PREAMBLE

I

Citizen collaboration is essential for the effectiveness of the law. Such collaboration is not only manifested in the proper personal fulfillment of the obligations that correspond to each individual, a demonstration of the subjection of all public powers and citizens to the Spanish Constitution and the rest of the legal system (Article 9.1 of the Spanish Constitution), but also extends to the collective commitment to the proper functioning of public and private institutions.

This citizen cooperation is a key element of our rule of law and, furthermore, is considered in our legal system as a duty of every citizen when they witness the commission of a crime, as established in the Criminal Procedure Code. This duty, in the service of protecting the public interest when it is threatened, must be taken into consideration in cases where it conflicts with other duties provided for in the legal system.

Likewise, our legal system provides for citizen participation in public initiatives to promote research into actions that violate urban planning regulations, activities that could harm the environment, or to prevent damage to historical and artistic heritage. These are other examples that have a long tradition in Spanish legislation.

Along the same lines, and in line with the push for European Union law, some sectoral regulations, particularly in the financial and antitrust fields, have incorporated specific instruments to enable those aware of irregular or illegal conduct to provide supervisory bodies with useful data and information. Furthermore, Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, provides for the creation and maintenance of information systems through which a private-law entity may be informed, even anonymously, of the commission, within the entity itself or through the actions of third parties contracting with it, of acts or conduct that may be contrary to the general or sectoral regulations applicable to it.

Furthermore, there are many examples of civic actions that have highlighted the existence of irregular practices and corruption. This has led to investigations that, following the legally established judicial process, have resulted in the imposition of the corresponding criminal convictions for such conduct.

However, it should also be noted that, on occasion, such laudable civic behavior has led to painful consequences for those who report such corrupt practices and other violations, such as pressure from those reported. Therefore, it is essential that the legal system protect citizens when they display courageous behavior that clearly serves the public good. Furthermore, it is important to establish a public awareness that those who break the law must be prosecuted and that violations should not be tolerated or silenced. This is the main purpose of this law: to protect citizens who report violations of the legal system within the framework of a professional relationship.

It is also important to remember that, in line with the trend in the Anglo-Saxon world, which has regulated the protection of so-called "whistleblowers" for years—those who use a whistle to sound an alarm—some autonomous communities have already regulated institutions responsible for receiving communications from citizens reporting irregularities. As an example, and without prejudice to the authorities created by some local entities, it is worth noting that the autonomous communities of Catalonia, Valencia, the Balearic Islands, Navarre, the Principality of Asturias, and Andalusia have addressed the issue of whistleblower protection, although the regulation has been partial and focused primarily on the creation of offices or agencies with the specific function of preventing and investigating cases of fraudulent use or allocation of public funds, illicit exploitation arising from actions involving conflicts of interest or use of privileged information, or, in general, conduct contrary to integrity. That is, they have limited this legislation to the public sphere, in some cases prior to Directive 2019/1937.

The term "whistleblower" has been adopted in some legal systems, such as the French one. Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of EU law uses the term "whistleblower," and this law has opted for the term "informant."

Furthermore, the terms "information" and "communications" have been used interchangeably to avoid repetition, in accordance with proper grammatical and syntactical writing.

II

With the approval of this law, Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 is incorporated into Spanish law. The differences in treatment between the various legal regimes existing in the Member States have generated difficulties in ensuring consistent application of European law and prosecuting its violations. To this end, the aforementioned Directive regulates minimum requirements for the various information channels through which a natural person who becomes aware of a violation of European Union law in a work-related context can report its existence. Specifically, it requires many companies and public entities to have internal information channels because it is considered, as has also been reflected in reports and statistics collected during the drafting of the European text, that it is preferable for the organization itself to be aware of information on irregular practices in order to correct them or repair the damage as quickly as possible. In addition to these internal channels, the Directive requires the establishment of other, so-called "external" information channels, in order to offer citizens communication with a specialized public authority, which can generate greater confidence by allaying their fear of retaliation within their community.

