Lawyers and advisors for individuals and companies in Barber

Compliance Lawyer for Companies

Compliance and regulatory compliance for companies



If you want to protect your company through criminal compliance, an internal reporting channel, data protection, and genuinely useful internal protocols, we help you implement them with legal certainty and a practical, business-oriented approach.
Compliance is not about having neat folders or documents that nobody reads. It is about something far more important: protecting the company before problems arise.

If your company hires staff, processes data, sells products or services, signs contracts, makes corporate decisions, or has a management body, you are already assuming regulatory risks. And when those risks are not properly managed in time, the issue is usually not just a fine. It can affect the continuity of the business, the company’s reputation, and, in certain cases, the exposure of directors and managers as well. Today, the legal framework is quite clear: Law 2/2023 requires certain entities to implement an internal reporting system; Article 31 bis of the Criminal Code links corporate criminal liability to the existence and effectiveness of organisational and management compliance models; and the LOPDGDD and the GDPR require proper management of personal data processing.

We work from Barberà del Vallès by appointment and also provide online services to companies throughout the province of Barcelona.

If your company is growing, hiring, or making sensitive decisions, compliance is no longer optional in practice

Many companies do not implement compliance systems because they believe “that’s only for multinationals”. And that is precisely one of the most expensive mistakes.
Law 2/2023 requires, in the private sector, the implementation of an internal reporting system for companies with more than 50 employees, in addition to other entities specifically covered by the law. Subsequent institutional developments have reinforced this framework of supervision and proper operation of the system.

That does not mean that smaller companies do not need compliance. It means that, even where there is no full legal obligation in every area, having internal organisation, clear policies, and proper documentary traceability significantly reduces real risk. That is the difference between reacting to a complaint, a sanction, or an incident… and getting ahead of the problem before it happens.
I want to know whether my company is legally required to comply

Internal reporting channel and whistleblowing system: when it is required and how to implement it properly

Let’s be clear here: the reporting channel is not just “a mailbox” and nothing more.
Law 2/2023 regulates the internal reporting system and requires entities to have a management procedure, a designated system manager, and clear and accessible information about both the internal and external reporting channels. In addition, the channel must allow reports to be made in writing or verbally and must preserve confidentiality safeguards.
That means implementing the channel properly involves, at a minimum:
  • defining the internal system;
  • appointing a responsible officer;
  • approving a formal procedure;
  • organising deadlines and traceability;
  • and connecting the channel with disciplinary measures, internal investigations, and evidence preservation.
I want to implement an internal reporting channel and protocol

Criminal compliance: protecting the company and its management body

Criminal compliance is not a trend. It is directly linked to Article 31 bis of the Criminal Code.
The Spanish Attorney General’s Office has repeatedly stated that this provision establishes genuine criminal liability for legal entities in relation to certain offences committed by individuals connected to them. And the very structure of Article 31 bis links exemption from or mitigation of liability to the existence of adequate organisational and management models designed to prevent offences or significantly reduce their risk.
Translated into business language: if you do not have a serious compliance model in place and something serious happens, the problem is no longer limited to the employee or manager who acted improperly. The company itself may also become liable. And depending on the offence, the Criminal Code provides for fines and other additional consequences for the business.
Here, we approach criminal compliance with a very practical mindset:
  • risk mapping;
  • policies and controls;
  • practical minimum training;
  • internal reporting channels;
  • incident response;
  • and sufficient traceability so the system is not just “paper compliance”.
I want to review my company’s criminal compliance system

Data protection and internal organisation

Data protection is not an add-on. It is a central part of regulatory compliance for any company that processes data relating to clients, employees, suppliers, or users.
In Spain, the core framework is formed by the GDPR and Organic Law 3/2018, and the Spanish Data Protection Agency (AEPD) provides specific guides, tools, and materials to help SMEs and data controllers comply with their obligations. Among these, the AEPD offers Facilita RGPD for companies carrying out low-risk processing activities, as well as dedicated guidance for SMEs.
In practice, this means reviewing:
  • what data is being processed;
  • on what legal basis;
  • what information is being provided to data subjects;
  • what processor agreements are in place;
  • what security and retention measures apply;
  • and how the company responds to data subject requests or incidents.
I want to review data protection and internal organisation

Employment compliance, HR and occupational risk prevention (PRL)

