How to Conduct an Internal Investigation in Spain: Step‑by‑step Guide for Compliance Officers

Understanding how to conduct an internal investigation in Spain is now a core competency for every compliance officer, in‑house counsel and HR director operating in the country. Since Law 2/2023 (Ley 2/2023, de 20 de febrero, reguladora de la protección de las personas que informen sobre infracciones normativas y de lucha contra la corrupción) came into force, entities that meet the statutory thresholds must maintain an internal information channel and respond to reports within strict deadlines, acknowledgement within 7 calendar days, and a substantive outcome within 3 months. This guide walks through each phase of the investigation process, from triage to post‑investigation remediation, and flags the data‑protection limits, criminal‑proceedings suspension risks, and document‑preservation requirements that trip up even experienced teams.

It is current as of June 2026 and reflects the enforcement posture of the Autoridad Independiente de Protección del Informante (A. A. I. ) and the Agencia Española de Protección de Datos (AEPD).

Overview of the Internal Investigation Process and Who It Applies To

An internal investigation in Spain is a structured, fact‑finding procedure that a company initiates when it becomes aware, through a whistleblower report, employee complaint, audit irregularity or regulatory inquiry, of possible misconduct, fraud, or a breach of legal or compliance obligations. Its purpose is to establish facts, assess liability, remediate harm, and, where required, report findings to the competent authority.

Under Law 2/2023, the following entities must implement an internal information system (canal interno de información):

• Private‑sector companies with 50 or more employees.
• All public‑sector entities, irrespective of size.
• Political parties, trade unions, and employer organisations that receive or manage public funds.
• Foundations that receive public subsidies above the thresholds set in the statute.

Companies with between 50 and 249 employees may share resources for the channel, but each entity remains individually responsible for its own investigation process and compliance with statutory deadlines.

Who Should Run the Probe?

The designated “responsible person” (responsable del sistema) must be a senior officer or body with independence and autonomy. In practice, this is usually the compliance officer, a compliance committee, or, for smaller entities, the board secretary. The decision to involve external counsel should be taken at intake whenever the report concerns potential criminal conduct, involves senior management, or carries a risk of evidence destruction. External counsel adds legal‑professional privilege protections and specialist investigative experience, particularly in white‑collar and data‑protection matters.

Eligibility, Prerequisites and the Whistleblowing Procedure in Spain

Who Is Covered by the Whistleblowing Law?

Law 2/2023 protects a broad range of informants. Coverage is not limited to employees: it extends to self‑employed workers, shareholders, members of governing bodies, volunteers, trainees, job applicants, and any person who has obtained information about a breach in a work or professional context. Third‑party contractors and suppliers may also use the internal channel. This wide scope means that the investigation team must be prepared to handle reports from individuals who sit outside the conventional employer–employee relationship.

When to Call External Counsel Immediately

Engage specialised external counsel from Day 0 if:

• The allegation involves potential criminal conduct (fraud, bribery, money laundering).
• Senior management or board members are implicated.
• There is a real risk of evidence destruction or tampering.
• Criminal proceedings have already been opened or are imminent.
• Cross‑border elements require coordination with regulators in other jurisdictions.

Before launching interviews, the investigator must complete conflict‑of‑interest checks, confirm the role of the Data Protection Officer (DPO), and, where applicable, consult with worker representatives as required by the applicable collective bargaining agreement (CBA). These prerequisites are not optional: failure to observe CBA consultation obligations can render evidence inadmissible and expose the company to labour‑law claims.

Step‑by‑Step Procedure: How to Conduct an Internal Investigation in Spain

The following investigation steps for Spain reflect the statutory framework of Law 2/2023, AEPD data‑protection guidance, and established practitioner best practice. Each step specifies who acts, the target timeframe, and the key output. The summary table below provides an at‑a‑glance timeline; detailed guidance follows in the numbered sub‑sections.

