in Spain. There is no legal provision regarding in-house counsel, who are bound to the company (the client) by means of an employment relationship and, therefore, are not considered independent. In this regard, although it may be thought that in-house counsel's communications with the entity are not protected under legal privilege, this issue is still under discussion and is not yet clear.
The professional secrecy of lawyers is enshrined in the right to personal privacy7 and the right to a fair defence,8 and releases them from the obligation to report events of which they are aware as a result of the explanations of their clients,9 and to testify regarding those events that the accused has disclosed in confidence to his or her lawyer as the person entrusted with his or her defence.10 This exemption applies to the production of documents in criminal proceedings at the request of the court, and to any other measure of investigation authorised by the court for the purposes of seizure of the requested documents.
With regard to forensic professionals and external auditors who also participate and produce reports during the internal investigation, they are not strictly protected by privilege, but by the confidentiality of the information learned. Nonetheless, if they are engaged by an outside legal counsel and as part of the right of defence of the client, it could be argued that the privilege is maintained.
However, it is quite difficult to construe that other professionals besides lawyers are entitled to claim professional secrecy to refrain from being cross-examined by the court.
Thus, the question is not yet clear in Spain and, therefore, there is still much work to be done in this regard.
As regards the internal investigation process, the interviewing of the persons involved, the gathering of information, the inspection – if possible, by independent third parties – of the company's computers and servers, and the request of documentation, including any documents in the possession of third parties, etc., are fundamental and must be recorded properly. Particularly relevant is the maintenance of the chain of custody when gathering information from electronic devices during the internal investigation, both to be able to use it as evidence if a criminal proceeding is initiated and to avoid declarations of invalidity of such evidence.
As regards the interviewing of employees and the possibility of being accompanied by a lawyer, this will depend on the policy existing at the company regarding internal investigations. In any event, it is customary, especially at the beginning of the investigation, for employees to be informed in detail of the reason for the interview, but not to retain their own lawyers. The most widespread practice is guided by the provisions of employment law, consulting with both the compliance officer and the person responsible for human resources regarding the specific case in question to ensure that the investigation is appropriate and proportionate and respects the rights of all parties involved.
The most recent Spanish law affecting internal investigations is Act 1/2019 of Business Secrets, which entered into force on 13 March 2019, transposing Directive 2016/943 of the European Union. The aim of the said law is to guarantee the competitiveness of legal entities regarding investigation and innovation as well as the safe transfer of knowledge. Act 1/2019 of Business Secrets defines a 'business secret' as any information or knowledge that: (1) is secret (only certain employees may know about it); (2) has an actual or prospective value within the company; and (3) has been duly protected with measures to remain secret. To protect the information received from a client or provider, the compliance programme of the company should include appropriate measures. Moreover, the signing of a confidentiality agreement between the parties should always be followed with operational measures that guarantee the maintenance of the secrecy. In such regard, Article 2.3.b regulates an exemption where the secrecy of the information or knowledge could be lifted: the measures, procedures and remedies provided should not restrict whistle-blowing activity. Therefore, the protection of trade secrets should not extend to cases in which a disclosure of a trade secret serves the public interest, insofar as directly relevant misconduct, wrongdoing or illegal activity is revealed.
From a criminal standpoint, the figure of the whistle-blower is fairly new in our system as the criminal liability of legal entities did not apply until 2010 and was not clearly regulated until the reform of 2015, when the requirements of compliance programmes and the impact their full implementation will have on the liability of companies was specified in more detail.
Notwithstanding, Organic Law 3/2018, of 5 December, regarding Personal Data Protection and Guarantee of Digital Rights, entered into force on 7 December 2018,11 and introduced provisions in relation to whistle-blowing.
In said regard, the anonymity of the whistle-blower has been finally allowed under Article 24 of this law, but preserving the confidentiality of the personal data gathered as a result of the complaint (especially, the identity of the whistle-blower, when applicable).12
Moreover, it states that the access to the data recorded in the whistle-blowing system is exclusively limited to 'those who, forming or not part of the organisation, are developing internal control and compliance functions, or to those specially designated eventually. However, access by other individuals, or even the disclosure of data to third parties, could be permitted in order to adopt disciplinary measures or for judicial proceedings purposes'.
