The criminal courts in Spain have sole jurisdiction to prosecute criminal corporate conduct. The investigation and prosecution of criminal offences, therefore, falls to the examining magistrates' courts, which are responsible for conducting the preliminary investigation stage in criminal proceedings. In this role they are assisted by the state law enforcement bodies.

The examining magistrates' courts conduct preliminary enquiries that are primarily aimed at gathering information and documentation that may serve as evidence (searches, interception of communications, etc.). In these enquiries they may take precautionary measures to ensure that the proceedings are conducted effectively (preventive or provisional detention, bonds or attachments).

Judges are required to investigate any indication of a crime and are not restricted as to what may be found, having broad powers for the purpose. They have a duty to ascertain the facts and circumstances that allow the conduct in question to be regarded as criminal, and then to investigate the defendant (identification and gathering of personal details), determine the damage caused and identify the person responsible.

Any investigative measures that violate fundamental rights (the interception of personal communications, searches of and dawn raids on private premises, etc.) may only be agreed to in exceptional circumstances and are subject to authorisation by the court. In addition, it is necessary to ascertain what criminal act is being investigated, and whether the use of that measure of investigation is justified within the context of the investigation. The court must oversee the organisation and implementation of the measure.

Occasionally, officials of the Public Prosecutor's Office, within the scope of their duties, may carry out investigations that result in the referral of the case in question to the relevant court authority, so that the necessary proceedings may be conducted or so that it may be ruled that there is no case to answer when it is found that there are insufficient grounds for bringing any action.

Additionally, given that the role of the Public Prosecutor's Office includes the actual filing of criminal actions, the public prosecutor may appear in the criminal proceedings and lead the public prosecution, and may also appear at preliminary investigation stages.

Other government agencies (such as the tax authorities, the National Securities Market Commission, the employment authorities or the Bank of Spain) may bring proceedings against individuals or companies in relation to other corporate conduct, adjudge them responsible for offences provided for by law and impose penalties. These agencies are able to require the production of documents and to question individuals, as long as there is no violation of the subject's fundamental rights.

During any administrative proceedings conducted by the aforementioned government agencies, if it is suspected that the activity constitutes a criminal offence, proceedings will be stayed and the case immediately referred to the Public Prosecutor's Office or to the court.

The government's criminal policy unquestionably has an impact on the prosecutorial role. This policy is influenced not only by national needs or priorities but by the international obligations that must be fulfilled by the government; however, the effects of the policy do not extend beyond the day-to-day work of the courts and investigations.

Finally, a company under investigation is not required to cooperate with authorities, but doing so is a mitigating circumstance of its criminal liability that can be applied under Article 31 quater (b) of the Spanish Criminal Code. Moreover, although the lack of collaboration with the authorities is permitted as part of the rights of defence of the entity under investigation, according to case law this conduct will prevent the legal person from appearing in court as private prosecution.


i Self-reporting

Act 5/2010 of 22 June 2010 entered into force in December 2010, amending Act 10/1995 of 23 November 1995 on the Criminal Code. One of the main developments of this legislation was the inclusion for the first time of the criminal liability of legal entities.

Accordingly, under Article 31 bis of Act 5/2010, a legal entity could be held criminally liable, 'in the cases provided for in this Code',[2] for:

  1. offences committed on its behalf or for its benefit by its legal representatives and de facto or de jure directors; and
  2. offences committed on its behalf and for its benefit by persons who, in the fulfilment of their duties and subject to the authority of the aforementioned individuals, would have performed the criminal acts as a result of a lack of due control over them.

Notwithstanding the foregoing, Act 1/2015 of 30 March amending the Penal Code, which entered into force on 1 July 2015, modified the above-mentioned Article 31 bis, making corporate entities liable as follows. In the cases provided for in this Code,[3] these entities will be criminally liable for:

  1. offences committed for and on behalf of them and to their direct or indirect benefit, by their legal representatives or by those persons who, acting individually or as members of a body of the legal entity, are authorised to take decisions on behalf of the legal entity or have organisational or management powers therein; and
  2. offences committed in the performance of corporate duties and for and on behalf of them and to their direct or indirect benefit, by those persons who, being subject to the authority of the persons referred to in the foregoing paragraph, have been able to carry out the offences as a result of the failure by the latter to fulfil their duties of supervision, monitoring and control of the activity of the former, bearing in mind the specific circumstances of the case.