Step 1, Triage and Intake (Day 0–7)

Record the date and channel through which the report was received. Assign a unique case identifier and open the case log. Perform an immediate confidentiality assessment: restrict access to the report on a strict need‑to‑know basis. Run conflict‑of‑interest checks on every person who will touch the case, including the responsible person and any proposed investigator.

Determine urgency. Reports alleging imminent evidence destruction, ongoing harm, or serious criminal conduct should be escalated to external counsel and, where necessary, the board within 24 hours.

Law 2/2023 requires the company to acknowledge receipt to the informant within 7 calendar days. The acknowledgement must confirm that the report has been received and outline the procedure that will follow. A sample acknowledgement:

“We confirm receipt of your report dated [date], assigned reference [ID]. Your report will be assessed confidentially in accordance with Law 2/2023. You will be informed of the outcome within three months.”

Output: completed intake form, case log entry, acknowledgement letter, and any immediate protective measures (e.g., preserving access to systems, restricting the subject’s ability to delete data).

Step 2, Define the Scope and Prepare the Investigative Plan (Day 1–14)

Draft a written investigative plan that defines:

• The factual and legal scope of the investigation (which allegations, which legal standards).
• Key witnesses to interview and the sequence of interviews.
• Data sources and digital systems to be preserved or searched.
• Whether external counsel or a forensic IT vendor is required.
• Privilege safeguards, how to create and maintain a privileged work‑product stream under external counsel’s direction.

At this stage, prepare the chain‑of‑custody template that will accompany every piece of evidence from collection through to any eventual court proceeding. If the scope indicates that the matter may cross into criminal territory, the plan should include a decision point for suspension for criminal proceedings (see the decision‑point box below).

Output: written investigative plan, chain‑of‑custody template, privilege protocol.

Step 3, Evidence Collection and Preservation (Day 7–45)

Evidence preservation in Spain must begin immediately, ideally within 24–72 hours of intake. Practical steps include:

• Issuing a written preservation notice to IT, HR, and any custodian of potentially relevant documents. A sample preservation notice: “You are required to preserve all documents, emails, messages, and electronic files relating to [subject matter] from [date range]. Do not delete, alter, or move any such materials.”
• Creating forensic images of relevant devices (laptops, phones, servers) and recording hash values to prove integrity.
• Exporting and sealing relevant emails and files in a restricted‑access repository.
• Logging every item in the evidence log with date, source, custodian, and the name of the person who collected it.

Data protection constraints apply throughout this phase. The AEPD’s guidance on data protection in labour relations requires that data collection be proportionate and limited to what is strictly necessary. If the investigation involves large‑scale processing of personal data or monitoring of employee communications, a Data Protection Impact Assessment (DPIA) may be required. The legal basis for processing is typically the employer’s legitimate interest or a legal obligation, but the scope must be documented in a record of processing activities.

Output: evidence log, forensic images with hash verification, sealed document repository, data processing record.

Step 4, Witness Interviews and Statements (Day 14–60)

Plan interviews in a logical sequence, typically starting with peripheral witnesses and working inward to the subject of the investigation. Key considerations for conducting interviews in Spain include:

• CBA constraints. Many collective bargaining agreements grant employees the right to be accompanied by a union representative or worker delegate during interviews that may lead to disciplinary action. Check the applicable CBA before scheduling.
• Confidentiality. Inform each interviewee that the investigation is confidential and that retaliation against informants is prohibited under Law 2/2023.
• Data protection. Interviewees must be informed of the purpose of data collection, the legal basis, and their rights under the GDPR. Avoid collecting categories of special data (health, political opinion, trade‑union membership) unless strictly necessary.
• Language. Interviews may need to be conducted or translated into Spanish and, where applicable, a co‑official language (Catalan, Basque, Galician). Provide an interpreter if the interviewee is not fluent.
• Documentation. Record interview notes contemporaneously. Signed statements may be obtained where lawful and proportionate, but be aware that some CBAs restrict requiring employees to sign investigation statements.

Output: interview notes, signed statements (where permissible), updated evidence log.

