1 July 2015 is the effective date of the amendment of Organic Law 10/1995, of 23 November, on the Criminal Code (in accordance with Final Provision Eight of Organic Law 1/2015, of 30 March). Among other changes (252 amended articles and 32 deleted), the amendments affect offences related to the Internet and to companies (SMEs included). Companies will bear criminal liability for offences committed on their behalf or on their account and for their benefit by their legal representatives and administrators, in fact or in law. They will also bear it for offences committed in the performance of their corporate activities, on the account and for the benefit of the legal entity, by persons who, being under the authority of those legal representatives or administrators in fact or in law, might commit the acts where due control has not been exercised in the specific circumstances of the case.
Although criminal liability of legal entities already existed under the 2010 amendment of the Criminal Code, the current amendment makes clearer the need for companies (including SMEs) to have crime prevention systems in order to be exempt from direct criminal liability. Such systems have to some extent been implemented through Compliance Officer or Corporate Compliance programs, especially by those companies “compelled” to regulatory compliance in regulated matters affecting them, such as money laundering, transparency and good governance of listed companies, or prevention of harassment in the workplace.
With that initial approach, and assuming that there are several offences that could be committed from within a company, we, the IT Law Department at Belzuz Abogados, focus this article on the advisability for companies of including the “Compliance Officer” or “Corporate Compliance” organisational and management models as a means of being exempt from liability, when the time comes, for digital crimes (committed through the Internet) and, especially, for unauthorised access to computer equipment or disclosure of sensitive data (Articles 197, 197 bis and 197 ter) and damage to computer systems (Articles 264, 264 bis and 264 ter).
Ultimately, companies must consider the advisability of including in their internal policies efficient systems for regulatory compliance and prevention of such offences (good governance programs).
The Criminal Code amendment provides for a set of liability exemptions, which are summed up as follows:
The management board has adopted and efficiently executed, before the offence, organisational and management models (Compliance Officer or Corporate Compliance) that include monitoring and control measures appropriate for preventing offences of the same nature or for significantly reducing the risk.
Monitoring of the performance of and compliance with the implemented prevention model has been entrusted to a body of the entity with autonomous powers of initiative and control, or to one that is legally entrusted with monitoring the effectiveness of the entity's internal controls.
The individual perpetrators have committed the offence by dishonestly evading the organisational and prevention models.
Neither an omission nor a poor exercise of the monitoring, surveillance and control functions by the aforementioned body has occurred.
In the case of small companies (those authorised to file an abridged profit and loss account), the surveillance functions may be taken on directly by the board of directors and, where relevant, the exemption will be granted if, before the offence is committed, an organisational and management model (Compliance Officer or Corporate Compliance) has been adopted and implemented that is useful for preventing offences of the same nature as those committed or for significantly reducing the risk of committing them.
Where the aforementioned circumstances can only be partially proven, this will be taken into account for the purposes of reducing the penalty.
The Criminal Code amendment also sets out the requirements that those organisational and management models should meet:
1. Identifying the activities in the course of which the offences to be prevented may be committed.
2. Establishing protocols or procedures that specify the process of corporate will formation, decision-making and implementation related to them.
3. Having management models for financial resources that are appropriate for preventing offences.
4. Imposing an obligation to report potential risks and breaches to the body responsible for monitoring the performance of and compliance with the prevention model.
5. Establishing a disciplinary system that appropriately sanctions breaches of the measures provided by the model.
6. Periodically checking the model, and amending it where needed, whenever there are relevant breaches of its provisions, or whenever changes in the organisation, the control structure or the activity performed make a check necessary.
As specialists in offences committed through the Internet, and taking into account the significant legal consequences that the amendment of the Criminal Code may have for companies on 1 July, our suggestion is to implement in Compliance Officer or Corporate Compliance systems every protocol that allows the risk of breaching the applicable law and of committing offences through the Internet (against privacy, damage to computer equipment, against intellectual property, etc.) to be considered and assessed, with the appropriate security measures, security plans, action protocols and cybercrime awareness policies in place.
Belzuz Abogados SLP
This publication contains general information and does not constitute professional opinion or legal advice. © Belzuz Abogados, S.L.P., all rights reserved. The exploitation, reproduction, distribution, public communication and transformation, in whole or in part, of this work is prohibited without the written authorisation of Belzuz Abogados, S.L.P.