The Compliance Officers And The Constitutional Limitations Of Their Investigations In Spain

Since the Spanish Penal Code's reform back in 2010, companies have been working on their criminal risk management programs. To be really effective, such programs need professionals who know the internal regulations and can guarantee strict compliance with them inside the company: the Compliance Officer. Said Compliance Officer must manage all the company's legal risks and will be the one in charge of handling the information and investigation tasks regarding compliance with the company's regulations. Under such internal regulations, the Compliance Officer may request access to all technological resources provided by the company. May the Compliance Officer access such resources at will? May he access the employees' email boxes without any limitation? May he check the hard drives of the employees' computers? May he record conversations within the company? Although there is no indisputable answer to all these questions, there are indeed several keys that must always be followed.


Back in 2010, contrary to what we had learnt in the Spanish Schools of Law ("societas delinquere non potest"), legislators astonished everyone by reforming the Penal Code and incorporating into it article 31.bis, which provides moral entities with the capacity to commit crimes. More recently, the Government, pending the definition of the liability framework of moral entities, drafted a reform Project of the Penal Code, whose approval by the Spanish Congress took place on January 21, 2015. Said reform specifies the requirements that moral entities shall comply with in order to prove the "due control" inside their organizations that will allow them to prevent corporate liability, above and beyond the corporate liability of those persons within the organization who may have committed a crime. These requirements can be summarized as criminal risks, preventive protocols and the availability of material and human resources whose purpose is the management of such risks.

Certainly, the future for moral entities, and especially for corporations, will lead them to seriously review their current Codes of Conduct or "Ethics". Having general internal protocols crammed with good intentions will not suffice; it will be of the essence to provide answers to those requirements in order to protect the company from possible corporate liability arising from the accusation of a crime committed by its administrators, managers, directors and/or employees.

Now that parliamentary approval is soon to come, it is the moment for all corporations to focus on complying with this regulation and setting their own protocols and mechanisms that match these requirements.

Who is the Compliance Officer?

Major national and multinational corporations have been working on their criminal risk management protocols since the reform of 2010, substituting or complementing their former codes of conduct and prevention programs. Lacking a national legislative reference, these companies have turned to comparative law in search of a legal frame that would be of use in adapting their codes and internal protocols. It is precisely from this frame that the Compliance Officer arises.

The Compliance Officer is not a figure that is expressly regulated in Spanish Law; nevertheless, it is indeed regulated, in a way, in the reform Project of the Penal Code as the "organ of the moral entity with autonomous powers of initiative and control." Despite being a figure that lacks shape and content from a legal standpoint in Spain, its incorporation in Spanish companies is increasingly common.

We may refer to other similar figures, such as those responsible for complying with the due diligence measures of companies that are subject to Anti-Money Laundering Regulations, but the truth of the matter is that they are different legal bodies, with equally different legal consequences.

So then who is the Compliance Officer in the companies? The answer is clear: he will be the one responsible not only for compliance with the moral and ethical conduct implemented by the company but, especially and additionally, for compliance with all those legal obligations that imply a risk to the company.

The need to generate confidence in the market and protect companies' reputation was the first motive to establish norms of conduct. Later on, other laws like Anti-Money Laundering regulations led the entities involved to give their codes of conduct a much more legal and binding character. And with the reform of the Penal Code, the corporate compliance programs have become still more compelling.

These programs, in order to be effective and efficient, need people who know such norms and guarantee strict compliance with them inside the company. These persons are known as Compliance Officers, and despite being a figure that lacks specific status and regulation, its existence and appointment as guarantor of legal compliance is a legal duty.

Therefore, the Compliance Officer will be in charge of managing legal risks, and will be responsible for informing on and investigating every fact related to compliance with the companies' regulations. Whether "ex officio" or following a complaint reported through a complaints box ("Whistleblowing"), the Compliance Officer shall initiate an investigation in order to check any possible violation detected or denounced.

The investigation tasks of the Compliance Officer and the lack of a specific legal frame.

In the course of his/her internal investigations, the Compliance Officer may request access to technological resources placed at the disposal of the administrators, managers, directors and employees by the companies, or to technological systems of control established to protect the very same companies. In such a scenario, plenty of questions arise: May the Compliance Officer freely access these means? May s/he freely access the emails or texts that are sent or received? May s/he monitor computers and check their hard disks? May s/he check the internet sites that have been visited by the employees during working hours? May s/he record conversations, either private or professional, made from the mobile phones put at the employees' disposal by the company? May the video-surveillance cameras or the GPS locators be used at his/her discretion?

Although the answer to many of these questions could seem evident from a theoretical standpoint (there are constitutional rights at stake), in practice the answers are far more complex. There are a few guidelines that the Compliance Officer must always bear in mind to prevent the information obtained from his/her investigations from being invalid, or even illegal, for violating constitutional rights. These guidelines can be extracted from the analysis of the Supreme Court and Constitutional Court rulings of recent years.

Jurisprudence has already given an answer to some of the questions that we have pointed out above. However, closely following the evolution of jurisprudence will be of the essence to see what the criterion on the new technological means that are incorporated into the company's...
