Implementing A “Corporate Compliance” And Data Protection Protocol – Spain

José DutilhManaging Partner, LeQuid, The J.Dutilh Law Firm For Social Impact

1. Proposal

 

The recent reform of the Criminal Code published in the Official State Gazette on 31 March 2015, entering into effect last 1 July, has substantially modified article 31 (2) of the Criminal Code, regarding the criminal liability of bodies corporate.  

 

Criminal regulations lay down the criminal liability of bodies corporate and the obligation of company administrators to adopt and execute effective surveillance and control models to prevent crimes, whose implementation exempts the company from criminal liability, if it is total, or mitigates it, if it is partial.  

 

Furthermore, however, criminal regulations requires the effective setting-up of such models and the implementation action of a body with autonomous powers of initiative and control, which in small companies, may be the administrative body itself.  

 

Accordingly, “due control” for the prevention of crimes in the company, whose implementation exempts company administrators, directors and subordinates from criminal liability, must include:

 

  • Establishment by the administrative body of an organisation and management model that includes suitable surveillance and control measures to prevent crimes.  
  • Creation of a body with autonomous powers of initiative and control to supervise the operation and execution of the prevention model implemented.  
  • Identification of company activities where the crimes to be prevented may be committed.  
  • Implementation of protocols or procedures that specify the training process of the body corporate’s intentions, adoption of decisions and execution thereof as regards thereto. 
  • Setup of management models for the sufficient financial resources to prevent the crimes to be prevented from being committed.  
  • Obligation to inform of possible risks and non-compliance to the body in charge of monitoring the operation and watching over the prevention model – whistleblowing channels -.  
  • Establishment of a disciplinary system that adequately penalises non-compliance with the measures established by the model.  
  • And periodic verification of the model and its possible modification when significant infringements of its provisions occur, or when changes take place in organisation, in the control structure or in the activity carried out that make them necessary.

 

 

2. Criminal liability.

 

2.1. Basis: non-compliance with the obligation to due control.

 

The criteria chosen by the reform of the Criminal Code to attribute criminal liability to bodies corporate is double (vicarious or by proxy and respondeat superior). Bodies corporate may be criminally convicted as liable for a crime, in two cases:

 

  • Deeds committed by their legal representatives and administrators de iure and de facto. (Section A, Art. 31 C.C.) 
  • b) Deeds committed by their employees, provided the employer had not exercised due control. (Section B Art. 31 C.C.)

 

 

  • Possible crimes

 

Bodies corporate can only be criminally liable for the 21 specific crimes expressly stipulated in the Criminal Code (not every crime laid down in the Criminal Code) which can give rise to their liability and which are as follows:

 

 

Illegal trafficking in organs (156 [2])  

Trafficking in human beings (177 [2]) 

Crimes relating to the prostitution and corruption of minors (189 [2]) 

Privacy offences and forceful entry in computers (197) 

Criminal fraud and fraud (251) 

Punishable insolvencies (261 [2]) 

Computer damage (264) 

Crimes against intellectual and industrial property, markets and consumers (288)  

Moneylaundering (302) 

Crimes against the Public Treasury and Social Security (310 [2]) 

Crimes against the rights of foreign citizens (318 [2]) 

Crimes regarding construction, building or illegal urban development (319) 

Crimes against the environment (327,328) 

Crimes relating to nuclear energy and ionizing radiation (343) 

Crimes of risk caused by explosives (348) 

Crimes against public health as regards drug trafficking (369 [2]) 

Falsehood in methods of payment (399 [2]) 

Bribery (427) 

Influence peddling (430) 

Corruption of foreign officials (445) 

Financing terrorism (576 [2])

 

In general they are only attributable to the body corporate if they are done so wilfully (including gross negligence and deliberate ignorance), the crimes of moneylaundering and against the environment can also be attributed to imprudence by the body corporate.

 

 

2.3 Aspects to take into account regarding the Corporations Act after the modifications introduced by Act 31/2014 on the improvement of corporate governance.