The latest reform of the Criminal Code was passed by Act 1/2019, which entered into force on 13 March 2019. It did not change the wording of the Article but extended corporate criminal liability to misappropriation offences[4] and terrorism crimes.[5]

As a result of these provisions, legal entities may be held to be criminally liable and must, therefore, ensure that they have suitable corporate compliance programmes in place that provide for the possibility of investigation of any internal wrongdoing, but there is no obligation to report the conduct discovered by the company. Under Article 31 quater, the criminal liability of a legal entity may, however, be mitigated in the following circumstances:

  1. disclosure of the offence to the authorities prior to learning that proceedings have been brought;
  2. cooperation by providing evidence to the investigation that is new and decisive for shedding light on the criminal liability;
  3. reparation or mitigation of any damage caused by the offence prior to the criminal trial; or
  4. prior to the trial, taking effective measures to prevent and detect any possible offences that could be committed in the future using the resources of the legal entity.

This would be reflected by a reduction in the penalty imposed in accordance with the rules set out by Article 66 of the Criminal Code, which is proportionate to the extent of the cooperation provided but will not totally exempt the company from liability.

In conclusion, although no obligation of self-reporting is established, it could have very positive results for the legal entity and must be decided on a case-by-case basis.

ii Internal investigations

As already indicated, as a result of the entry into force of Act 5/2010 and the introduction of the criminal liability of legal entities, an increasing number of companies are implementing corporate compliance programmes that set out suitable monitoring and control measures for preventing criminal conduct on the part of their directors, legal representatives or employees.

A very important part of a corporate compliance programme, which allows a business to ascertain whether sufficient controls are in place, is, without doubt, the internal investigation of any irregular conduct that becomes known within the company.

In other words, corporate compliance programmes must include specific measures for the prevention and detection of possible criminal offences. It should be stressed that the reform introduced by Act 1/2015 expressly set the requirements for an effectual corporate compliance programme, including reporting channels facilitating the detection of possible risks and infringements to the authority entrusted with monitoring the operation and observance of the prevention model.

For these purposes, in the last few years it has become increasingly common for businesses to establish direct communication or reporting channels with their employees so that the latter have a means of reporting any conduct that they deem could constitute misconduct or illegal activity, or a breach or violation of laws or regulations (internal regulations of the company or legal regulations), and that has had or could have a negative impact on the business, without being afraid that disciplinary or discriminatory measures or any other actions of retaliation will be taken as a result of having reported the conduct.

In this regard, the business must establish clear and accessible communication channels that enable information to be received correctly and promptly by the relevant persons. Various different information sources may be used for warning of possible irregular conduct, for example, work carried out by the internal audit department, whistle-blowing, exit interviews, rumours and employee satisfaction surveys.

Once possible irregular conduct is known, the company will investigate it in accordance with the rules set out in its guidelines on internal investigations. Normally, the person in charge of starting the internal investigation is the compliance officer.[6]

Corporate investigations can be conducted by both internal and external counsel. The assistance of an outside counsel will be determined according to the nature of the facts reported, the positions the wrongdoers hold and the expertise required for conducting the investigation, among others.

When there is suspicion of the commission of a crime, it is always advisable to retain an outside counsel to assure independence during the course of the investigation, to guarantee the authorities the objectivity of the results achieved, as well as to preserve professional secrecy in the exchange of documentation and information.

Only outside counsel communications will be totally protected by professional secrecy in Spain. There is no legal provision regarding in-house counsel, who are bound to the company (the client) by means of an employment relationship and, therefore, are not considered independent. In this regard, although it may be thought that in-house counsel's communications with the entity are not protected under legal privilege, this is not yet clear.

Professional secrecy should be maintained at all times in any documents (including communications) produced during an internal investigation, even though its scope under Spanish law is more limited than under English law. The professional secrecy of lawyers is enshrined in the right to personal privacy[7] and the right to a fair defence,[8] and releases them from the obligation to report events of which they are aware as a result of the explanations of their clients,[9] and to testify regarding those events that the accused has disclosed in confidence to his or her lawyer as the person entrusted with his or her defence.[10] This exemption applies to the production of documents in criminal proceedings at the request of the court, and to any other measure of investigation authorised by the court for the purposes of seizure of the requested documents.

During the internal investigation process, the interviewing of the persons involved, the gathering of information, the inspection – if possible, by independent third parties – of the company's computers and servers, and the request of documentation, including any documents in the possession of third parties, is fundamental and must be recorded properly.

