Since the Spanish Penal Code's reform back in 2010, companies have been working on their criminal risk management programs. To be really effective, such programs need professionals who know the internal regulations and can guarantee strict compliance with them inside the company: the Compliance Officer. The Compliance Officer must manage all the company's legal risks and is the one in charge of handling the information and investigation tasks regarding compliance with the company's regulations. Under such internal regulations, the Compliance Officer may request access to all technological resources provided by the company. May the Compliance Officer access such resources at will? May he access employees' mailboxes without any limitation? May he check the hard drives of employees' computers? May he record conversations within the company? Although there is no indisputable answer to all these questions, there are several key guidelines that must always be followed.


Introduction.

Back in 2010, contrary to what we had learnt in the Spanish Schools of Law ("societas delinquere non potest"), legislators astonished everyone by reforming the Penal Code and incorporating article 31.bis, which provides moral entities with the capacity to commit crimes. More recently, the Government, pending the definition of the liability framework of moral entities, drafted a Project to reform the Penal Code, whose approval by the Spanish Congress took place on January 21, 2015. Said reform specifies the requirements that moral entities shall comply with in order to prove the "due control" inside their organizations that will allow them to prevent corporate liability, above and beyond the liability of those persons within the organization that may have committed a crime. These requirements can be summarized as criminal risks, preventive protocols and the availability of material and human resources whose purpose is the managing of such risks.

Certainly, the future for moral entities, and especially for corporations, will lead them to seriously review their current Codes of Conduct or "Ethics". Having general internal protocols crammed with good intentions will not suffice; it will be of the essence to provide answers to those requirements in order to protect the company from possible corporate liability arising from the accusation of a crime committed by its administrators, managers, directors and/or employees.

Now that parliamentary approval is soon to come, it is the moment for all corporations to focus on complying with this regulation and setting their own protocols and mechanisms that match these requirements.

Who is the Compliance Officer?

Major national and multinational corporations have been working on their criminal risk management protocols since the reform of 2010, substituting or complementing their former codes of conduct and prevention programs. Lacking a national legislative reference, these companies have turned to comparative law in search of a legal frame that would be of use in adapting their codes and internal protocols. It is precisely from this frame that the Compliance Officer arises.

The Compliance Officer is not a figure that is expressly regulated in Spanish Law; nevertheless, it is regulated, in a way, in the reform Project of the Penal Code as the "organ of the moral entity with autonomous powers of initiative and control." Despite being a figure that lacks shape and content from a legal standpoint in Spain, its incorporation in Spanish companies is increasingly common.

We may refer to other figures alike as those responsible for complying with the due diligence measures of those companies that are subject to Anti-Money Laundering Regulations, but the truth of the matter is that they are different legal bodies; with equally different legal consequences.

So then who is the Compliance Officer in the companies? The answer is clear: not only will he be the one responsible for compliance with the moral and ethical conducts implemented by the company but, especially and additionally, for compliance with all those legal obligations that imply a risk to the company.

The need to generate confidence in the market and protect companies' reputation was the first motive to establish norms of conduct. Later on, other laws like Anti-Money Laundering regulations led the entities involved to give their codes of conduct a much more legal and binding character. And with the reform of the Penal Code, the corporate compliance programs have become still more compelling.

These programs, in order to be effective and efficient, need people who know such norms and guarantee strict compliance with them inside the company. These persons are known as Compliance Officers, and despite being a figure that lacks specific status and regulation, its existence and appointment as guarantor of legal compliance is a legal duty.

Therefore, the Compliance Officer will be in charge of managing legal risks, and will be responsible for informing on and investigating every fact related to compliance with the company's regulations. Either "ex officio" or following a complaint reported through a complaints box ("Whistleblowing"), the Compliance Officer shall initiate an investigation in order to check any possible violation detected or denounced.

The investigation tasks of the Compliance Officer and the lacking of a specific legal frame.

In the course of his/her internal investigations, the Compliance Officer may request access to technological resources at the disposal of the administrators, managers, directors and employees by the companies; or to technological systems of control established to protect the very same companies. In such a scenario, there are plenty of questions that arise: May the Compliance Officer freely access these means? May s/he access freely the emails or texts that are sent or received? May s/he monitor computers and check their hard disks? And check the internet sites that have been visited by the employees during working hours? May s/he record conversations, either private or professional, made from the mobile phones put at the employees' disposal by the company? May the video-surveillance cameras or the GPS localizers be used at his discretion?