 

The reform of the Corporations Act as regards the public liability of administrators and directors incorporates and extends obligations and liabilities with respect to the administration, control and prevention of risks (criminal and fiscal). Administrators and directors shall be accountable to shareholders and to company creditors for any damages caused by acts or omissions against the law or the company’s articles of association or for non-compliance inherent to exercising the position. 

Liability shall not be exonerated when it has been adopted, authorised or ratified by the general shareholders’ meeting. 

Competence regarding the implementation and monitoring of the “Corporate Compliance” system is a matter for the administrative body, and may not be delegated. 

Furthermore, the reform lays down that the articles of association shall determine the system of administrators’ remuneration for their management and decision-making functions, with special reference to the system of remuneration for board members who carry out executive tasks. If the system includes a share in profits, the articles of association shall specifically lay down the share or maximum percentage thereof and whether the system includes the handover of shares or share options, or remunerations indexed to the share value in the public companies shall be expressly set forth in the articles of association.

Modifications to the Corporations Act (“LSC”) includes significant measures that must be taken into account in Corporate Compliance projects in all kinds of companies, in particular the following:

  • Administrators’ remuneration. 
  • General duty of diligence. 
  • Protection of the business judgement rule. 
  • Obligation to loyalty and conflict of interests. 
  • Subjective extension of liability. 
  • Delegation of competences. 
  • Competences that cannot be delegated. 
  • Control functions of the secretary of the Board of Directors.

 

Furthermore, after the reform introduced in article 249 of the Corporations Act, the indelegable nature of a series of competences was laid down. As a result, this article stipulates that, “the board of directors may not delegate the following competences under any circumstances: a) supervision of the effective operation of committees it may have set up and of the performance of the delegated bodies and the directors that it may have appointed”.

 

2.4. Possible penalties

 

There are 7 types of penalties created specifically to be applied to bodies corporate:

 

  • Fine by quotas or proportional.
  • Dissolution of the body corporate.
  • Suspension of its activities for a term that may not exceed five years.
  • Closure of its premises and establishments for a term that may not exceed five years.
  • Prohibition (temporary/definitive) from carrying out in the future the activities that, during the financial year, have been committed, have favoured or have concealed the crime (not + than fifteen years).
  • Disqualification from obtaining subsidies and public aid, contract with the public sector or enjoy fiscal benefits and incentives or from the Social Security, for a term that may not exceed fifteen years.
  • Judicial intervention to safeguard workers’ or creditors’ rights for the term deemed necessary, which may not exceed five years.

 

 

 

 

 

3. Recommendations to avoid liability for the body corporate

3.1. Specific actions

 

  • Detect crimes that involve greater risk (this will be carried out by means of drawing up a risk matrix). 
  • Prepare a Corporate Compliance Protocol. This will include risk detection, a legal opinion regarding the current internal operation of companies as regards regulatory compliance and legal basis to notify partners and directors. Additionally, a Code of Conduct and Ethics shall be drawn up, which (i) shall specifically lay down the actions that employees, administrators and/or directors may or may not carry out (ii) establish a system of information, accusation and complaint, (iii) disciplinary actions in the event of non-compliance. This integrates protocols and systems that the company already has (audits, external legal and tax consultancy, occupational hazard prevention, etc.). 
  • Implement a financial resource management model (important in the event of investigation by the tax authorities) – a plan to prevent financial offences will be prepared. 
  • Establish measures to control compliance: the measures to be adopted should be adapted to each company and could include, among other aspects, periodic meetings, questionnaires, incentives for proper compliance and training for employees, administrators and directors. 
  • Verify and periodically update documents (they must be “living documents”) accompanied by training and/or educational activities. 
  • Approve implementation by the Board and by the Administrative Body: a decision will be issued from the shareholders and another from the administrative organ approving the implementation and obligatory compliance with the documents issued.

 

3.2. Advantages

 

The advantages that this implementation would mean for the company particularly include the following:             

Exemption from criminal liability + Mitigation of the impact of any possible tax investigation + Greater possibility of public contracting + Greater possibility with of contracting with large companies + Attraction and retention of talent. Improved workforce performance and productivity.

 

Links