In addition, Royal Decree 11/2018, of 31 August, transposing the Fourth Directive of the European Union on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing, introduced Article 26-bis of Spanish Act 10/2010, which obligates entities to have in place appropriate procedures for their employees, managers or agents, to report internal breaches through a specific, independent and anonymous channel, proportionate to the nature and size of the obliged entity.
Whistle-blower channels should set out how the reports are received and processed. The company could decide whether the whistle-blowing channel is managed internally or by an external services provider. The latter requires the signing of a confidentiality agreement. In such regard, Circular No. 1/2016 of the Spanish General Prosecutor's Office provides that monitoring and control measures appear to be more effective the higher the level of externalisation is.
If a criminal proceeding is initiated because there are grounds of the commission of a crime or crimes, the whistle-blower could turn into a witness or, in case of participation in the perpetration of the offence, into an accused party. In both cases, the anonymity of his or her identity could no longer be maintained.13
Although there are no incentive programmes for whistle-blowers for reporting wrongdoings to the authorities, if the whistle-blower becomes an accused party to the criminal proceedings, his or her penalty might be mitigated by the court for confession of the illegal act, according to Article 21.5 of the Criminal Code.
Lastly, it should be remarked that on 23 April 2018, the European Union published the proposal for a Directive of the European Parliament and of the Council on the protection of persons reporting on breaches of Union law ('whistle-blower'). In case the proposal turns into a final Directive, the Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with the Directive by 15 May 2021, at the latest.14
As previously said, Act 1/2019 of Business Secrets regulated an exemption to whistle-blowers in accordance with this Directive.
i Corporate liability
As has been already explained, since the entry into force of Act 5/2010, Spanish law has provided for the criminal liability of a corporate entity in certain cases (see Section II.i).
Liability of a company for a crime may exist alongside that of an individual, and the company may also be held liable when no specific individual perpetrator of the offence has been found or no proceedings may be brought against the individual (for example, because of lapse of liability by death or by application of the statute of limitation). This means that any mitigating and aggravating circumstances of either the company or the individual will not be affected by the other's situation. This being the case, the joint representation and defence of the individual and the company may not be compatible, as it is highly likely that conflicts of interest will arise. Thus, in most cases, it may not be advisable to have a joint representation and defence in the criminal proceedings.
In addition to criminal liability, it should be remembered that there are certain civil obligations that arise as a result of criminal offences, so the ex delicto civil liability of companies exists directly and jointly and severally with that of the individuals15 and vicariously.16
Under Article 33.7 of the Criminal Code, the penalties that may be imposed on businesses are as follows:
- quota-based or proportional fines;
- winding up of the company;
- suspension of the company's activities for up to five years;
- closure of the company's premises and facilities for up to five years;
- barring from those activities through which the offence was committed, aided or concealed;
- disqualification from public subsidies and assistance; and
- court intervention.
Article 66-bis of the Criminal Code requires that, when applying any of the aforementioned penalties (except for fines), the judge or court will consider: (1) the need for the penalty to prevent the continuation of the criminal activity or its effects; (2) the economic or social consequences, especially for employees; and (3) the position within the company of the individual who failed to exercise due control.
The Criminal Code seeks to make fines the penalty generally applicable to businesses. The process for determining the fine, in the event of a quota system, entails the court determining the applicable fine period on the basis of the circumstances indicated in the foregoing paragraph, as well as the applicable quota for each daily fine, taking into consideration the financial circumstances of the defendant. In the case of businesses, the daily quota would range from €30 to €5,000.
Article 31-ter, introduced with Act 1/2015, provides that when both parties (legal person and individual) are sentenced to a fine in the same case on the same charges, the size of the fine each must pay is scaled so that the resulting amount is not disproportionate to the severity of the charges.
Finally, the range of potential sanctions will not vary based on the authority bringing the action.
iii Compliance programmes
As stated, Act 1/2015 of 30 March amended the Penal Code and entered into force in July 2015.
Said amendment expressly acknowledged that a legal person may be exempted from criminal liability if it has a corporate compliance programme for the prevention of crime. This acknowledgement put an end to all discussion on the matter since 2010, and for the first time established the requirements that must be met by what the law terms 'an organisation and management model for the prevention of crime'.