These two clear objectives of the Directive—protecting whistleblowers and establishing minimum standards for information channels—are incorporated into the content of this law.

The law is structured into 68 articles, six additional provisions, three transitional provisions, and twelve final provisions.

III

Title I specifies the purpose and scope of the law.

The purpose of the regulation is to protect individuals who, in a work or professional context, detect serious or very serious criminal or administrative violations and report them through the mechanisms regulated therein.

Regarding its scope, in addition to protecting those who report breaches of EU law as provided for in the Directive of the European Parliament and of the Council of 23 October 2019, this law also covers serious and very serious criminal and administrative violations of our legal system.

It has therefore been deemed necessary to extend the material scope of the Directive to include violations of national law, but limited to serious or very serious criminal and administrative offenses, in order to allow both internal and external information channels to focus their investigative activity on violations considered to have the greatest impact on society as a whole.

Likewise, cases governed by specific regulations, that is, those that regulate the mechanisms for reporting violations and protecting informants provided for by sectoral laws or by the European Union instruments listed in Part II of the Annex to Directive (EU) 2019/1937, are excluded from the material scope of application.

Good faith, the honest awareness that serious, harmful events have occurred or may occur, constitutes an indispensable requirement for the protection of whistleblowers. This good faith is the expression of their civic behavior and is contrasted with other actions that, on the contrary, must be excluded from protection, such as the transmission of false or distorted information, as well as those obtained illegally.

Along with describing the objective scope of application, the law specifies the subjective scope, that is, the individuals who are protected against potential retaliation. Thus, protection extends to all those with professional or employment ties to entities in both the public and private sectors, those who have already terminated their professional relationship, volunteers, interns or trainees, and individuals participating in selection processes. The law's protection also extends to individuals who provide assistance to whistleblowers, those close to them who may suffer retaliation, as well as legal entities owned by the whistleblower, among others.

Title II of the law establishes the legal framework for the Internal Information System, which covers both the channel, understood as a mailbox or channel for receiving information, as well as the System Manager and the procedure. The Internal Information System should be used preferentially to channel information, since diligent and effective action within the organization itself could prevent the harmful consequences of the actions under investigation. However, once this preference has been declared, the informant may choose the channel to follow, internal or external, depending on the circumstances and the risks of retaliation they consider.

This title devotes a first chapter to the provisions applicable to both the public and private sectors.

The configuration of the Internal Information System must meet certain requirements, including ease of use, confidentiality guarantees, and proper monitoring, investigation, and whistleblower protection practices. Furthermore, the designation of a person responsible for ensuring its proper functioning is essential for the effectiveness of the Internal Information System.

It should be noted that anonymous reporting is permitted. When a communication is submitted within the framework of the Internal Information System and falls within the scope of the law, the specific rule contained in this law regarding the possibility of submitting and processing anonymous communications will apply. The Directive establishes as a principle the general duty to maintain the anonymity of the informant. However, this essential pillar of the European standard is exempted when either a national law provides for disclosure or it is requested within the framework of a judicial process, which often occurs, with the judge arguing the need to know the identity of the person who reported the information in order to guarantee the accused's right of defense. Thus, recital 34 states: "Without prejudice to the existing obligations to provide for anonymous reporting under Union law, it should be possible for Member States to decide whether to require legal entities in the private and public sectors and the competent authorities to accept and follow up on anonymous reports of infringements falling within the scope of this Directive."

And Article 6.2 states: "Without prejudice to the existing obligation to have anonymous reporting mechanisms under Union law, this Directive shall not affect the ability of Member States to decide whether or not to require legal entities in the private or public sectors and competent authorities to accept and follow up on anonymous reports of infringements."

Article 9.1.e) also provides for "diligent follow-up where provided for by national law with regard to anonymous reports."

In this regard, one legislative policy option, resulting from comparative models at the international and European levels, has been, as with personal data protection regulations, to regulate anonymous information and protect the person who communicates it.