A company’s compliance framework does not stop at internal reporting channels, criminal compliance, or data protection. It also extends to something far more everyday — and far more sensitive: how you hire, how you manage people, how you document decisions, and how you protect the health and safety of your workforce. In occupational risk prevention, Law 31/1995 defines prevention as the set of activities or measures adopted or planned at every stage of the company’s operations to avoid or reduce work-related risks. In addition, the INSST states that the prevention plan is the tool that integrates preventive activity into the company’s overall management system, and that its essential instruments are the risk assessment and the preventive activity planning.
In practice, this means that a well-organised company does not simply “comply because it has to”: it structures HR, internal protocols, recruitment, management processes, training, record-keeping, and prevention systems in order to reduce disputes, accidents, sanctions, and directors’ exposure to liability. The Workers’ Statute also connects several sensitive aspects of this area, such as information rights for employee representatives and the integration of occupational prevention within the employment relationship, while the INSST insists that prevention must be integrated throughout the company’s management and operational structure, rather than existing as an isolated document.
Here, we approach employment compliance, HR and occupational risk prevention with a genuinely practical focus:
  • basic review of employment contracts and labour documentation;
  • internal protocols and traceability of sensitive decisions;
  • coordination between administration, HR, and prevention systems;
  • prevention plans, risk assessments, and preventive activity planning;
  • minimum documentary organisation for inspections, incidents, and disputes;
  • and a review of how the company responds to workplace accidents, breaches, or internal complaints.
The INSST itself highlights that the preventive system must be properly documented and that documentation forms part of the quality and safety of the company’s management system.
I want to review my company’s employment compliance, HR and occupational risk prevention systems

Policies, protocols and internal investigations

A good compliance system does not live in a PDF document. It lives in how the company actually operates internally.
That is why, beyond the reporting channel or the criminal compliance document, the key is to make compliance part of the company’s day-to-day reality:
  • internal policies;
  • operational protocols;
  • basic risk matrix;
  • incident management;
  • internal investigations;
  • document traceability;
  • coordination with administration, HR, and the management body.
The logic behind Law 2/2023 and criminal compliance moves precisely in this direction: ensuring there is an operational system, not a decorative one, and that internal procedures exist to channel information, investigate relevant issues, and reduce the risk of breaches.

How we handle compliance for your company

1. We tell you what you actually need
Not every business needs the same thing. The first step is distinguishing between legal obligations, real risks, and the level of complexity involved.

2. We adapt compliance to the way your company actually works
We do not simply apply “standard models”. We review people, workflows, decision-making processes, documentation, and your real level of exposure.

3. We implement what is essential and genuinely useful
Internal reporting channels, protocols, risk mapping, policies, data protection documentation, contracts, and the minimum control structure your company needs.

4. We leave you with a system that can actually be used
The goal is not for you to have more folders. The goal is that, if something happens, your company has organisation, sound judgment, and the ability to respond properly.

What documentation we need

If you already have it available, it is useful to gather:
  • the company’s organisational chart or basic structure;
  • number of employees;
  • existing internal policies;
  • contracts with key suppliers;
  • data protection documentation;
  • website legal texts and forms, where applicable;
  • the current internal reporting system or channel, if one already exists;
  • and any document that helps us understand how the company makes decisions, documents processes, and exercises control.
If you don’t have everything, that’s fine. We will tell you what is essential and what should be built from scratch.

Not all of them, but Law 2/2023 requires, in the private sector, companies with more than 50 employees to implement an internal reporting system, in addition to other entities specifically covered by the law.

It does work if it is properly implemented. The logic of Article 31 bis and the Prosecutor’s Office doctrine links the criminal liability of legal entities to the existence and effectiveness of organisational and management models designed to prevent offences or significantly reduce their risk.

Yes, it is part of a company’s regulatory compliance framework. In Spain, the core legal framework is formed by the GDPR and the LOPDGDD, and the Spanish Data Protection Agency (AEPD) provides specific guides and tools for SMEs and low-risk processing activities.

Not necessarily. The key is not simply having documents, but having a system that actually works: a reporting channel, procedures, a responsible person, internal policies, traceability, and adaptation to the real structure of the company. This is exactly what Law 2/2023 and the logic of criminal compliance require.


If you want your company to be better protected, it’s better to put order in place early than to react too late

Useful compliance is not about filling folders. It is about ensuring your company knows how to prevent, detect, respond, and properly document everything.
If you want to review your internal reporting channel, criminal compliance, data protection, or your company’s overall regulatory compliance, we can help you implement it with a clear focus: legal certainty, internal order, and real protection for your business.
Request an initial compliance assessment

ASO Corporate