When a crime is committed by de facto or de jure directors or legal representatives17 of a legal person, Article 31-bis 2 of the Penal Code makes the following conditions necessary in order for the enterprise to be exempted from criminal liability:
- the crime prevention model must have been adopted and effectively executed prior to the commission of the crime, including monitoring and control measures fit for preventing crimes of the sort in question or for significantly reducing the risk of such crimes;
- the crime prevention model must have been supervised by an authority that has autonomous powers of initiative and control within the legal person (a compliance officer), although when the legal person is 'small',18 supervisory functions may be assigned directly to the governing body of the legal person;
- the individuals who have perpetrated the crime must have fraudulently evaded the organisation and prevention models; and
- the authority entrusted with supervising and running the prevention model must not have failed to exercise, or insufficiently exercised its supervision, monitoring and control functions.
Article 31-bis 4 establishes that, when the crime is committed by persons provided in Article 31-bis 1(b),19 the legal person is exempted from liability if, before the crime was committed, it did in fact adopt and effectively execute an organisation and management model that was adequate to prevent crimes of the sort committed or to reduce significantly the risk of the commission of such crimes.
The Article goes on to say that partial accreditation of the criminal liability exemption requirements set in preceding Articles will be regarded as an attenuating circumstance.
Article 31-bis 5 of the Penal Code sets out the requirements for an effectual corporate compliance programme (one which is fit to qualify the legal person for exemption from criminal liability in future). Qualifying organisation and management models must:
- identify the activities in which the target crimes might be committed. In other words, before an 'organisation and management model for the prevention of crime' can be created, an analysis must be run that includes an in-depth examination of the company's business, its facilities, the legislation applicable to it and to its business, etc. This analysis is what the Anglo-Saxon world calls 'risk assessment'. The goal is to correctly identify and evaluate the company's risk in connection with the sorts of crimes that its directors, legal representatives and employees might reasonably engage in. In short, the idea is to map out the firm's risks;
- establish the exact protocols or procedures for forming the legal person's wishes, making its decisions and executing its decisions in connection with its wishes. Thus, the legal person is equipped with policies, clauses, protocols and, of course, a good internal investigation manual, so that it can detect potential criminal acts;
- set up financial resource management models suitable for averting the target crimes. The governing body's commitment to and engagement with the corporate compliance programme must be reflected in the yearly allocation of resources so that the compliance officer can effectively carry out his or her supervision, monitoring and control functions;
- make it compulsory to report possible risks and infringements to the authority entrusted with monitoring the operation and observance of the prevention model. Reporting channels facilitating the detection of crimes in the company must, therefore, be implemented and all company employees must have access to the reporting channels;
- establish a disciplinary system that properly penalises infringement of the measures established by the model. This condition must be seen in relation to the functions of the compliance officer and the human resources department, and it must necessarily include a reaction plan or protocol for action when a crime is committed, and the system of rules penalising crime; and
- run regular verifications of the model, and modifications of the model, when evidence of major violations of the model is found or when there are changes in the organisation, the control structure or the company's business that make modifications necessary. Not only must a corporate compliance programme be introduced, but follow-up reports must also be given regularly to evaluate the design of the model and the effectiveness of the controls the company has implemented.
The latest reform of the Criminal Code (by Act 1/2019) obligates the companies to review and adapt their compliance programmes to include the new offences that may be committed by the legal entities as well as to take into consideration the stiffening of the penalties in several crimes.20
iv Prosecution of individuals
The action of the company would vary depending on whether the offences were committed before or after 24 December 2010; in other words, depending on whether the provisions on the criminal liability of legal entities are applicable. If Article 31-bis is not applicable, the coordination of all the defences is certainly possible (and in fact, recommended) because the defence of the individual is also the defence of the company. Likewise, the payment of the employees' legal fees is possible as the actions have been carried out by the individuals in the performance of their corporate duties. If, however, Article 31-bis is applicable, the positions of the company defence may be incompatible and the specific case must be assessed to determine whether the company may coordinate with the individual's counsel and afford their legal fees.
According to Article 13.6 of the Code of Conduct of Spanish Legal Practitioners, lawyers should 'refrain from managing the affairs of a group of clients affected by the same situation, when a conflict of interest arises between them, as there is a risk of violation of professional secrecy or their freedom or independence may be affected'. This provision is consistent with the fundamental right of persons to be defended and assisted by a lawyer enshrined in Article 24 of the Constitution.
Judgment 154/2016 was the pioneering Supreme Court sentence confirming the criminal liability of a corporation and also ruled that conflicts of interest could arise between individuals and legal persons represented in court by the same attorney. For such possible conflicts of interest, there is no general answer, but some possible formulas used in other systems are offered in case conflicts of the kind arise; for example, the judicial appointment of a 'legal/public defender' of the company, or the assignment of the company's defence to the compliance officer.