An essential milestone in the acceptance of anonymous reporting is the United Nations Convention against Corruption, signed in New York on 31 October 2003, which establishes in its Article 13.2: "Each State Party shall take appropriate measures to ensure that the public is aware of the relevant anti-corruption bodies referred to in this Convention and shall facilitate access to such bodies, where appropriate, for the reporting, including anonymous reporting, of any incidents that may be considered to constitute an offence established in accordance with this Convention."

The Council of the European Union, in its Decision of 25 September 2008, on behalf of the then European Community, approved the United Nations Convention against Corruption.

Likewise, in sectoral areas of the European Union, it is worth highlighting Article 5.1 of Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999, which provides that "the Director-General may initiate an investigation where there is sufficient suspicion, which may also be based on information from a third party or anonymous information, that fraud, corruption or other illegal activity has occurred affecting the financial interests of the Union".

It is worth noting that the former advisory body to the European Commission on data protection, the Article 29 Working Party (WP29), in its Opinion 1/2006 on the "Application of EU data protection rules to internal whistleblowing systems in the fields of accounting, controls and auditing matters, anti-corruption, and financial and banking crime", established as a general rule that the whistleblower must identify himself, but there was also the possibility of receiving and processing anonymous reports in certain circumstances.

As can be seen, the European Union institutions have openly supported the possibility of accepting and following up on anonymous reports. To this end, an "anonymous whistleblowing" tool is available to help the European Commission uncover cartels and other antitrust violations and report anticompetitive practices prohibited by EU competition law that cause significant damage to the European economy.

Regarding current national regulations, the possibility of anonymous reporting has already been regulated in several areas. In September 2018, Royal Decree-Law 11/2018 of August 31 introduced the current Article 26 bis into Law 10/2010 of April 28 on the prevention of money laundering and terrorist financing. This article regulates internal procedures for reporting potential breaches (internal reporting channels) so that employees, managers, or agents can report, even anonymously, relevant information about potential breaches of this law, its implementing regulations, or the policies and procedures implemented to comply with them, committed within the obliged entity.

In another area, the aforementioned Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, establishes in its article 24.1: "The creation and maintenance of information systems through which a private law entity may be informed, even anonymously, of the commission within it or in the actions of third parties contracting with it, of acts or conduct that may be contrary to the general or sectoral regulations applicable to it shall be lawful."

Previously, and in various areas, the possibility of filing anonymous complaints had been recognized: Organic Law 12/2007, of October 22, on the disciplinary regime of the Civil Guard, contemplates the possibility that an anonymous complaint may lead to at least the initiation of a "restricted investigation." Furthermore, the State Attorney General's Office, in its Circular 4/2013, of December 30, on investigative proceedings, updated its approach to anonymous complaints. It states that, although complaints must, in principle, meet the requirements set forth in the Criminal Procedure Act to be considered as such, failure to comply with any of these requirements should not lead to their inadmissibility if they reveal facts constituting a crime that can be prosecuted ex officio and appear credible. Initiation of complaints by bringing them to the attention of other authorities or public bodies is becoming increasingly common.

The essential guarantee, however, is contained in Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, as previously indicated, specifically in its article 24.1.

These reporting channels, through anonymity, have helped establish an essential tool for a company's compliance and have been instrumental in receiving serious complaints that employees and collaborators would otherwise be reluctant to report for fear of retaliation if identified.

Some autonomous communities have also extended their protection to anonymous complaints and have established channels for receiving them.

The law differentiates the scope of the obligation to set up these internal channels in the sphere of private organizations from those belonging to the public sector.

In the private sector, in accordance with the Directive, all companies with more than fifty employees will be required to set up an internal information system. In corporate groups, the parent company will be able to implement the principles and policies that underpin the organization of the system for the proper organization and coordination of channels in each of the entities comprising it.

