Estrategeos
Internal information system · Law 2/2023

Whistleblowing channel

Internal Information System established by Estrategeos S.L. under Spanish Law 2/2023, of 20 February, on the protection of persons reporting on regulatory infringements and the fight against corruption — transposing EU Directive 2019/1937 — and under Law 10/2010 on the prevention of money laundering.

Last updated: 25 April 2026 Law 2/2023 · Law 10/2010 EU Directive 2019/1937

Legal framework and obligation

Spanish Law 2/2023 of 20 February (hereinafter, Law 2/2023) transposes EU Directive 2019/1937 into Spanish law and requires certain entities to operate an Internal Information System for receiving reports on infringements of Union and Spanish law.

Estrategeos S.L. qualifies as an obliged entity under Law 10/2010 of 28 April on the prevention of money laundering and the financing of terrorism, in its capacity as a tax advisory firm (Article 2.1.t of Law 10/2010). Pursuant to Article 10.1 and the Fifth Additional Provision of Law 2/2023, all entities subject to Law 10/2010 must implement an Internal Information System irrespective of headcount.

Approved by the governing body

This Internal Information System has been approved by the governing body of Estrategeos S.L. and is permanently published on this website pursuant to Article 5.2.j of Law 2/2023. Any modification will be reflected on this page with the corresponding update date.

Material scope

This channel may be used to report acts or omissions that may constitute, under Article 2 of Law 2/2023:

  • Acts or omissions that may constitute infringements of EU law in the areas listed in the Annex to Directive 2019/1937 — including public procurement, financial services, prevention of money laundering, environmental protection, product safety, personal data protection and protection of the financial interests of the Union.
  • Acts or omissions that may amount to a criminal offence or to a serious or very serious administrative infringement, including those resulting in financial loss to the public treasury or to the Social Security system.
  • Conduct contrary to the Anti-Money-Laundering and Counter-Financing-of-Terrorism Manual approved by Estrategeos S.L. under Law 10/2010 and Royal Decree 304/2014.
  • Conduct contrary to the Code of Ethics of the Spanish Register of Tax Advisors (REAF) and to the professional standards applicable to the firm's services.
  • Breaches of Regulation (EU) 2016/679 (GDPR) and of Spanish Organic Law 3/2018 (LOPDGDD) in the processing of personal data by the firm.

The following matters are expressly excluded, in accordance with Article 2.4 of Law 2/2023: classified information, information protected by legal professional privilege, the confidentiality of judicial deliberations and matters covered by criminal procedure rules. Commercial complaints regarding the provision of services are also outside the scope of this channel and will be handled through the ordinary channels.

Reporting persons

Pursuant to Article 3 of Law 2/2023, the channel may be used by natural persons who become aware of any of the conduct within the material scope in the context of an employment or professional relationship with Estrategeos S.L., regardless of whether such relationship has been terminated or has not yet commenced:

  • Persons holding a present or past employment, commercial or statutory relationship with the firm.
  • Trainees, volunteers and external collaborators in training.
  • Persons whose employment relationship has ended, as well as candidates whose recruitment or pre-contractual negotiations did not progress.
  • Self-employed professionals, contractors and subcontractors related to Estrategeos S.L., as well as their employees.
  • Shareholders, partners, members of the governing body and managerial staff.
  • Clients, interested third parties and members of the public who become aware of the conduct in the context of a professional relationship with the firm.

The protection afforded by Law 2/2023 also extends to facilitators, third parties connected with the reporting person (colleagues, relatives) and legal entities for which the reporting person works or with which they have any work-related connection.

Reporting channels

The Internal Information System of Estrategeos S.L. accepts written and oral reports, identified or anonymous, through the following channels:

  • Encrypted email: canal.etico@estrategeos.com — restricted-access mailbox monitored only by the System Manager, with reinforced confidentiality compared to ordinary corporate mailboxes.
  • Registered postal mail: Estrategeos S.L. — System Manager — C/ Postas, 16 — 4th floor DC, 28012 Madrid, Spain, in a sealed envelope marked "Confidential — Ethics Channel".
  • Oral reporting: upon written request to the email address above, by means of a face-to-face meeting or video conference with the System Manager within seven days of the request. The conversation will be documented in minutes signed by both parties; the reporting person may refuse recording.

Anonymous reports are accepted and handled in accordance with Article 7.3 of Law 2/2023. In such cases, the firm will provide a two-way communication channel allowing the case to be followed up without disclosing the reporting person's identity.

Out of scope

This channel is not an avenue for commercial complaints, technical incidents on the client portal, tax queries on case files or GDPR rights requests. Such matters should be addressed to admin@estrategeos.com (general handling) or to privacidad@estrategeos.com (data protection rights).

System Manager

Pursuant to Article 8 of Law 2/2023, the governing body of Estrategeos S.L. has appointed a natural person as System Manager of the Internal Information System, with functional autonomy and independence from the rest of the firm's bodies, and bound by reinforced duties of confidentiality and professional secrecy.

The identity of the System Manager and the direct contact mechanisms beyond the general channels described above have been communicated to the governing body and to the firm's personnel through the relevant internal means and are accessible to reporting persons by written request to canal.etico@estrategeos.com.

The appointment was notified to the Independent Authority for the Protection of Reporting Persons (A.A.I.) under Article 8.5 of Law 2/2023. Any revocation or replacement may only occur for justified cause and shall be notified to that Authority.