Although the answer to many of these questions could be evident from a theoretical standpoint (there are constitutional rights at stake), in practice the answers are far more complex. There are a few guidelines that the Compliance Officer must always bear in mind to prevent the information obtained from his/her investigations from being invalid, or even illegal, for violating constitutional rights. These guidelines can be extracted from the analysis of the Supreme Court and the Constitutional Court rulings of the last years.

Jurisprudence has already given an answer to some of the questions that we have pointed out above. However, following the evolution of jurisprudence very closely will be of the essence to see what the criterion is on the new technological means that are incorporated into the company's activity and, especially, on the new working processes (i.e. those carried out through technological means owned by the administrators, managers, directors and employees (BYOD)).

If the lack of a specific and particular legislative status for the Compliance Officer is not worrying enough, the non-existence of a specific regulation for the use of these technological resources within the entrepreneurial sphere recommends maximum diligence when the Compliance Officer accesses technological tools provided by the company, and especially those that are owned by the people working in the organization.

Nevertheless, despite lacking specific regulations on the topic we can hold on to a more general legal frame; and more specifically, to the one provided by the Workers' Statute, upon which jurisprudence is based when settling conflicts among entrepreneurs and employees referring to the rights to privacy and to secrecy of communications. And such jurisprudence can be adjusted to the dilemmas that the Compliance Officers shall face when carrying out their tasks.

The Workers' Statute differentiates two possible scenarios:

  1. Article 18 on the inviolability of the employee that regulates the search over his/her own body, locker and personal belongings. The article allows such searches: "when necessary for the protection of the company and the rest of the employees' patrimony, inside the working premises and in working hours. In these searches, the employees' dignity and privacy will be respected to the maximum; and there will always be one employees' representative present. In case that there is not any representative present in the working premises, another employee shall be present, whenever it is possible."
  2. Article 20.3 on self-organization power and control of the labor activity, that allows the entrepreneur to: "adopting the measures that s/he considers more convenient on surveillance and control to verify compliance by the employee with his/her obligations and labor duties."

The Supreme Court, in its ruling of September 26, 2007, solved the doubt on which of these two articles was to be applied to controls made by entrepreneurs on the technological means provided to employees; and it established that the article that applies was (and still is) article 20.3 of the Statute of Workers.

Once this first problem has been solved, both the Supreme Court and the Constitutional Court have had to pronounce on the balance of the constitutional rights that protect employees and entrepreneurs, having to decide on the prevalence among:

  1. Article 18 of the Spanish Constitution that contains the rights to privacy, to secrecy of communications and to protection of the personal data; and
  2. Articles 33 and 38 of the Spanish Constitution that recognize, respectively, the rights to private property and to freedom to conduct a business.

Articles 18 and 20.3 of the Workers' Statute contemplate different cases. However, they both agree on one thing: safeguarding the employee's dignity. And such dignity, at a constitutional level, materializes in the respect for constitutional rights such as privacy (article 18.1 SC), secrecy of communications (article 18.3 SC), and data protection (article 18.4 SC).

From a practical standpoint, the employee's dignity will oblige the Compliance Officer to be very rigorous in his/her investigations. He shall then avoid accessing private information of the employee whenever he is unauthorized to do so; and avoid exceeding his investigation, when authorized.

Likewise, whenever applying her/his measures or control, the Compliance Officer shall take into account the likely existence in the company of a tolerance of private use of the means provided by the company to its managers, directors and employees. Jurisprudence admits the existence of a "generalized social habit of tolerance" towards the moderate personal use of the IT and communication resources provided by the company, which cannot be ignored when applying surveillance and control measures to the means facilitated by the company. This tolerance creates a certain "general expectation of confidentiality"[1] for the employees who use such technological and IT resources of the company.

Practical solutions to the lack of specific regulations: limitations on the tasks of the Compliance Officer.