Another matter analysed in said rulings is the possibility of the trial being annulled when the right to defence of the legal entity is breached for being represented by the natural person who is also accused individually in the same criminal proceeding.
i Extraterritorial jurisdiction
Act 5/2010, Act 1/2015 and Act 1/2019 do not explicitly set out provisions regarding the extraterritorial jurisdiction of the Spanish courts in the event of the application of Article 31-bis of the Criminal Code. Thus, any reference to perpetrators of an offence – Spanish and foreign – contained in the rules on extraterritorial jurisdiction set out in Article 23 of the Spanish Act on the Judiciary must be extended to legal entities.
Accordingly, under criminal law, the courts have jurisdiction to hear any actions for indictable and summary offences committed in Spanish territory (principle of territoriality), notwithstanding the provisions of those international treaties to which Spain is a party. The courts may, however, also hear offences regarded under criminal law as criminal offences even though they have been committed outside the national territory, provided that those persons criminally liable are Spanish persons or foreign persons who have acquired Spanish nationality (active personality principle) after the commission of the offence and the following requirements are met:
- the offence is punishable in the place of enforcement;
- the injured party or the Public Prosecutor's Office files a complaint or criminal complaint before the Spanish courts; and
- the offender has not been acquitted, pardoned or convicted abroad, or in the latter case, has not served a sentence.
Spanish criminal law also applies on an exceptional basis to offences committed outside the national territory, when committed by either a national or a foreign person, provided that they affect the basic interests of the state (known as the absolute principle or principle of protection of interests) or they are offences that violate the dignity of persons, transnational offences or offences committed in areas not subject to the sovereignty of any state (principle of universal justice).
In this regard, the Spanish courts have the possibility of hearing and prosecuting offences of business corruption,21 even though committed by Spanish or foreign persons outside the national territory, provided that one of the following circumstances arises:
- the proceedings are brought against a Spanish person;
- the proceedings are brought against a foreign citizen that normally resides in Spain;
- the offence has been committed by an officer, director, employee or service provider of a commercial undertaking or of a society, association, foundation or organisation that has its permanent address or registered place of business in Spain; or
- the offence has been committed by a legal entity, undertaking, organisation, groups or any other kind of entity or group of persons that has its permanent address or registered place of business in Spain.
ii International cooperation
Spain cooperates with other countries in law enforcement and in prosecutorial functions not only on the basis of international treaties but also following the 'principle of reciprocity' enshrined in Article 13 of the Constitution.
The following European legal mechanisms for international legal assistance apply in Spain, among others:
- the Convention on Mutual Assistance in Criminal Matters of 20 April 1959, as amended by the Schengen Agreement, and the European Convention on Judicial Assistance of 29 May 2000; and
- the European Arrest Warrant regulated in the EU Council Framework Decision of 13 June 2002 and in the Spanish European Arrest Warrant Act 3/2003 (the National Court has a 24-hour service to process European arrest warrants).
In addition to the foregoing international legal cooperation (coordinated through the Spanish Ministry of Justice), the International Cooperation Unit of the Spanish Public Prosecutor's Office is responsible for the supervision and enforcement, where applicable, of the letters rogatory addressed to or issued by the Public Prosecutor's Office.
Likewise, this unit deals with any matter relating to the European Judicial Network, the Ibero-American Network for International Legal Cooperation (IberRED), Eurojust and the International Cooperation Prosecutors Network.
As regards extradition, Spain only grants extradition in compliance with a treaty or the law, in accordance with the principle of reciprocity. In addition, the offences for which extradition is requested must be regarded as a criminal offence under the criminal laws of both states and the sentence for the offence must be at least one year's imprisonment. The Spanish authorities do not grant extradition for political offences.
Spain is a signatory party of the European Convention on Extradition and to a large number of bilateral treaties on extradition.
Finally, the ruling issued by the Court of Justice of the European Union on 6 September 2016 in the Petruhhin case clarified a controversial issue concerning extradition. The Court stated that if a third state (a non-Member State of the EU) requests extradition from a Member State in relation to an EU citizen who is not a national of the requested state, the requested Member State should inform the state of which that citizen is a national, so that the latter can decide whether to start criminal proceedings against its national and, for that purpose, issue a European arrest warrant to the requested state.
iii Local law considerations
Provisions exist that may restrict investigations involving multiple jurisdictions. The most relevant law in this regard is the Personal Data Protection and Guarantee of Digital Rights Act (adopted by Organic Law 3/2018 to comply with European regulations).