Safeguards and prohibition of retaliation

Estrategeos S.L. guarantees to reporting persons and to those protected under Article 3 of Law 2/2023:

  • Confidentiality of identity of the reporting person and of any third party mentioned in the report; only the System Manager and, where applicable, the designated investigating body shall have access.
  • Absolute prohibition of retaliation under Article 36 of Law 2/2023, including any form of suspension, dismissal, change of conditions, denial of promotion, transfer, negative evaluation or non-renewal adopted as a consequence of the report.
  • Reversal of the burden of proof in retaliation proceedings: the firm must demonstrate that the measures adopted are based on different and duly justified grounds (Article 38 of Law 2/2023).
  • Assistance and support measures: right to independent advice, free legal aid as provided by law, and psychological support, under Articles 41 and 42 of Law 2/2023.
  • Exemption from liability for reporting or publicly disclosing information lawfully obtained, under Article 39 of Law 2/2023, save in cases of wilfully false reporting.

Retaliation against a reporting person constitutes a very serious infringement punishable by a fine of up to €1,000,000 for legal persons (Article 65 of Law 2/2023) and may, in addition, amount to the criminal offence under Article 197 quater of the Spanish Criminal Code.

Handling procedure and deadlines

Once a report is received, the Internal Information System will operate within the maximum deadlines set out in Article 9 of Law 2/2023:

  • Acknowledgement of receipt to the reporting person within a maximum of seven calendar days from receipt, unless such acknowledgement could compromise the confidentiality of the report.
  • Preliminary admissibility assessment within a reasonable period sufficient to support the decision to admit, dismiss or refer the matter to another competent authority.
  • Decision and feedback to the reporting person within a maximum of three months from receipt, extendable for an additional three months in cases of particular complexity duly justified, with prior notice to the reporting person.

The case file shall include, as a minimum: identification of the person responsible for handling, relevant dates, description of the reported facts, investigative steps taken, conclusion and, where applicable, corrective or disciplinary measures adopted. The reporting person shall be informed of the actions taken and, where appropriate, of the final outcome.

Where the facts may amount to a criminal offence, the competent body shall immediately refer the information to the Public Prosecutor's Office or to the European Public Prosecutor's Office where the facts affect the financial interests of the Union.

Personal data processing

Personal data processing relating to the channel is carried out in accordance with Chapter IX of Law 2/2023 (Articles 30 to 35), Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD).

  • Data controller: Estrategeos S.L., NIF B02715894, C/ Postas 16 — 4th floor DC, 28012 Madrid, Spain.
  • Purpose: receipt, registration, analysis and handling of reports submitted through the Internal Information System, as well as adoption of the corrective and disciplinary measures arising from them.
  • Lawful basis: compliance with a legal obligation to which the controller is subject (Article 6.1.c GDPR), in connection with Articles 10 and 30 of Law 2/2023 and with Law 10/2010.
  • Categories of data: identification data of the reporting person (where the report is not anonymous), identification data of the persons referred to in the report, description of the facts, supporting documentation and, where applicable, data relating to administrative or criminal infringements under Article 30.1 of Law 2/2023.
  • Recipients: System Manager, designated investigating body, external legal advisors bound by professional secrecy, administrative or judicial authorities where there is a legal obligation to disclose, and the Public Prosecutor's Office or European Public Prosecutor's Office where the facts may amount to a criminal offence.
  • Retention period: data is kept only for the time strictly necessary to decide whether to open an investigation. If three months pass without action, data is deleted, unless the purpose is to leave evidence of the operation of the prevention model. In any case, the maximum retention period is ten years under Article 32 of Law 2/2023.
  • Rights: access, rectification, erasure, objection, restriction and portability may be exercised before the System Manager. The right of access of the person concerned by the report is modulated under Article 33 of Law 2/2023 to preserve the confidentiality of the reporting person. There is also a right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

External reporting

Use of the internal channel is not mandatory. The reporting person may choose to address themselves directly to the external channel of the Independent Authority for the Protection of Reporting Persons (A.A.I.) regulated under Title IV of Law 2/2023, as well as to the relevant sectoral authorities, without losing any of the safeguards and protective measures recognised by Law 2/2023:

  • Spanish Securities Market Commission (CNMV) in matters of securities markets and financial instruments.
  • Spanish Markets and Competition Commission (CNMC) in competition matters.
  • SEPBLAC (Executive Service of the Commission for the Prevention of Money Laundering) on money laundering and terrorist financing matters.
  • Spanish Data Protection Agency (AEPD) on personal data protection matters.
  • European Anti-Fraud Office (OLAF) and European Public Prosecutor's Office on the protection of the Union's financial interests.
  • Autonomous regions that have set up their own authorities for the protection of reporting persons.

The right of public disclosure under Article 28 of Law 2/2023 is recognised for those who have previously reported through internal and/or external channels without measures having been adopted within the legal deadlines, or where there is an imminent or manifest danger to the public interest.

Records and retention

Estrategeos S.L. keeps a register of reports received and of the internal investigations they have triggered, ensuring the confidentiality requirements set out in Law 2/2023 (Article 26). This register is not public and is only accessible to the competent Authority by reasoned decision in the framework of proceedings aimed at determining potential liability.

Personal data not necessary for the handling and investigation of the report shall be deleted immediately. Retention of the case file shall cease upon expiry of the periods set out in Article 32 of Law 2/2023, without prejudice to applicable accounting, tax or judicial retention periods under other rules.

For any query regarding the operation of the Internal Information System other than the submission of a specific report, please contact canal.etico@estrategeos.com.