As regards the interviewing of employees and the possibility of being accompanied by a lawyer, this will depend on the policy existing at the company regarding internal investigations. In any event, it is customary, especially at the beginning of the investigation, for employees to be informed in detail of the reason for the interview, but not to retain their own lawyers. The most widespread practice is guided by the provisions of employment law, consulting with both the compliance officer and the person responsible for human resources regarding the specific case in question to ensure that the investigation is appropriate and proportionate and respects the rights of all parties involved.

iii Whistle-blowers

From a criminal standpoint, the figure of the whistle-blower is fairly new in our system since the criminal liability of legal entities did not apply until 2010 and was not clearly regulated until the reform of 2015, when the impact that full implementation of compliance programmes will have on the liability of companies was specified in more detail.

Notwithstanding this, Organic Law 3/2018 of 5 December regarding personal data protection and the guarantee of digital rights entered into force on 7 December 2018[11] and introduced provisions in relation to whistle-blowing.

In this regard, the anonymity of the whistle-blower has finally been allowed under Article 24 of this law, while preserving the confidentiality of the personal data gathered as a result of the complaint (especially the identity of the whistle-blower, when applicable). Moreover, it states that access to the data recorded in the whistle-blowing system is exclusively limited to:

those who, forming or not part of the organisation, are developing internal control and compliance functions, or to those specially designated eventually. However, access by other individuals, or even the disclosure of data to third parties, could be permitted in order to adopt disciplinary measures or for judicial proceedings purposes.

If criminal proceedings are initiated on the grounds of suspected criminal activity, the whistle-blower could become either a witness or an accused party. In both cases, the anonymity of his or her identity would not be maintained.

Although there are no incentive programmes for whistle-blowers to report to the authorities, if the whistle-blower becomes an accused party to the criminal proceedings, his or her penalty could be mitigated by the court for confession of the illegal act, according to Article 21.5 of the Criminal Code.

Finally, on 23 April 2018, the European Union published the proposal for a Directive of the European Parliament and of the Council on the protection of whistle-blowers. If this proposal becomes a final directive, the Member States must bring into force the laws, regulations and administrative provisions necessary to comply with the Directive by 15 May 2021, at the latest.[12]


i Corporate liability

As has been already explained, since the entry into force of Act 5/2010, Spanish law has provided for the criminal liability of a corporate entity in certain cases (see Section II.i).

Liability of a company for a crime may exist alongside that of an individual, and the company may also be held liable when no specific individual perpetrator of the offence has been found, or no proceedings may be brought against the individual (for example, because of lapse of liability by death or by application of the statute of limitation). This means that any mitigating and aggravating circumstances of either the company or the individual will not be affected by the other's situation. This being the case, the joint representation and defence of the individual and the company may not be compatible, since it is highly likely that conflicts of interest will arise. Thus, in most cases, it may not be advisable to have a joint representation and defence in the criminal proceedings.

In addition to criminal liability, it should be remembered that there are certain civil obligations that arise as a result of criminal offences, so the ex delicto civil liability of companies exists directly and jointly and severally with that of the individuals[13] and vicariously.[14]

ii Penalties

Under Article 33.7 of the Criminal Code, the penalties that may be imposed on businesses are as follows:

  1. quota-based or proportional fines;
  2. winding up of the company;
  3. suspension of the company's activities for up to five years;
  4. closure of the company's premises and facilities for up to five years;
  5. barring from those activities through which the offence was committed, aided or concealed;
  6. disqualification from public subsidies and assistance; and
  7. court intervention.

Article 66 bis of the Criminal Code requires that, when applying any of the aforementioned penalties (except for fines), the judge or court will consider the need for the penalty to prevent the continuation of the criminal activity or its effects, the economic or social consequences, especially for employees, and the position within the company of the individual who failed to exercise due control.

The Criminal Code seeks to make fines the penalty generally applicable to businesses. The process for determining the fine, in the event of a quota system, entails the court determining the applicable fine period on the basis of the circumstances indicated in the foregoing paragraph, as well as the applicable quota for each daily fine, taking into consideration the financial circumstances of the defendant. In the case of businesses, the daily quota would range from €30 to €5,000.

Article 3 ter 1, introduced with Act 1/2015, provides that when both parties (legal person and individual) are sentenced to a fine in the same case on the same charges, the size of the fine each must pay is scaled so that the resulting amount is not disproportionate to the severity of the charges.

Finally, note that the range of potential sanctions will not vary based on the authority bringing the action.

iii Compliance programmes

As stated, Act 1/2015 of 30 March, which amended the Penal Code, entered into force in July 2015.

This amendment expressly acknowledges that a legal person may be exempted from criminal liability if it has a corporate compliance programme for the prevention of crime. This acknowledgement put an end to discussion on the matter, and for the first time established the requirements that must be met under what the law terms 'an organisation and management model for the prevention of crime'.