International disclosure of personal data (i.e., transfer of data between different states or international organisations) is subject to both the provisions of the European Regulation and the above-mentioned organic law. The main point of Spanish Act 3/2018 is the requirement of the consent of the data owner to allow for its processing, together with the obligation to inform him or her of all the purposes for which the personal data could be used.22
In addition, as previously mentioned, the disclosure to third parties of the data recorded in the whistle-blowing system could only be permitted to adopt disciplinary measures or for judicial proceedings purposes.23
For its part, Article 28.g encourages stronger data protection measures in several cases, such as when personal data is habitually disclosed to third states or international organisations for which a proper level of protection has not been declared.
Personal data protection is also regulated in Articles 236-bis to -decies of the Spanish Act on the Judiciary, last amended by Act 7/2015 of 21 July. Under that regulation, the consent of the owner of the data is not necessary for its processing by the courts, notwithstanding procedural rules regarding the validity of the evidence.24
Finally, banking secrecy is not regarded under law as an asset or property subject to protection in itself or by itself, but as something that is merely instrumental in protecting the real legal interests that merit protection, such as privacy, free competition, business secrets or the security of the state. As a result, in recent rulings, the courts have established that the lawfulness of any information protected by secrecy, either under privacy protection or the protection of a business secret, is a fundamental factor. They have also ruled that, in any event, there are greater interests that warrant the transfer of information to certain public persons (in addition to the interested parties) who are legally authorised to know that information, such as the government authorities responsible for tax fraud and – specifically – the Public Prosecutor's Office and the courts in the investigation and prosecution of criminal offences.
V YEAR IN REVIEW
There are no new developments in sight for the coming year in relation to internal investigations, as the latest reforms of the Criminal Code adopted by Act 1/2019 of 20 February25 and Act 2/2019 of 1 March26 contain no provision in that regard. Nonetheless, internal investigations are gradually making inroads in Spain as legal entities are taking more seriously the full and correct implementation of their compliance programmes to avoid or mitigate future penalties.
In addition, if the European Union proposal for a Directive on whistle-blowing is finally adopted, the Member States shall implement its provisions, which will affect internal investigations, because the following is regulated: (1) the obligation of setting up internal and external channels and procedures for reporting and follow-up of reports; (2) the treatment of the data gathered in the internal investigation; and (3) the penalties to be imposed upon wrongdoers.
To date, there have been 26 judgments by the Supreme Court regarding the criminal liability of legal persons. The most relevant ones could be summarised as follows.
The pioneering Supreme Court judgment (STS 154/2016) has already been mentioned in the previous Section, as it is highly relevant and refers to possible conflicts of interest between natural individuals and corporations.
Next came STS 221/2016, which ruled that, as could not be otherwise under the main principles of Spanish criminal law, a legal entity could only be criminally liable for illegal acts that took place after the reform of the Criminal Code in 2010.
The next remarkable ruling of the Supreme Court was STS 583/2017 of 19 July, which lowered the penalties imposed by the lower court, definitively establishing the criteria to follow for charging legal persons with a crime. The resolution also provided guidelines on the interpretation of penalties set forth in Article 66-bis of the Penal Code, stating that judges shall apply the proportionality principle when a legal person is convicted.
In addition, STS 489/2018 of 23 October analysed the possibility of the legal entity using its employees' emails as evidence in the criminal proceedings. The ruling established that the key point in determining whether or not there has been a violation of the employees' privacy is the existence of consent granted by the employee to the employer to supervise him or her. In other words, to use the employees' emails as valid evidence in court, a prior value judgment should be made to determine whether that possibility was known and contractually permitted by the employee and, therefore, constitutes a proportional measure to investigate an offence. Otherwise, the access will only be permitted under judicial authorisation.
For its part, STS 742/2018 of 7 February 2019 is one of the most noteworthy rulings, as the Supreme Court finally answered criminal or procedural questions regarding corporate liability. As such, it stated that the death of the natural person does not prevent the conviction of the entity. Finally, the Supreme Court clarified that single-member companies could also be held criminally liable.