How shall Compliance Officers act in order to fulfill their duties and respect the rights of the people who have been denounced or are being investigated? Compliance Officers shall have a wider or smaller freedom to operate depending on the company's policy of use of the technological resources, which in some cases is nonexistent. We shall consider some of the situations discussed by the jurisprudence that Compliance Officers can meet, and the outcome of their actions in every one of these situations:

1. Existence of one policy of use defined and communicated to managers, directors and employees of the company:

In the event that the company has defined the policy of use[2] of the IT and technological means, and has informed managers, directors and employees of it in accordance with the criteria set forth by the jurisprudence, it cannot be understood that controls made by the company breach the "reasonable expectation of confidentiality" pointed out above. Access of Compliance Officers to such technological means facilitated to employees will be justified by the internal policy of use itself. Nevertheless, it is an essential condition that such a policy of use has been previously notified and reported.

2. Existence of an absolute prohibition by the company of use of the technological means for private use:

In the event that the entrepreneur does not have one policy of use defined and reported to managers, directors and employees, but such private use of technological means has been expressly prohibited, Compliance Officers shall access the information contained in the resources facilitated by the company, but their investigations should be moderate. Jurisprudence, both of the Supreme Court and of the Constitutional Court, has considered that the notice of such prohibition suffices to avoid this reasonable expectation of confidentiality[3]. This may be a not very safe option though, since the Constitutional Court, in its Ruling of February 11, 2013 (in application of the Ruling 292/2000), recognized that without the previous information on the purpose of the personal data processing (article 5 LOPD), the evidence obtained (in this case, through a video-surveillance system) is not valid.

We will have to be very alert to the evolution of Spanish jurisprudence in the forthcoming years to evaluate if the absolute prohibitions, both those noticed by the company and those that can be incorporated into collective agreements, are enough to authorize any type of access and control by the company and, consequently, by the Compliance Officer over the means provided to managers, directors and employees.

3. Non-existence of a policy of use; non-existence of a total prohibition of use of the company means for private use:

From the jurisprudence of the Spanish Supreme Court and the Spanish Constitutional Court it can be deduced that Compliance Officers might access the means facilitated by the company: i) whenever there is one fair cause that justifies this, a fair cause being one "piece of evidence – clear and strong – that one irregularity is being committed; an action against the company's regulations, or that breaches the labor duties"; and ii) that the measure used is proportional[4]. The proportionality principle requires three criteria: 1) suitability ("the investigation is suitable for the purpose pursued"); 2) necessity ("there is no other means that is less detrimental"); and 3) proportionality "stricto sensu" ("out of the investigation arise more benefits for the common good than the private"). This principle is justified in the doctrine of the Spanish Constitutional Court as follows: "there are no constitutional rights that are absolute" and "such constitutional rights may break before constitutionally relevant interests"[5]. Under this doctrine, the Spanish Constitutional Court weighs up the constitutional rights at stake. The Spanish Constitution contemplates different rights that may occasionally clash; the Spanish Constitutional Court is the one in charge of finding the balance and pronouncing on which right prevails when such a balance is not possible anymore. This way, the constitutional rights of employees to privacy, to secrecy of communications and to data protection in the labor sphere are recognized; but, on the other hand, the Constitution also recognizes other rights of entrepreneurs that must be protected; in this case, the rights to private property and the freedom to conduct a business.

In any case, even in the event that the company has a policy of use that has been correctly reported, Compliance Officers shall not overreach in their investigations. Actually, the Spanish Supreme Court, as well as the Spanish Constitutional Court, has warned that the very same control measures must be duly provided, rejecting excessive controls or those that may come to create personality profiles, and avoiding what has been called by the Spanish jurisprudence "excess of care"[6].

Consequently, Compliance Officers must not exceed their controls. Depending on their level, such excessive controls could affect not only the validity of the evidence obtained but, additionally, could be categorized as crimes for breaching the secrecy of communications and privacy (art. 197 of the Spanish Penal Code).

Recent jurisprudence interpretation changes.

During the last two years, the Spanish Supreme Court, as well as the Spanish Constitutional Court, has issued several judgments that may condition one doctrine regarding the contents of the rights to privacy, to secrecy of communications and to personal data protection; one doctrine that already seemed to be consolidated. These last sentences (not exempt from controversy, since private votes have been issued), and their possible consolidation as jurisprudence, will surely affect the investigations of the Compliance Officers.