When a crime is committed by de facto or de jure directors or legal representatives[15] of a legal person, Article 31 bis 2 of the Penal Code makes the following conditions necessary for the enterprise to be exempted from criminal liability:

  1. the crime prevention model must have been adopted and effectively executed prior to the commission of the crime, including monitoring and control measures fit for preventing crimes of the sort in question or for significantly reducing the risk of such crimes;
  2. the crime prevention model must have been supervised by an authority that has autonomous powers of initiative and control within the legal person (a compliance officer), although when the legal person is 'small',[16] supervisory functions may be assigned directly to the governing body of the legal person;
  3. the individuals who have perpetrated the crime must have fraudulently evaded the organisation and prevention models; and
  4. the authority entrusted with supervising and running the prevention model must not have failed to exercise, or insufficiently exercised its supervision, monitoring and control functions.

Article 31 bis 4 establishes that, when the crime is committed by the persons referred to in Article 31 bis 1(b),[17] the legal person is exempted from liability if, before the crime was committed, it did, in fact, adopt and effectively execute an organisation and management model that was adequate to prevent crimes of the sort committed or to reduce significantly the risk of the commission of such crimes.

The Article goes on to say that partial accreditation of the criminal liability exemption requirements set in the preceding Articles will be regarded as an attenuating circumstance.

Article 31 bis 5 of the Penal Code sets out the requirements for an effectual corporate compliance programme (one that is fit to qualify the legal person for exemption from criminal liability in future). Qualifying organisation and management models must:

  1. identify the activities in which the target crimes might be committed. In other words, before an 'organisation and management model for the prevention of crime' can be created, an analysis must be run that includes an in-depth examination of the company's business, its facilities, the legislation applicable to it and to its business, etc. This analysis is what the Anglo-Saxon world calls 'risk assessment'. The goal is to correctly identify and evaluate the company's risk in connection with the sorts of crimes that its directors, legal representatives and employees might reasonably engage in. In short, the idea is to map out the firm's risks;
  2. establish the exact protocols or procedures for forming the legal person's wishes, making its decisions and executing its decisions in connection with its wishes. Thus, the legal person is equipped with policies, clauses, protocols and, of course, a good internal investigation manual, so that it can detect potential criminal acts;
  3. set up financial resource management models suitable for averting the target crimes. The governing body's commitment to and engagement with the corporate compliance programme must be reflected in the yearly allocation of resources so that the compliance officer can effectively carry out his or her supervision, monitoring and control functions;
  4. make it compulsory to report possible risks and infringements to the authority entrusted with monitoring the operation and observance of the prevention model. Reporting channels facilitating the detection of crimes in the company must, therefore, be implemented and all company employees must have access to the reporting channels;
  5. establish a disciplinary system that properly penalises infringement of the measures established by the model. This condition must be seen in relation to the functions of the compliance officer and the human resources department, and it must necessarily include a reaction plan or protocol for action when a crime is committed, and the system of rules penalising crime; and
  6. run regular verifications of the model, and modifications of the model, when evidence of major violations of the model is found or when there are changes in the organisation, the control structure or the company's business that make modifications necessary. Not only must a corporate compliance programme be introduced, but follow-up reports must also be given regularly to evaluate the design of the model and the effectiveness of the controls the company has implemented.

iv Prosecution of individuals

The action of the company would vary depending on whether the offences were committed before or after 24 December 2010, in other words, depending on whether the provisions on the criminal liability of legal entities are applicable. If Article 31 bis is not applicable, the coordination of all the defences is certainly possible (and in fact, recommended) since the defence of the individual is also the defence of the company. Likewise, the payment of the employees' legal fees is possible as the actions have been carried out by the individuals in the performance of their corporate duties. If, however, Article 31 bis is applicable, the positions of the company defence may be incompatible and the specific case must be assessed in order to determine whether the company may coordinate with the individual's counsel and pay their legal fees.

According to Article 13.6 of the Code of Conduct of Spanish Legal Practitioners, lawyers should 'refrain from managing the affairs of a group of clients affected by the same situation, when a conflict of interest arises between them, as there is a risk of violation of professional secrecy or their freedom or independence may be affected'. This provision is consistent with the fundamental right of persons to be defended and assisted by a lawyer enshrined in Article 24 of the Constitution.

As regards measures that may be taken against employees, an effective corporate compliance programme must include a disciplinary system that suitably penalises the breach of measures established in the model. As described above, the disciplinary system was expressly provided for in Act 1/2015 (Article 31 bis 5(5)).


i Extraterritorial jurisdiction

Act 5/2010, Act 1/2015 and Act 1/2019 do not explicitly set out provisions regarding the extraterritorial jurisdiction of the Spanish courts in the event of the application of Article 31 bis of the Criminal Code. Thus, any reference to perpetrators of an offence – Spanish and foreign – contained in the rules on extraterritorial jurisdiction set out in Article 23 of the Spanish Act on the Judiciary must be extended to legal entities.