The following ruling (STS 746/2018 of 13 February 2019) was also notable. The Supreme Court dismissed one of the grounds of an appeal, considering that the fact that the summons did not specify whether the offender should appear in court as a natural person or as representative of the entity did not prevent him from making the tax adjustment provided in Article 305.4 of the Criminal Code. Moreover, Article 31-ter 1 was applied in relation to the adjustment of the penalty between the natural and the legal person. In addition, the Supreme Court clarified that the mitigating circumstance of undue delays could not apply to the entity, but only the redress of damages specifically provided in Article 31-quater c.
Moreover, STS 123/2019 of 8 March is also relevant, because it is the ruling in which the Supreme Court expressly recognised that the lack of a statement from the person designated by the company (because he was not summoned to appear in court) infringes the rights inherent to the defendant parties and therefore leads to the invalidity of the proceedings, which must start over from the investigation phase.
For compliance purposes, STS 192/2019 of 9 April is enlightening, where the Supreme Court makes an analysis of the compliance programmes, emphasising that they should be implemented and focused on preventing corporate crimes, not on avoiding the punishment.
Ruling 234/2019 of the Supreme Court of 8 May 2019 reiterated that the right to the presumption of innocence is also granted to legal entities, as are the other procedural rights recognised to individuals.
STS 499/2019 of 23 October emphasised that the defendant is not entitled to request the investigation of its own company or any other third party (given his or her condition as defendant), nor to try to avoid his or her responsibility by arguing that the company was not investigated in the proceedings.
In addition to the rulings of the High Court, which guide the lower courts, there is other remarkable case law regarding corporate criminal liability that should be highlighted. One example is ruling 516/2017 of the 'Audiencia Provincial' of Santa Cruz de Tenerife of 20 December, which acquitted a company because its right to be heard before the court was not granted and the indictment was not properly formulated.
VI CONCLUSIONS AND OUTLOOK
As has already been discussed, the criminal liability of legal entities was introduced in 2010. Nonetheless, there is still little relevant case law in this field.
Since the 2015 reform, as the provisions are clearer in terms of the implementation of compliance programmes, the role of compliance officers and of internal investigations, it is anticipated that we will have more rulings from superior courts in such matters.
The latest reform, which took place in 2019, has no remarkable aspects regarding corporate criminal liability beyond the aforementioned.
Although past rulings are enlightening for the interpretation of the law, we still have a long way to go and a lot of questions to answer, such as:
- the regime for whistle-blowers, which has been partially regulated by the Data Protection Law but continues to raise doubts in different matters and jurisdictions;
- attorney–client privileges and work-product privilege that may apply during internal investigations;
- the impact of the collaboration with authorities beyond the possibility of applying the general mitigating circumstance in case of confession (following other jurisdictions such as the United States);
- the personal liability of compliance officers for not fulfilling their duties;
- conflicts of interest between legal and natural persons (despite the two rulings of the Supreme Court that superficially analysed such conflicts); and
- the application, in practice, of mitigating and exonerating circumstances and the like, because the case law to date has not been clear enough in this regard.27
1 Mar de Pedraza is the managing partner and Paula Martínez-Barros is partner at De Pedraza Abogados.
2 At that time an entity could be held to be criminally liable only in the following cases: illegal trafficking of organs (Article 156-bis); trafficking of human beings (Article 177-bis); offences relating to prostitution and the corruption of minors (Title VII, Chapter V); the discovery and disclosure of secrets (Article 197.3); fraud (Title XIII, Chapter VI, Section 1); criminal insolvency (Title XIII, Chapter VII); intellectual and industrial property offences; market and consumer-related offences and the new offence of corruption between private parties (commercial bribery) provided for in Article 286-bis (all of which are included under Title XIII, Chapter XI); money laundering (Article 302); tax and social security offences (Title XIV); offences against the rights of foreign citizens and clandestine immigration (Title XV-bis); offences relating to the development and use of land (Article 319); the cases described in Articles 325 and 326 in relation to offences against natural resources and the environment; offences relating to facilities for the storage or disposal of toxic waste (Article 328); the spillage or emission of materials or ionising radiations or the exposure of people to such materials or radiations (Article 343); the handling of materials, equipment or devices that could have devastating effects (Article 348.3); offences against public health involving the growing, manufacture or trafficking of drugs provided for in Articles 368 and 369; the forgery of credit cards, debit cards or cheques and documents in general (Article 399.1-bis); bribery (Title XIX, Chapter V); influence peddling (Title XIX, Chapter VI); offences of corruption in international trade transactions (Article 445); the possession, trafficking and storage of weapons, munitions or explosives; terrorism offences (Title XXII, Chapter V) and several forms of participation in criminal groups or organizations (Title XXII, Chapter VI).