Aware of the potential cost to companies with this new burden, the law allows companies with more than fifty employees and fewer than two hundred and fifty employees to share resources and means for managing the information they receive, always making clear the existence of their own channels within each company.

However, regardless of the number of employees, all political parties, unions, business organizations, and any foundations dependent on them are required to have an Internal Information System, provided they receive public funding. This requirement stems from the unique constitutional role these organizations play, as proclaimed in Articles 6 and 7 of the Spanish Constitution, as a manifestation of political pluralism and a vehicle for the defense and protection of their respective economic and social interests. The existence of corruption cases affecting some of these organizations increases public concern about the proper functioning of institutions. Therefore, it is essential to demand that these organizations maintain an exemplary attitude that fosters public confidence in them, since the proper functioning of the democratic system largely depends on it. Hence, the obligation to establish, regardless of the number of employees, an Internal Information System to swiftly address any indication of a serious or very serious criminal or administrative violation against the public interest. The widespread implementation of an internal information system will facilitate the eradication of any suspicion of nepotism, patronage, misuse of public funds, irregular financing, or other corrupt practices.

With regard to the public sector, the law has broadly extended the obligation to have an internal information system. Consequently, public administrations, whether territorial or institutional, independent authorities or other bodies that manage social security services, universities, companies and foundations belonging to the public sector, as well as public law corporations, must establish such a system. Similarly, all constitutional bodies and bodies of constitutional relevance, as well as those mentioned in the Statutes of Autonomy, are also required to have an internal information system.

As noted, it is important to ensure that all institutions, agencies, and other entities exercising public functions have an effective system for detecting the irregular practices described in this regulation, regardless of the size of the entity or the territorial scope in which it exercises its powers.

Thus, while it is true that the Directive grants Member States the right to exempt municipalities with fewer than 10,000 inhabitants from certain obligations, this law does not contemplate this exception. Consequently, in response to the need to provide a common and general framework for the protection of informants and to avoid creating loopholes that could seriously harm the public interest, the obligation to maintain an internal information system is extended to all municipalities. However, this obligation is accompanied by certain clarifications to facilitate compliance by municipalities with a population of less than 10,000. The law allows these municipalities to share information-receiving resources with other administrations exercising their powers in the same autonomous community. This possibility does not exempt each local administration from having a person responsible for its internal information system.

In any case, it must be emphasized that it is considered appropriate for each municipality to have its own internal information system, and therefore the assistance that other territorial administrations can provide is highlighted.

Furthermore, the material management of the Internal Information System is expected to be carried out through indirect management methods, although the attribution by territorial administrations to a third party of the management of the Internal Information System will require them to prove that they lack their own resources to perform the function.

It is worth noting that Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPAC), applicable in a basic manner to all administrative procedures, establishes that any communication of facts that may constitute an infraction must be considered a complaint (article 62.1 LPAC).

Title III of the law regulates the external reporting channel. Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 rightly recognizes that one of the main factors discouraging potential whistleblowers is a lack of confidence in the effectiveness of reporting. Therefore, the European regulation imposes on Member States the obligation to establish appropriate external reporting channels, so that their actions are governed by the principles of independence and autonomy in receiving and processing information about violations.

Providing independence and autonomy to the external communication channel(s) requires ensuring the completeness, integrity, and confidentiality of the information, preventing unauthorized personnel from accessing it, and enabling long-term storage of the information.

In order to meet the objectives pursued by the European Union and to further the protection of whistleblowers, this law establishes an external channel managed by the Independent Whistleblower Protection Authority (IWPA), as provided for in Title VIII.

It is considered beneficial that the establishment of this channel, as a complementary means to the internal channel, be channeled through the Independent Authority for the Protection of Whistleblowers (IAW), thus providing it with the guarantees of independence and autonomy required by European standards.