Accordingly, under criminal law, the courts have jurisdiction to hear any actions for indictable and summary offences committed in Spanish territory (principle of territoriality), notwithstanding the provisions of those international treaties to which Spain is a party. The courts may, however, also hear offences regarded under criminal law as criminal offences even though they have been committed outside the national territory, provided that those persons criminally liable are Spanish persons or foreign persons who have acquired Spanish nationality (active personality principle) after the commission of the offence and the following requirements are met:

  1. the offence is punishable in the place of enforcement;
  2. the injured party or the Public Prosecutor's Office files a complaint or criminal complaint before the Spanish courts; and
  3. the offender has not been acquitted, pardoned or convicted abroad, or in the latter case, has not served a sentence.

Spanish criminal law also applies on an exceptional basis to offences committed outside the national territory, when committed by either a national or a foreign person, provided that they affect the basic interests of the state (known as the absolute principle or principle of protection of interests) or they are offences that violate the dignity of persons, transnational offences or offences committed in areas not subject to the sovereignty of any state (principle of universal justice).

In this regard, Spanish Act 1/2014 of 13 March on universal justice amended Spanish Act 6/1985 of 1 July on the judiciary, specifically the wording of Article 23.4.[18] This amendment introduced the possibility of the Spanish courts hearing and prosecuting offences of business corruption,[19] even though committed by Spanish or foreign persons outside the national territory, provided that one of the following circumstances arises:

  1. the proceedings are brought against a Spanish person;
  2. the proceedings are brought against a foreign citizen that normally resides in Spain;
  3. the offence has been committed by an officer, director, employee or service provider of a commercial undertaking or of a society, association, foundation or organisation that has its permanent address or registered place of business in Spain; or
  4. the offence has been committed by a legal entity, undertaking, organisation, groups or any other kind of entity or group of persons that has its permanent address or registered place of business in Spain.

ii International cooperation

Spain cooperates with other countries in law enforcement and in prosecutorial functions not only on the basis of international treaties but also following the 'principle of reciprocity' enshrined in Article 13 of the Constitution.

The following European legal mechanisms for international legal assistance apply in Spain, among others:

  1. the Convention on Mutual Assistance in Criminal Matters of 20 April 1959, as amended by the Schengen Agreement, and the European Convention on Judicial Assistance of 29 May 2000; and
  2. the European Arrest Warrant regulated in the EU Council Framework Decision of 13 June 2002 and in the Spanish European Arrest Warrant Act 3/2003 (the National Court has a 24-hour service to process European arrest warrants).

In addition to the foregoing international legal cooperation (coordinated through the Spanish Ministry of Justice), the International Cooperation Unit of the Spanish Public Prosecutor's Office is responsible for the supervision and enforcement, where applicable, of the letters rogatory addressed to, or issued by, the Public Prosecutor's Office.

Likewise, this unit deals with any matter relating to the European Judicial Network, the Ibero-American Network for International Legal Cooperation (IberRED), Eurojust and the International Cooperation Prosecutors Network.

As regards extradition, Spain only grants extradition in compliance with a treaty or the law, in accordance with the principle of reciprocity. In addition, the requirement of dual criminality must be met; in other words, the offences for which extradition is requested must be regarded as a criminal offence under the criminal law of both states, and the sentence for the offence must be at least one year's imprisonment. The Spanish authorities do not grant extradition for political offences.

Spain is a signatory to the European Convention on Extradition and to a large number of bilateral treaties on extradition.

In addition, the ruling issued by the Court of Justice of the European Union on 6 September 2016 regarding the Petruhhin case clarified a controversial issue referring to extradition. It stated that if the extradition is requested by a third state (non-European) to an EU Member State in relation to a European citizen (non-national) of the requested state, the requested EU Member State should inform the state of which the European citizen is a national for the latter to adopt the decision to start a criminal proceeding against its national and request a European Arrest Warrant.

iii Local law considerations

Provisions exist that may restrict investigations involving multiple jurisdictions. The most relevant law in this regard is the Personal Data Protection and Guarantee of Digital Rights Act (adopted by Organic Law 3/2018 to comply with European regulations).