3 Act 1/2015 of 30 March also extended the catalogue of crimes that entail liability. Thus: (1) new Article 258-ter of the Penal Code states that legal persons may also hold criminal liability for the new crimes of frustration of enforcement; (2) Article 304-bis 5 also expressly states that legal entities are criminally liable for the new crime of illegal financing of political parties; (3) Article 288 provides that legal persons may also hold criminal liability for the new offence of corruption in business introduced in new Article 286-ter; (4) for its part, Article 366 of the Penal Code is amended to expand the range of crimes against public health to include the liability of legal persons (Penal Code, Articles 359 to 365); (5) Article 386 is amended so that Section 5 includes liability under Article 31-bis for crimes of counterfeiting; and (6) new Article 510-bis of the Penal Code introduces the liability of legal persons for crimes committed on the occasion of the exercise of fundamental rights and public freedoms guaranteed by the Constitution in relationship with provocation, hate or violence as defined in the new wording of Article 510 of the Penal Code.
4 Section 5 of Article 435 of the Criminal Code.
5 Article 580-bis of the Criminal Code.
6 The compliance officer is the body within the company that has autonomous powers of initiative and control within the legal person, whose existence is one of the requirements set out in Article 31-bis 2 for the exemption of criminal liability.
7 Article 18.1 of the Spanish Constitution.
8 Article 24 of the Spanish Constitution.
9 Article 263 of the Criminal Procedure Act.
10 Articles 416.2 and 707 of the Criminal Procedure Act.
11 This law was a consequence of the implementation of the European Data Protection Regulation which became enforceable in all Member States on 25 May 2018.
12 Nonetheless, it should be highlighted that the anonymity of the whistle-blower can make it difficult not only to duly investigate the case reported, but also to protect the whistle-blower. In addition, employees could misuse anonymity to report in bad faith with the sole purpose of damaging the company.
13 Although 'protected witnesses' exist in Spanish criminal proceedings, Act 19/1994, of 23 December, on the protection of witnesses and expert witnesses in criminal proceedings, is considerably old and not effective in all cases. Notwithstanding, the circumstances to be considered as a 'protected witness' are provided in the said law and, in such case, the anonymity could be maintained.
14 One of the most remarkable provisions of the proposal of the Directive is the prohibition of any form of retaliation against whistle-blowers (Article 14).
15 Article 116.3 of the Criminal Code.
16 Article 120 of the Criminal Code.
17 As seen above, Article 31-bis 1a resulting from Act 1/2015 (unmodified since then) refers to 'legal representatives or those persons who, acting individually or as members of a body of the legal person, are authorised to take decisions in the name of the legal person or hold organisation and control faculties within the legal person'.
18 According to the rewording of Article 31-bis 3 of the Penal Code, 'small' legal persons are those that are authorised by law to submit profit and loss accounts.
19 'Persons acting on behalf of the entity and for its benefit who, in the fulfilment of their duties and subject to the authority of the legal representatives and de facto or de jure directors, could have committed an offence as a result of a lack of due control' (i.e., employees or other controlled individuals).
20 For instance, tax crimes and subsidy frauds now have a lower quantity restriction: the evaded amount that leads to criminal liability has been established from €10,000 to €100,000 with different penalties.
21 These offences were collectively named 'Crimes of business corruption' under Act 1/2015, of 30 March. The different types of offences are provided in Articles 286-bis to 286-quater of the Criminal Code; specifically, the offence of corruption in international business transactions is regulated under Article 286-ter.
22 Article 6 of the Data Protection Act.
23 Article 24 of the Data Protection Act.
24 Article 236-quater of the Spanish Act on the Judiciary.
25 Regarding the transposition of European Union directives in relation to financing and terrorism.
26 In relation to road safety offences.
27 STS 746/2018 of 13 February 2019 denied the application of the mitigating circumstance for undue delays according to the specific wording of Article 31-quater which starts with 'only' when referring to the mitigating circumstances that could be applied to legal persons.