Title III systematically addresses the specific regulations of the external channel through which the individuals referred to in Article 3 of the law may report, either directly or after submitting information to the internal channel. After detailing the procedure for receiving communications, which may be made anonymously or with confidentiality of the informant's identity, and their form (written or verbal), the law addresses the admission process. After a preliminary analysis, a decision is made on whether to admit the report for processing, whether to reject it with justification if any of the specific reasons provided for this purpose apply, whether to immediately notify the Public Prosecutor's Office if the conduct could constitute a crime, or whether to refer the report to another authority or body that may be competent to process it.

Once the communication has been admitted for processing, the investigative phase begins, culminating in the issuance of a report by the Independent Authority for the Protection of Whistleblowers. Once the report has been issued, the Independent Authority for the Protection of Whistleblowers may order the case to be closed; the initiation of disciplinary proceedings, without prejudice to bringing the facts to the attention of the Public Prosecutor's Office if, despite not initially seeing any indication that the facts could constitute a crime, such evidence emerges during the course of the investigation; or to the European Public Prosecutor's Office when the financial interests of the European Union are affected, where appropriate; or the referral of the information to another competent authority or body, if appropriate. In line with Directive 2019/1937, it has been deemed appropriate that the time period for conducting the investigations and responding to the whistleblower should not be extended more than strictly necessary, which is why the time period for completing this investigative phase cannot exceed three months.

Finally, it should be noted that the resolution adopted by the Independent Authority for the Protection of Whistleblowers (AAI) may not be subject to any administrative or judicial appeal, without prejudice to the possible challenge of the resolution that would terminate the sanctioning procedure that may be initiated as a result of the investigations carried out.

It should be noted that reporting the existence of a criminal or administrative offense does not constitute a data subject, but rather a collaborator with the Administration. Therefore, the investigations carried out, both within the framework of the Public Sector Internal Information System and within the procedure developed by the Independent Whistleblower Protection Authority (IWPA), are always initiated ex officio and in accordance with the procedure established in the LPAC.

Title III also sets out the set of rights and guarantees that informants have in the external communication procedure before the Independent Authority for the Protection of Informants (IAI), and the requirement to review the procedures for receiving and monitoring information, thus fulfilling the mandate of the Directive.

Finally, it is worth highlighting the possible implementation of external information channels by the autonomous communities. These external channels will be managed by independent regional authorities similar to the Independent Authority for the Protection of Whistleblowers (IAW), whose jurisdiction may extend both to reports on violations falling within the scope of this law and committed within the scope of regional and local public sector entities within the territory of the corresponding autonomous community, and to reports relating to breaches attributable to private sector entities that produce effects solely within the territory of that autonomous community.

Title IV contains provisions common to internal and external communications, in line with Chapter V of Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019. It regulates the obligation to provide adequate information in a clear and easily accessible manner regarding internal and external communication channels, as a means and guarantee for better understanding of the channels established by this law.

Title V deals with public disclosure. Whistleblowers using internal and external channels are afforded specific protection against retaliation. The protection for those who make public disclosure, subject to conditions, is based, among other things, on the guarantees and protection offered by the public as a whole, protecting those who demonstrate a civic attitude when raising concerns about potential serious criminal or administrative violations or violations of the legal system that harm the general interest, as well as on the protection of journalists' sources.

There are situations in which it is appropriate to protect these individuals as well, and the law, following European guidelines, specifies the conditions that must be met for the protection regime to be extended. Thus, for example, such protection is contemplated when internal and external channels have failed or when an imminent threat to the public interest is observed, such as a highly toxic spill or other polluting risks.

In this regard, it is noteworthy that the Directive itself, in its recitals 45 and 46, grants special recognition to the protections related to the rights to freedom of information and investigative journalism, which are constitutionally recognized in our legal system. Thus, Recital 45 states that "Protection against reprisals as a means of safeguarding freedom of expression and media freedom and pluralism should be afforded both to persons who report information about acts or omissions within an organization ("internal whistleblowing") or to an external authority ("external whistleblowing"), and to persons who make such information available to the public, for example, directly through web or social media platforms, or to media outlets, elected officials, civil society organizations, trade unions, or professional and business organizations." For its part, Recital 46 alludes to the importance of whistleblowers as important sources for investigative journalists and crucial to safeguarding the watchdog function that investigative journalism plays in democratic societies.