In the first place, we should refer to Ruling of the Spanish Constitutional Court number 29/2013, of February 11, that admitted the appeal on the grounds of violation of the right to data protection, for taking images through video-surveillance systems (doctrine that has been consolidated with a later Ruling of the Spanish Supreme Court of 2014). The Ruling's importance (it was dictated in application of the Ruling 292/2000, of November 30 [RTC 2000, 292] of the very same Spanish Constitutional Court that sentenced the unconstitutionality appeal on the Organic Law of Data Protection) resides in the fact that it integrates the right to information as an essential and intrinsic part of the right to data protection, not admitting the validity of the images taken by a video-surveillance system when they do not match the purpose for which they were previously informed[7]. This interpretation (as many think, an excessive guarantor of the right to data protection; in fact, the Ruling contradicts the Ruling of the Spanish Supreme Court that ruled the appeal) is not exempt from controversy and shall create during the forthcoming years new resolutions and rulings that, undoubtedly, need to be analyzed.

And, secondly, it is important to mention the Ruling of the First Courtroom (Penal) from the Supreme Court 28/44 of June 16, 2014, on falseness of corporate documentation, embezzlement and secrecy of communications, that reminds us which measures shall be taken in order to preserve the validity of the evidence that affects the right of communications (i.e. an email of the employee that proves that one felony or crime has been committed or that he/she has breached his/her labor obligations). In that sense, against all that has been stated by the Labor Courtroom of the very same Spanish Supreme Court over the last years, and by the Spanish Constitutional Court, the Penal Courtroom states as follows: "for criminal purposes", one Court order is of the essence to access the information displayed in any communication resource; without it, not only shall the evidence be void, but also the people accessing the information shall be committing a crime for violating the secrecy of communications. Notwithstanding the above, the Court nuances that article 18.3 of the Spanish Constitution (on the right of communications) does not protect messages, but "communication resources themselves". And it expressly exempts certain cases under which such Court order shall not be necessary: i) messages "once received and open by the receiver"; ii) traffic data of communications (that is to say, time consumed during the communications, the lines used, the duration of the communication, etc.); and iii) the use of the computer in order to surf the web (i.e. visited sites, time consumed navigating, etc.). Obviously, it specifies, in such cases guarantees on data protection and privacy shall apply.

Recommendations to guarantee the investigations of Compliance Officers at maximum.

The recognition of the right to information as the core of the right to data protection shall entail, in the future, the appearance of new rulings that affect not only the use of video-surveillance systems, but also other means or technological resources provided by the companies to their employees in order to control the compliance of their labor obligations; and among them, those of complying with legal risks and management compliance.

The rulings of the Spanish Supreme Court and of the Spanish Constitutional Court from September 26, 2007 and February 11, 2013, focused on analyzing the access to technological means facilitated by the companies to their employees from the perspective of the rights to privacy and to secrecy of communications. From now on, the Spanish Courts shall analyze, together with those constitutional rights, the respect for the right to data protection, especially when it is argued that the company has not duly reported the policy of use of the means or technological resources facilitated to the employees (i.e. monitoring, random controls, resources audits, etc.) or of the controls over the labor activity exercised through other technological resources that are not facilitated to employees but are equally active or invasive, such as, among others, video-surveillance cameras or GPS geo-localisation.

We shall be alert to the evolution of the Spanish jurisprudence, but in the meantime, and for the legal risks management policies' sake and security, and of the very same activity of Compliance Officers, the following measures are advised:

  1. Create one internal policy, clear and balanced, on the uses of technological means facilitated by the companies to their managers, directors and employees. Such policy shall include points as relevant as the following: i) establish the prohibitions (absolute/partial) on private use; ii) identify the means that shall be applied in order to verify the correction of the uses (i.e. monitoring, audits, etc.); and iii) cite the measures that shall be adopted in order to guarantee the effective labor utilization of the resources (i.e. if the entrepreneurs do not want employees to visit specific web sites during working hours, they may limit access to them, or close access to USB ports in order to prevent them from extracting privileged information from the company, etc.).
  2. Inform the managers, directors and employees to whom the electronic resources have been provided of the company's policy of use, communicating such regulations individually to every one of them, publicizing the program that contains such policy on the company's web site, providing training courses, and establishing warnings and periodic alerts on such policy of use, which shall allow the company to fulfill the right to information requested by the Ruling of the Spanish Constitutional Court number 29/2013.
  3. Define a clear policy with the owners of the technological means, when they are provided by the very same managers, directors and employees, establishing separate access fields for the professional and personal spheres.
  4. Act under the criteria of proportionality and prudence in the investigation tasks, avoiding obtaining more information than is essential in order to prove the facts investigated.
  5. Request court cooperation when it is necessary to access emails or instant messages (especially when those messages prove to be "not open"), in order to avoid the right of secrecy of communications being deemed breached, thus complying with the warning of the Spanish Supreme Court Ruling 28/2014.