Step 5, Analysis, Findings and Preliminary Recommendations (Day 45–75)

Collate all evidence and map it against the legal and factual scope defined in Step 2. Assess the level of misconduct and determine whether the conduct amounts to a disciplinary infraction, a civil liability issue, a criminal offence, or a combination. Consider:

• Whether the facts support the allegations on the balance of evidence.
• What disciplinary or remedial measures are appropriate (warning, suspension, dismissal, reporting to authorities).
• Whether the company’s compliance programme needs updating to prevent recurrence.
• Privilege: if external counsel has been engaged, the draft investigative report should be prepared under counsel’s direction and clearly marked as privileged.

Output: draft investigative report, preliminary recommendations.

Step 6, Decision, Remediation and Closure

Present the final report to the decision‑making body (typically the board, a compliance committee, or HR, depending on the nature of the misconduct). Approve and implement the remedial plan. Communicate the outcome to the informant within the statutory deadline, Law 2/2023 requires the internal procedure to be completed within a maximum of 3 months from receipt of the report, with an exceptional extension to 6 months where justified by the complexity of the matter.

If the investigation reveals conduct that must be reported to a public authority (regulatory breach, criminal offence), make the disclosure through external counsel. Preserve the investigation file for the applicable retention period, but be mindful of data‑protection limits: personal data collected during the investigation should not be retained longer than necessary and must be deleted or anonymised once the retention period expires.

Output: final report, remediation log, outcome notification to informant, authority disclosures (if applicable).

Step 7, Post‑Investigation Follow‑Up

Close the case log but schedule a follow‑up review at 6 and 12 months to confirm that remedial measures are working. Update the company’s compliance programme, code of conduct, and training materials to reflect lessons learned. Record disciplinary outcomes (anonymised where appropriate) for future reference.

Decision Point, If Criminal Proceedings Are Opened: Where a parallel criminal investigation or prosecution is opened by a Spanish court or the Fiscalía (public prosecutor), the company must exercise extreme caution. Industry observers expect that continuing active witness interviews or evidence gathering can prejudice the criminal proceedings and expose the company to allegations of obstruction or evidence contamination. The prudent course is to suspend all non‑essential investigative activity immediately, preserve evidence in sealed form under external counsel’s direction, and coordinate further steps with criminal defence counsel. A sample internal suspension notice: “Effective immediately, all investigative activity under case [ID] is suspended pending coordination with external counsel in light of criminal proceedings. All evidence must be preserved in its current form.

No interviews may be conducted without prior written authorisation.

Required Documents and Information for an Internal Investigation in Spain

The following checklist sets out the documents needed for an internal investigation. Maintain all items in a secure, access‑controlled repository. Data protection internal investigation requirements under the AEPD mandate that personal data is processed only to the extent necessary and retained only for as long as required.

Where the investigation involves employees covered by a collective bargaining agreement, check whether the CBA imposes additional documentation requirements, for example, mandatory notification to the works council before initiating a disciplinary investigation, or restrictions on how interview records may be used.

Internal Investigation Timeline and Key Deadlines

The internal investigation timeline is driven by two sets of deadlines: the statutory limits under Law 2/2023 and the practical operational targets that an effective investigation demands.

Statutory deadlines (Law 2/2023):

• Acknowledgement of report: within 7 calendar days of receipt.
• Completion of internal procedure: within a maximum of 3 months from receipt of the report.
• Exceptional extension: up to 6 months from receipt, but only where justified by the particular complexity of the matter. The extension must be communicated to the informant.

Practical operational targets:

• Evidence preservation: initiate within 24–72 hours of intake. Delay increases the risk of spoliation.
• Interview scheduling: aim to complete all witness interviews within 6 weeks of the investigative plan being approved.
• Draft findings: circulate internally within 10 weeks to allow time for legal review and board decision before the 3‑month statutory deadline.
• Remediation implementation: begin immediately upon final report approval; record milestones in the remediation log.

Missing the statutory deadlines does not extinguish the obligation to investigate, but it exposes the company to administrative sanctions under Law 2/2023 and oversight action by the A.A.I.. It may also undermine the credibility of the investigation if the matter proceeds to litigation or regulatory enforcement.