Title VI regulates the processing of personal data arising from the application of this law.

Article 17 of the Directive requires that all processing of personal data carried out pursuant to the Directive must be carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and Directive (EU) 2016/680. Similarly, this law provides that the processing of personal data must be governed by the provisions of said Regulation and Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights.

Until now, Article 24 of the aforementioned Organic Law regulated the creation and maintenance of internal information systems. The content of this provision has been incorporated into this law, but it was necessary to complete the provisions previously included in the Organic Law in order to extend them to data processing carried out in external communication channels and in cases of public disclosure. Furthermore, and in accordance with Article 6 of the General Data Protection Regulation, it is necessary to indicate the provisions that make the processing of personal data lawful. The processing will be deemed necessary for compliance with a legal obligation when it must be carried out in cases where it is mandatory to have an Internal Information System and in the case of external communication channels, while it will be presumed valid under the provisions of Article 6.1.e) of the General Data Protection Regulation when that system is not mandatory or the processing is carried out within the scope of public disclosure regulated by Title V. It is also indicated that if the person under investigation exercises the right to object to the processing of their personal data, it is understood that there are compelling legitimate reasons that legitimize continuing with said processing, as permitted by Article 21.1 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016.

The law also regulates certain special conditions regarding data processing in order to fully guarantee the right to data protection, and in particular the identity of informants and of those investigated for the information provided. Preservation of the informant's identity is one of the essential premises for ensuring the effectiveness of the protection pursued by this law. Therefore, it is required that it must be guaranteed at all times. Along these lines, it is stipulated that the informant's identity will never be subject to the right of access to personal data, and the possibility of communicating said identity is limited only to the judicial authority, the Public Prosecutor's Office, or the competent administrative authority, requiring that third-party access to it be prevented in all cases. Furthermore, entities required to maintain an internal information system, external third parties that manage it, and the Independent Data Protection Authority (IAA), as well as any others established, are required to have a data protection officer.

Title VII, as already mentioned, constitutes the core of the law, providing protective measures to protect those who maintain a civic attitude and respect for democracy by reporting serious violations that harm the public interest. It must be ensured that no one is intimidated by future harm. Hence, the first measure is the forceful declaration prohibiting and nullifying any conduct that could be classified as retaliation and is adopted within two years of completing the investigations. In this regard, the law offers several, but not exhaustive, scenarios that demonstrate intolerable behavior toward whistleblowers: termination of contracts, intimidation, unfavorable treatment, reputational damage, etc.

The need to ensure proper application of the law means that any clauses or contractual provisions that impede or attempt to limit the right or ability to report, such as confidentiality clauses or provisions reflecting express waivers, are rendered ineffective. It also means that any liability for obtaining relevant information is waived, or that the burden of proof is reversed in proceedings initiated to demand compensation for damages. Finally, whistleblowers will have the necessary support from the Independent Whistleblower Protection Authority (IWA) to ensure that the protection measures established in this law are effective.

But the protective measures are not only directed toward the informants. Those to whom the facts described in the communication relate must also be afforded special protection against the risk that the information, even with apparent veracity, may have been manipulated, be false, or respond to motivations beyond the legal scope. These individuals retain all their rights to judicial protection and defense, access to the file, confidentiality and confidentiality of identity, and the presumption of innocence; in short, the same rights enjoyed by the informant.

The advantages and effectiveness demonstrated by leniency programs in certain sectors have led to the inclusion of regulations that specify the specific conditions for their proper application.