The companies shall, therefore, not only have one policy on legal risks management, but also, especially and additionally, dictate and keep up to date an internal policy on the use of technological and electronic resources.

Only following these minimum recommendations (as long as no legal frame is established that regulates the Compliance Officer's status and/or no specific regulation is established on the use of technological resources in the company's sphere) provides a maximum guarantee of a satisfactory conclusion of the investigations of the person in charge of legal risks management in our companies, that is to say, the Compliance Officer.


[1] The European Court of Human Rights Judgments, June 25, 1997 (TEDH 1997, 37) (Halford case) and April 3, 2007 (TEDH 2007, 23) (Copland case) to evaluate the existence of violations of Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (RCL 19799, 2421).

[2] Supreme Court Judgment (Labor Courtroom, Section 1) of September 26, 2007 relating the right to personal privacy established that: "what the Company must do, according to the duty of good faith is establishing previously the rules of use of the means – applying absolute and partial prohibitions – and informing the employees that controls are going to be carried out and that the means that must be applied in order to verify the correction of the uses, as well as the means that must be adopted, if any, in order to guarantee the effective labor use of the means when it is necessary, without prejudice of the possible application of other means of preventive character, as the exclusion of certain connections." In the same sense, the Constitutional Court pronounces on Judgment 241/2012, of December 17, concerning the right to privacy and to secrecy of communications: "(...) we are dealing with communications among employees that were done when introducing the software on a computer of common use for all the employees of the company without any sort of precaution. In that sense, such communications stay out of constitutional protection for dealing with communications that are legally categorized as open, and thus, not secret. Hence, the intervention from the entrepreneur that is object of analysis cannot be deemed as an action that breaches the right to the secrecy of communications, since such intervention is subsequent to a coincidental discovery from one of the users, employee of the company, that informs the management about its contents, adjusting the management their controlling actions to a sufficient standard of reasonability, without any breach or violation of the employees' fundamental rights being observed, since the access to the contents of the instantaneous messenger software "Trillian" only happened once the company was aware of the downloading of the software through the referred employee. The intervention from the entrepreneur limits to the verification of the downloading of the software on the computer of common use, with the aim of verifying if there had been any breach by the referred employees and its scope, executing the intervention within a reasonable two-months delay since the company became aware of the existence of the messenger software, (...) and without publicity to any third party. All these allegations break the alleged breach of fundamental right, before the lack of secrecy of communications, since these were open and did not contain the conditions that could preserve them."

[3] Judgment of the Supreme Court (Labor Courtroom, Section 1) of October 6, 2011 relating to the right to personal privacy established as follows: "Once accepted the validity of such a categorical prohibition, that carries with it the warning on the possible downloading of control systems of use of the computer, it is not possible to admit that arises the right of the employee to have his/her privacy respected in the use of the IT means at his/her disposal. (...). But if there is a prohibition of personal use, there is no tolerance any more and such expectation of privacy ceases to exist, independently of the information that the company has been able to provide on the control and its scope; control that, on the other hand, is inherent to the very own work and to the means used to such purpose, and so it is legally foreseen." In the same sense, but regarding the prohibition of absolute usage of the means given to the employee through Collective Agreement, the Judgment of the Constitutional Court (Courtroom 1) Judgment number 170/2013: "(...) the parties to the procedure were subject to the application scope of the XV Collective Agreement of the chemistry industry (...). In its article 59.11 it was classified as serious offence the "use of the means owned by the company (e-mail, Intranet, Internet, etc...) for different purposes related with the contents of the labor activity (...)". The express conventional prohibition of the extra-labor usage of the e-mail and its subsequent limitation to professional purposes carried with it, implicitly, the faculty of the Company to control its usage, in order to verify the accomplishment by the employee of his/her obligations and labor duties, including his/her adequacy to the exigencies of the good faith [arts. 5 a) and 20.2 and 3 LET]. In the case subject to study, the sending of emails analyzed was executed through a channel of communication that, according to legal and conventional previsions, was open to the exercise of power of inspection awarded to the entrepreneur; submitted thus to his possible verification, which is why, in accordance with our doctrine, it was out of the constitutional protection of article 18.3."

