Corporate and M&A

Key Aspects of Regulatory Compliance Obligations for International Companies in Spain

Subsidiaries of foreign companies in Spain must comply with certain legal obligations to guarantee their compliance with Spanish regulations and avoid sanctions, problems in tenders and damage to their reputation.

In addition to commercial and tax obligations, such as the deposit of annual accounts, minutes and accounting books, and employment-related obligations, such as the payment of salaries and social security contributions, there are other essential obligations that must be observed, which are briefly described below:

1.   Protocol against Sexual and/or Gender-Based Harassment

All companies in Spain, regardless of their size, must implement a protocol against sexual and/or gender-based harassment. Not implementing this protocol is a serious infraction, punishable by fines of up to 7,500 euros. This protocol must include specific procedures for the prevention and reporting of harassment cases, ensuring a safe and respectful work environment and thus protecting the company from possible reputational damage.

2.   Criminal compliance

The implementation of a criminal compliance program is essential to exempt the company from criminal liability for crimes committed within the company. This is particularly relevant for subsidiaries of foreign companies, where control and management bodies are not always found in the country. A compliance system must be adapted to Spanish regulations, and it is not enough to have a program designed only for the parent company. This program must include internal policies and procedures aimed at preventing, detecting, and correcting illegal behavior within the company.

3.   Whistleblowing Channel

All companies with 50 or more employees are required to have a whistleblowing channel. In addition, smaller companies may also be subject to this obligation depending on specific circumstances, so it is advisable to make an assessment in this regard.

It is important that this channel complies with local regulations, as a whistleblowing channel established abroad by the parent company is not enough (remember that the penalties for non-compliance can reach up to one million euros).

The implementation of a whistleblowing channel is not only a legal obligation, but also a tool to strengthen the company's trust and reputation with banks, investors, employees and business partners.

4.   Equality Plan

It consists of a set of measures adopted after carrying out a diagnosis of the situation, with the aim of guaranteeing equal treatment and opportunities between women and men, eliminating any type of gender-based discrimination. An equality plan is mandatory for companies with 50 or more employees, but in some cases, it is also mandatory for smaller companies, depending on the collective agreement or other factors. Therefore, it is advisable to carry out an analysis to determine whether the company is obliged to implement an equality plan.

5.   LGBTI Equality Plan

Law 4/2023 establishes that, as of March 2nd, 2024, all entities with more than 50 employees – that is, all entities required to have an Equality Plan – will have to implement a set of measures and resources to achieve real and effective equality for LGBTI people, including a protocol for prevention and action in situations of harassment and/or violence against LGBTI people. In case of non-compliance, the company may be sanctioned with a fine of up to 150,000 euros.

6.   Transfer Pricing

Transactions between entities of the same group must be valued at market prices, which entails certain documentation and reporting obligations. Although the transfer pricing study may be carried out by the parent company, it is necessary to verify its conformity with the parameters established by Spanish regulations in order to be protected in case of inspection.

7.   General Data Protection Regulation (GDPR)

The GDPR imposes an obligation on all companies that process personal data to protect it and guarantee the rights of data subjects. Subsidiaries in Spain must ensure that their personal data management practices comply with the requirements of the GDPR, including, among others, obtaining consents, adopting adequate security measures, and notifying security breaches. The Spanish Data Protection Agency (AEPD) has updated its Guide on the use of cookies, which was due to expire on January 11th, 2024. One of the main adaptations consists of being more transparent to the user and creating a banner with three buttons "ACCEPT COOKIES", "REJECT COOKIES" and "SETTINGS".

To sum up, complying with these additional obligations is essential for subsidiaries in Spain to operate in compliance with the law and avoid penalties that can be costly both financially and in terms of reputation. Compliance also enhances their image and attractiveness in the marketplace, creating an environment of trust for employees, business partners and investors.

At Escura, we specialize in advising subsidiaries of foreign companies in Spain, and we have departments dedicated to regulatory compliance. Our team can help your company comply with all legal and regulatory obligations, thus ensuring its operability and reputation in the Spanish market.