The international disclosure of personal data (i.e., transfer of data between different states or international organisations) is subject to both the provisions of the European Regulation and the above-mentioned organic law. The main point of Spanish Act 3/2018 is the requirement for the owner of the data to consent to its treatment, and for him or her to be informed about the aims for which the personal data could be used.[20]

In addition, as previously mentioned, the disclosure to third parties of the data recorded in the whistle-blowing system could only be permitted to adopt disciplinary measures, or for judicial proceedings purposes.[21]

For its part, Article 28(g) encourages increasing data protection measures in several cases, such as when the personal data is disclosed, habitually, to third states or international organisations for which a proper level of protection has not been declared.

Personal data protection is also regulated under Articles 236 bis to decies of the Spanish Act on the Judiciary, modified by Act 7/2015 of 21 July. Under this regulation, the consent of the owner of the data is not necessary for its treatment by the courts, notwithstanding procedural rules regarding the validity of the evidence.[22]

As regards banking secrecy, this is not regarded under the law as an asset or property that merits protection, but as something that is merely instrumental in protecting the real legal interests that merit protection, such as privacy, free competition, business secrets or the security of the state. As a result, in recent rulings, the courts have established that the lawfulness of any information protected by secrecy, either under privacy protection or the protection of a business secret, is a fundamental factor. They have also ruled that, in any event, there are greater interests that warrant the transfer of information to certain public persons (in addition to the interested parties) who are legally authorised to know this information, such as the government authorities responsible for tax fraud, and – specifically – the Public Prosecutor's Office and the courts in the investigation and prosecution of criminal offences.


There are no foreseeable developments for the coming year in relation to internal investigations, as the latest reforms of the Criminal Code adopted by Act 1/2019 of 20 February23 and Act 2/2019 of 1 March24 do not contain any provision in this regard. However, internal investigations are gradually making inroads in Spain as legal entities are taking the full and correct implementation of their compliance programmes more seriously to avoid or mitigate future penalties as a consequence of internal wrongdoing.

In addition, if the European proposal for a directive on whistle-blowing finally passes, Member States must implement its provisions, which will affect internal investigations. This includes regulating the obligation to set up internal and external channels and procedures for reporting and following up on reports; the treatment of the data gathered in the internal investigation; and the penalties to be imposed on wrongdoers.

To date, there have been 21 judgments by the Supreme Court regarding the criminal liability of legal persons.

The first ruling regarding corporate criminal liability was issued on 2 September 2015 but there was not enough evidence, and both the entity and the individual accused of fraud were acquitted.

On 29 February 2016, a pioneering Supreme Court judgment confirming the criminal liability of a corporation was delivered (STS 154/2016). This ruling provided guidelines for legal entities to comply with the law and norms through the implementation of models of prevention and control according to Article 31 bis of the Criminal Code so as to avoid penalties.

Two judgments from the Supreme Court about the criminal liability of legal persons – on 16 March 2016 (STS 221/2016) for property embezzlement and on 13 June 2016 (STS 516/2016) for crimes against the environment – ruled that legal persons could not be criminally responsible because the illegal acts took place before the reform of the Criminal Code.

Rulings STS 154/2016 and 221/2016 of the Supreme Court warned about the future conflicts of interest that may arise between the accused natural person (who represents the legal person) and legal persons that are represented in court by the same counsel, which may cause a breach of the right to defence of the legal entity.

Without prejudice to the court affirming that there is no general answer for this question, some possible formulas used in other systems are offered in case conflicts of the kind arise, for example, the judicial appointment of a 'legal or public defender' of the company, or the assignment of the company's defence to the compliance officer.

Another matter analysed in these rulings is the possibility of the trial being annulled when the right to defence of the legal entity is breached because it is represented by the natural person who is also accused individually in the same criminal proceeding.

The following rulings by the Supreme Court did not shed light on interpreting the criminal liability of legal persons: STS 740/2016 of 6 October; STS 827/2016 of 3 November; STS 31/2017 of 26 January, in which the company could not be held responsible and was declared vicariously and civilly liable; and STS 121/2017 of 23 February, which acquitted the company of a crime against workers' rights as the conviction of a legal person for such an offence is not possible according to the Penal Code.

One remarkable ruling of the Supreme Court was STS 583/2017 of 19 July, which upheld the criminal liability of six companies for money laundering offences (and against public health), but lowered the penalties imposed by the lower court. This judgment confirmed previous Supreme Court case law and definitively established the criteria to follow for charging legal persons with a crime. The resolution also provided guidelines on the interpretation of penalties set forth in Article 66 bis of the Penal Code, stating that judges shall apply the proportionality principle when a legal person is convicted.

The following ruling of the Supreme Court in relation to corporate criminal liability was STS 668/2017 of 11 October, which stressed that a legal entity could only be held criminally liable for an offence if an effective compliance programme has not been implemented.