[4] Supreme Court Judgment (Labor Courtroom, Section 1) of March 8, 2011, regarding the right to privacy of the employees for investigating the computer without previous warning on the possible limits of use and of execution of controls to that purpose. According to the Court: "the fact of the matter is that, on the Internet access history the computer used by the Maintenance Supervisors – the plaintiff employee among them –, all and every one of the specific "visits" done to Internet appear, as it is specified in the termination letter. That is to say, it does not refer globally to times and sites visited by the employee, but also to the domain and contents of these: sites of multimedia contents (videos); IT piracy sites; sites of classified advertisements for individuals; sites of Internet TV access; access to personal email; sites for consultation on topics related to female sex, etc...; which undoubtedly entails a violation of his right to privacy according to and within the terms of the doctrine that has been referred to above."

[5] As an example of such doctrine, the Constitutional Court Judgment number 170/2013, of October 7: "in accordance to our reiterated doctrine, the right to privacy is not absolute – as none of the fundamental rights are –, being possible that they give yield before constitutionally relevant interests, provided that the limit that such constitutional right has to experience reveals as necessary to reach a constitutionally legitimate purpose and it is proportionate." (STC 115/2013, of May 9 (RTC 2013, 115), FJ 5; or SSTC 143/1994, of May 9 (RTC 1994, 143) FJ6; and 70/2002, of April 3 (RTC 2002, 70), FJ 10).

[6] Constitutional Court Ruling 98/2000, of April 10 on auditory surveillance/casino, according to which the Court ruled that although the installation of microphones inside the working premises had been warned by the entrepreneurs to their employees and the company's committee, the measure adopted by the casino was totally disproportionate and unjustified and, thus, violated the right to privacy and ruled in favor of the employee: "This is why, this Court has remarked the need that the court rulings, in cases like this one, preserve the necessary balance among the obligations arising from the contract for the employee and the sphere – modulated by the contract, but in any case subsistent – of his/her constitutional freedom (STC 6/1998, of January 21). Given the preeminent position of the fundamental rights in our system of law, this modulation shall only happen: "in the strictest measure necessary for the right and correct development of the productive activity" (STC 99/1994). This entails the need to proceed with an adequate consideration (SSTC 20/1990, of February 15 [RTC 1990, 20], 171/1990, of November 12 [RTC 1990,171], and 240/1992, of December 21 [RTC 1992,240], among many others), that respects the right definition and evaluation of the fundamental right at stake and of the labor obligations that may modulate it (SSTC 170/1987, of October 30 [RTC 1996,4], 106/1996, 186/1996, of November 25, and 1/1998, of January 12 [RTC 1998, 1] among many others). These limitations or modulations must be strictly necessary to satisfy one entrepreneurial interest that deserves protection, in such a way that, in the event that there are other possibilities to satisfy such interest that are less aggressive and disturbing of the particular right, these shall be applied and not the others, more aggressive and disturbing. At the end of the day, what we are dealing here with is the principle of proportionality."

[7] Constitutional Court Ruling 29/2013, February 11 of video-surveillance on the personal data protection that establishes that: "the Plenary Session of the Court has appointed as characteristic element of the constitutional definition of article 18.4 of the Spanish Constitution, of its essential core, the right of the person affected to be informed of who has his/her personal data and to what end."


Jaume Cabecerans Cabecerans is a partner at Roca Junyent Advocats, S.L.P. in the Barcelona office. Mr. Cabecerans can be contacted at j.cabecerans@rocajunyent.com; Juan Cuenca Márquez is a lawyer at Roca Junyent Advocats, S.L.P. in the Barcelona office. Mr. Cuenca Márquez can be contacted at j.cuenca@rocajunyent.com.