Title VIII regulates the Independent Whistleblower Protection Authority, AAI

A democratically advanced society must adequately protect those who, by reporting irregularities of which they become aware in their work or professional environment, publicize them, thereby enabling public authorities to act and put an end to the illegal activity detected when it affects the public interest. And it is a matter of leadership to advance in this direction, as Directive 2019/1937 of the European Parliament and of the Council of October 23, 2019, which is being transposed by this law, does.

The so-called "whistleblower" will only be adequately protected if, first and foremost, there is not only a duty to report unlawful conduct of which he or she is aware, but also a system that allows for the channeling of information. This implies the implementation, by public and private entities, of channels that allow anyone who comes into contact with the organization to reveal information at their disposal that may constitute an offense likely to affect the public interest. This internal information channel, referred to in previous paragraphs, must guarantee the confidentiality of the informant, in all cases, if we want reprehensible behavior to come to light. It is also advisable to provide for their anonymity. There is no better way to protect the informant than by guaranteeing their anonymity.

This internal information channel must be complemented by an external channel, that is, the possibility for anyone aware of the fact that may be reported in accordance with this regulation to approach a public authority that, with all the necessary guarantees, is aware of the reported fact and can proceed to investigate it and, where appropriate, can collaborate with the Public Prosecutor's Office when it considers that the fact being reported constitutes a crime.

Ensuring adequate protection for whistleblowers requires, in compliance with Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019, that Spain have a comprehensive regulatory and institutional framework that effectively addresses the need for protection for those who report breaches of the legal system that affect or undermine the general interest.

An appropriate and effective regulatory response requires jointly coordinating, and therefore using the same regulatory instrument, the new legal framework applicable to whistleblower protection and the appropriate institutional framework to ensure its full effectiveness.

Recital 64 of Directive 2019/1937 of the European Parliament and of the Council of 23 October 2019 leaves it to the prudent discretion of Member States to determine which authorities are competent to receive information on infringements falling within its scope and to appropriately follow up on reports.

Among the various alternatives offered by our domestic legal system, the Independent Whistleblower Protection Authority (IWPA) is considered ideal as a basic pillar of the institutional system for whistleblower protection. Its unique nature and institutional fit within the public sector will allow it to successfully channel the set of functions that the Directive attributes to the competent authorities of each Member State. Among the various possibilities open to the challenge of effectively addressing the transposition of the Directive, the independent nature and autonomy enjoyed by these types of public sector entities are considered the best way to implement the institutional framework for whistleblower protection, excluding other alternatives with less independence from the executive branch and ultimately allowing a newly created entity to guarantee the functionality of the system, an entity independent of its appointer and of the Public Administration, which, in the exercise of its functions, adheres to technical criteria.

On the other hand, the specific nature of the subject matter also makes it advisable that the functions assigned by the Directive to the competent authorities be exercised by a newly created authority, without the possibility of resorting to existing ones within the public sector. Furthermore, for the purposes of creating a new authority, it is crucial to establish, in compliance with the Directive, an external information channel that complements internal channels (in both the private and public sectors). It is particularly important that an entity under a special regime of autonomy and with a marked technical and specialized nature in the matter be responsible for the management of this external channel.

The foregoing, combined with the set of functions that the Directive requires competent authorities to assume in the area of whistleblower protection, and with others that go beyond the content of the European standard and whose inclusion lies in a greater guarantee and extension of whistleblower protection, recommend that a specific independent authority assume this set of powers and ultimately serve as an essential institutional pillar in the fight against corruption.

To this end, Title VIII of the regulation addresses, as noted, the authorization for the creation of the Independent Authority for the Protection of Whistleblowers (IAW), as a public law entity with its own legal personality, endowed with autonomy and organic and functional independence from the Executive and the public sector, as well as from any entity whose activity may be subject to its supervision. Structured in three chapters, the first sets forth the nature and functions of the Independent Authority for the Protection of Whistleblowers (IAW): management of the external communications channel, assumption of the status of advisory and consultative body to the Government on matters of whistleblower protection, development of models for crime prevention in the public sphere, assumption of sanctioning powers in this area, among others.