Next, STS 316/2018 of 28 June was delivered. It added nothing on corporate criminal liability other than stating that the offence of misappropriation could not be committed by a legal entity, and introducing the concepts of ad extra and ad intra offences (the latter being crimes in which the injured party is the entity itself, through the commission of misappropriation or disloyal administration offences). STS 353/2018 of 12 July and STS 365/2018 of 18 July followed the same principle and added nothing remarkable about the criminal liability of legal entities. The same could be said of the subsequent STS 436/2018 of 28 September 2018.25

STS 489/2018 of 23 October analysed the possibility of the legal entity using employees' emails as evidence in criminal proceedings. This ruling established that the key to determining whether there has been a violation of the employees' privacy is the existence of consent granted by the employee to the employer to supervise him or her. In other words, to use the employees' emails as valid evidence in court, it must be determined whether this possibility was known and contractually permitted by the employee and, therefore, constitutes a proportional measure to investigate an offence. Otherwise, the access will only be permitted under judicial authorisation.

Two days later, the delivery of STS 506/2018 of 25 October created controversy since it appeared to suggest a change in case law. Contrary to the grounds of Act 1/2015, this ruling tied the criminal liability of the entity to that of the natural person who committed the offence, stating that if the unlawfulness of the action of the natural person was not declared, the same principle should apply to the legal entity.

STS 561/2018 of 15 November did not refer to corporate criminal liability. STS 737/2018 of 5 February 2019 then reiterated that the implementation of an effective compliance programme does not affect civil and personal liability, regardless of whether this clarification was clear enough before the ruling.

STS 742/2018 of 7 February 2019 is noteworthy in that the Supreme Court finally answered criminal or procedural questions regarding corporate liability. As such, it stated that the death of the natural person does not prevent the conviction of the entity. Finally, the Supreme Court clarified that single-member companies could also be held criminally liable.

STS 746/2018 of 13 February 2019 was also remarkable. The Supreme Court dismissed one of the grounds of appeal, as the summons did not specify if the offender should appear in court as a natural person or as representative of the entity, preventing him from making the tax adjustment provided in Article 305.4 of the Criminal Code. Moreover, Article 31 ter 1 was applied in relation to the adjustment of the penalty between the natural and legal person. In addition, the Supreme Court clarified that the mitigating circumstance of undue delays could not apply to the entity, but only the redress of damages specifically provided in Article 31 quater c).

STS 108/2019 of 5 March examined in depth the criminal circumstances that constitute money laundering.

The last ruling of the Supreme Court (STS 123/2019 of 8 March) analysed procedural aspects. The Supreme Court has expressly recognised that lacking a statement from the company's representative (because he or she was not summoned to appear in court) infringes the rights inherent to the defendant parties and, therefore, leads to the invalidity of the proceedings, which must then restart the investigation phase.


As has already been discussed, the criminal liability of legal entities is quite new in Spanish legislation and there is little case law in this regard. As stated, to date there have been 21 judgments of the Supreme Court, but only four analysing in depth procedural or criminal questions that could be applicable to all entities.

Since the 2015 reform, as the provisions are clearer in terms of the implementation of compliance programmes, the role of compliance officers and of internal investigations, it is likely we will have more rulings from superior courts in these matters.

The most recent reform, taking place in 2019, has no remarkable aspects regarding corporate criminal liability.

Although past rulings are enlightening for the interpretation of the law, we still have a long way to go and many questions to answer, concerning, for example:

  1. the regime for whistle-blowers, which has been partially regulated by the new European General Data Protection Law but continues to be a cause for concern in different matters and jurisdictions;
  2. attorney–client privileges that may apply during internal investigations;
  3. the impact of collaboration with authorities beyond the possibility of applying general mitigating circumstances in the case of confession;
  4. the personal liability of compliance officers for not fulfilling their duties;
  5. conflicts of interest between legal and natural persons; and
  6. the application, in practice, of mitigating and exonerating circumstances and the like since the case law remains inadequately transparent in this regard.26