Costs of an Internal Investigation in Spain

The costs of an internal investigation in Spain vary significantly depending on scope, complexity, and whether external providers are engaged. The table below provides indicative market ranges. All figures should be treated as estimates and confirmed with providers before engagement.

Investigation costs are generally treated as a deductible business expense for corporate‑tax purposes, but the treatment of specific items (e.g., legal fees related to criminal defence, penalties) may differ. Confirm with the company’s tax advisors before allocating budget.

What Changes in 2026: Practical Actions for Compliance Officers

Since Law 2/2023 entered into force, the operational landscape for internal investigations in Spain has shifted in several important ways. Compliance officers should note the following developments as of mid‑2026:

• A.A.I. oversight is now active. The Autoridad Independiente de Protección del Informante has begun exercising its supervisory and sanctioning functions. Early indications suggest a particular focus on whether entities have established compliant internal channels and whether acknowledgement and outcome deadlines are being met.
• Stricter AEPD enforcement in workplace investigations. The AEPD has increased scrutiny of data processing during internal investigations, with particular attention to proportionality, data minimisation, and the lawfulness of monitoring employee communications. Compliance officers should ensure every investigation includes a documented assessment of the data‑protection legal basis and, where applicable, a DPIA.
• Suspension for criminal proceedings is a practical reality. Court and prosecutorial practice has reinforced the principle that internal investigative activity should be limited or suspended where parallel criminal proceedings could be prejudiced. The likely practical effect is that companies must build a clear “pause protocol” into their investigative plans from the outset.
• Internal channels for companies with 50–249 employees are mandatory. The transitional period has elapsed. All entities within scope must have a functioning channel. Failure to do so is itself a sanctionable infraction.

Common Pitfalls and How to Avoid Them

Even experienced compliance teams encounter procedural traps when conducting an internal investigation in Spain. The following pitfalls are the most frequently observed:

• Failing to acknowledge the report within 7 days. This is the single most common compliance failure. Set an automated reminder in the case‑management system at Day 0 and assign a named individual to send the acknowledgement.
• Destroying or altering evidence. Even unintentional spoliation, such as routine email‑server purges, can be catastrophic. Issue a preservation notice within 24 hours of intake and suspend all automated deletion policies for potentially relevant data.
• Breaching data‑protection rules during evidence collection. Accessing employee personal devices, monitoring private communications, or collecting special‑category data without a lawful basis violates the GDPR and AEPD guidance. Document the legal basis for every data‑processing operation and apply the principle of data minimisation rigorously.
• Interviewing witnesses in breach of CBA requirements. Collective bargaining agreements in Spain frequently grant employees the right to have a union representative present during investigative interviews that could lead to disciplinary consequences. Ignoring this right can render the interview evidence inadmissible and trigger separate labour‑law claims.
• Continuing the investigation after criminal proceedings have opened. Active investigative steps, particularly witness interviews, conducted in parallel with a criminal investigation can constitute obstruction or contaminate evidence. Suspend non‑essential activity and coordinate with criminal defence counsel.
• Mismanaging privileged materials. Mixing privileged external‑counsel work product with non‑privileged investigation files risks waiver. Maintain a strict separation protocol from Day 0.
• Retaining investigation data beyond the permitted period. Under AEPD guidance, personal data collected for the investigation should be deleted or anonymised once the retention period linked to the investigation’s purpose expires. Over‑retention violates the GDPR’s storage limitation principle.

Sources

1. BOE, Ley 2/2023 (consolidated text)
2. BOE, Ley 2/2023 (PDF / consolidated)
3. Agencia Española de Protección de Datos (AEPD)
4. Cuatrecasas, Legal flash on Law 2/2023
5. KPMG, Legal alert on Law 2/2023
6. Clifford Chance, Spain transposition of the Whistleblowing Directive
7. Uría Menéndez, Commentary on Law 2/2023
8. Molins Defensa Penal, Internal criminal investigations
9. Cleary Gottlieb, Conducting an internal investigation