Chapter II of Title VIII sets out the legal framework governing the new Authority, distinguishing between the general legal framework governing its activities and the specific features it presents in terms of personnel, contracting, assets, legal assistance, budgeting, accounting, and economic and financial control. Within these specific features, it has been deemed necessary to provide the entity with two less common but absolutely necessary powers to achieve the objectives of transposing the Directive. On the one hand, the Independent Authority for the Protection of Whistleblowers (IAWP) itself is able to draft circulars and recommendations establishing the criteria and appropriate practices for compliance with the provisions contained in this law and the regulations implementing it. On the other hand, the law attributes the exercise of the sanctioning power (provided for in Title IX of the law) to the Independent Authority for the Protection of Informants, AAI, thus complying with the requirement of attribution of power by legal (or regulatory) norm contained in Law 40/2015, of October 1, of the Legal Regime of the Public Sector.

Finally, Chapter III of Title VIII sets out the internal organizational structure of the entity. It provides for the existence of a Presidency, the governing body of the Authority, which will have as its advisory body an Advisory Committee, with a distinctly technical composition. Many of its members are, by virtue of their position, ex officio members from either the Public Administration or regulatory or supervisory bodies.

Comprehensive whistleblower protection requires leaving no room for impunity. This principle of action, which is directly linked to the leadership that must act as the mediating axis of the proposed system's suitability, combined with the concept of our State as a shared public space, requires access to the external information channel through the Independent Authority for the Protection of Whistleblowers (IAW) in those territories that have not provided for the creation of Authorities or the attribution of such authorities to bodies within their own autonomous communities and within their respective jurisdictions. In this way, the Independent Authority for the Protection of Whistleblowers (IAW) will be able to process communications received through its external channel that affect the jurisdiction of those autonomous communities that so decide and sign the corresponding agreement, and those others that do not provide their own bodies to channel external communications within their jurisdiction. This possibility complies with the doctrine of the Constitutional Court, set forth in ruling 130/2013, which states that "in cases such as those considered here, State provisions establishing rules intended to allow the implementation of Community Regulations in Spain and which cannot be considered basic or coordinating rules are supplementary to those that may be issued by the autonomous communities for the same purposes within their jurisdiction. Without forgetting that the supplementary clause of Article 149.3 of the Spanish Constitution does not constitute a universal clause attributing jurisdiction, in such cases, the possibility for the State to issue innovative supplementary rules is fully justified."

The articulated text concludes with Title IX, which establishes the sanctioning regime necessary to effectively combat actions that involve retaliation against informants, as well as failure to comply with the rules for communication channels.

The law concludes with six additional provisions relating to the periodic review of the procedures for receiving and monitoring communications by the responsible authorities, to the agreements that the State and Autonomous Communities may sign to assign the Independent Authority for the Protection of Informants (AAI) management powers for the external communications channel in the corresponding autonomous area, the preparation of an annual report and aggregated statistical information, to the administration of the Historical Territories of the Basque Country, to the Strategy against corruption and the extension of protection measures; three transitional provisions to regulate the internal information channels already enabled and the adaptation of existing internal information systems and the implementation of said systems, in general, by obliged subjects within a period of three months, as well as the budgetary provision for the Independent Authority and, finally, twelve final provisions that modify, among others, Law 1/1996, of January 10, on free legal aid; Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction to include the new Independent Authority for the Protection of Informants (AAI); Law 15/2007, of July 3, on the Defense of Competition; Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing; Law 10/2014, of June 26, on the regulation, supervision and solvency of credit institutions; Law 9/2017, of November 8, on Public Sector Contracts, which transposes into Spanish law Directives 2014/23/EU and 2014/24/EU of the European Parliament and of the Council of February 26, 2014; Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, for the purposes of data processing for the protection of individuals who report regulatory violations; the jurisdictional titles under which the law is based; the incorporation of Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23, 2019, into domestic law; a regulatory enabling clause and its entry into force.