1 Mar de Pedraza is the managing partner and Paula Martínez-Barros is a partner at De Pedraza Abogados.

2 At that time an entity could be held to be criminally liable only in the following cases: illegal trafficking of organs (Article 156 bis); trafficking of human beings (Article 177 bis); offences relating to prostitution and the corruption of minors (Title VII, Chapter V); the discovery and disclosure of secrets (Article 197.3); fraud (Title XIII, Chapter VI, Section 1); criminal insolvency (Title XIII, Chapter VII); intellectual and industrial property offences; market and consumer-related offences and the new offence of corruption between private parties (commercial bribery) provided for in Article 286 bis (all of which are included under Title XIII, Chapter XI); money laundering (Article 302); tax and social security offences (Title XIV); offences against the rights of foreign citizens and clandestine immigration (Title XV bis); offences relating to the development and use of land (Article 319); the cases described in Articles 325 and 326 in relation to offences against natural resources and the environment; offences relating to facilities for the storage or disposal of toxic waste (Article 328); the spillage or emission of materials or ionising radiations or the exposure of people to such materials or radiations (Article 343); the handling of materials, equipment or devices that could have devastating effects (Article 348.3); offences against public health involving the growing, manufacture or trafficking of drugs provided for in Articles 368 and 369; the forgery of credit cards, debit cards or cheques and documents in general (Article 399.1 bis); bribery (Title XIX, Chapter V); influence peddling (Title XIX, Chapter VI); offences of corruption in international trade transactions (Article 445); the possession, trafficking and storage of weapons, munitions or explosives; terrorism offences (Title XXII, Chapter V) and several forms of participation in criminal groups or organisations (Title XXII, Chapter VI).

3 Act 1/2015 of 30 March also extended the catalogue of crimes that entail liability. Thus: (1) new Article 258 ter of the Penal Code states that legal persons may also hold criminal liability for the new crimes of frustration of enforcement; (2) Article 304 bis 5 also expressly states that legal entities are criminally liable for the new crime of illegal financing of political parties; (3) Article 288 provides that legal persons may also hold criminal liability for the new offence of corruption in business introduced in new Article 286 ter; (4) for its part, Article 366 of the Penal Code is amended to expand the range of crimes against public health to include the liability of legal persons (Penal Code, Articles 359 to 365); (5) Article 386 is amended so that Section 5 includes liability under Article 31 bis for crimes of counterfeiting; and (6) new Article 510 bis of the Penal Code introduces the liability of legal persons for crimes committed on the occasion of the exercise of fundamental rights and public freedoms guaranteed by the Constitution in relationship with provocation, hate or violence as defined in the new wording of Article 510 of the Penal Code.

4 Section 5 of Article 435 of the Criminal Code.

5 Article 580 bis of the Criminal Code.

6 The compliance officer is the authority that has autonomous powers of initiative and control within the legal person, whose existence is one of the requirements set out in Article 31 bis 2 for the exemption from criminal liability.

7 Article 18.1 of the Spanish Constitution.

8 Article 24 of the Spanish Constitution.

9 Article 263 of the Criminal Procedure Act.

10 Articles 416.2 and 707 of the Criminal Procedure Act.

11 This law was a consequence of the implementation of the European General Data Protection Regulation, enforced across all EU Member States on 25 May 2018.

12 One of the most remarkable provisions of the proposal of the Directive is the prohibition of any form of retaliation against whistle-blowers (Article 14).

13 Article 116.3 of the Criminal Code.

14 Article 120 of the Criminal Code.

15 As seen above, Article 31 bis 1(a) of Act 1/2015 (unmodified since then) refers to 'legal representatives or those persons who, acting individually or as members of a body of the legal person, are authorised to take decisions in the name of the legal person or hold organisation and control faculties within the legal person'.

16 According to the rewording of Article 31 bis 3 of the Penal Code, 'small' legal persons are those that are authorised by law to submit profit and loss accounts.

17 'Persons acting on behalf of the entity and for its benefit who, in the fulfilment of their duties and subject to the authority of the legal representatives and de facto or de jure directors, could have committed an offence as a result of a lack of due control' (i.e., employees or other controlled individuals).

18 Article 23.4 was also modified by Act 2/2015, of 30 March, but only as regards the terrorism section.

19 These offences were collectively named 'crimes of business corruption' under Act 1/2015 of 30 March. The different types of offences are provided in Articles 286 bis to 286 quater of the Criminal Code, with the offence of corruption in international business transactions being regulated under Article 286 ter.

20 Article 6 of the new Data Protection Act.

21 Article 24 of the new Data Protection Act.

22 Article 236 quater of the Spanish Act on the Judiciary.

23 Regarding the transposition of EU directives in relation to financing and terrorism.

24 In relation to road safety offences.

25 An aspect beyond corporate criminal liability could be highlighted in this ruling: the exculpatory cause based on family relationship provided in Article 268 of the Criminal Code could not be applied if additional injured parties exist in the proceedings.

26 STS 746/2018 of 13 February 2019 denied the application of the mitigating circumstance for undue delays according to the specific wording of Article 31 quater, which starts with 'only' when referring to the mitigating circumstances that could be applied to legal persons.