Autonomy of corporate criminal liability in the criminal process

On April 11, 2025, the Supreme Court issued ruling 372/2025, with a presentation by Judge D. Manuel Marchena Gómez. In its legal basis 2.2, the resolution addresses in detail the criteria for convicting a legal entity, reaffirming that corporate criminal liability cannot be based on an automatic link resulting from the conduct of an individual, but rather requires proof of a specific act of the entity, such as the absence or ineffectiveness of crime prevention programs, in accordance with Article 31 bis of the Penal Code.

The ruling examines the conviction imposed on an individual for an aggravated fraud crime, in which the previous instances also convict the legal entity of which the individual is the administrator. It highlights a very important idea for the defense of the legal entity in Spain: it is not possible to automate the conviction of a legal entity based on the conviction of the physical person administering it due to their prior conduct. 

As is well known and is settled jurisprudence in our Supreme Court, in Spain, the criminal liability of a legal person cannot be obtained through a model of vicarious liability or hetero-responsibility. Far from being a derived responsibility, the criminal imputation to the legal person must be constructed based on its own action, evidenced by structural failures within its internal organization, control, and supervision systems. It is precisely the lack of effective prevention mechanisms that can facilitate the commission of crimes within the entity that underpins the criminal liability of the legal person. 

That is why it is particularly important that organizations have a representation and legal defense that is separate from the individual who administers or is being investigated for their possible participation in the events. In this regard, the ruling states:

“Collective entities only respond for their own acts and, for that reason, must have representation and defense that upholds the principle of contradiction. And this defense should not be assumed by the same professional who is responsible for safeguarding the interests of the individual - in this case Jenaro - whose behavior has precipitated the responsibility of the legal person.” 

This argument relates to STS 221/2016 which recalls what has already been stated in the well-known STS 154/2016 of February 29, known as the leap year ruling, regarding the obligation that the legal person has the same rights and procedural status as that enjoyed by the individual, obviously taking into account the different modulations needed. However, just like for the individual, in the case of the imputation of a legal person “the authorship trial of the legal person will require the prosecution to prove the commission of a criminal act by some of the individuals referred to in Article 31 bis of the CP, but the evidentiary challenge of the Public Prosecutor's Office cannot stop here. (…). It must also establish that this crime committed by the individual, which forms the basis of their individual responsibility, has become a reality due to the occurrence of a corporate crime, due to a structural defect in the prevention mechanisms required of every legal person, much more precisely, following the 2015 reform.”

Thus, one cannot make a presumption iuris tantum of an organizational defect when the connection fact, that is, the crime committed by the individual, is established. To impose sanctions on a legal person (such as fines, dissolution, suspension of activities, closure of premises, disqualification, or judicial intervention, according to Art. 33.7 of the Penal Code), the Prosecutor must establish liability with the same evidentiary rigor as in the case of an individual. 

There is no double evidentiary pathway: the culpability of the company is not presumed by that of the individual, but must be demonstrated autonomously. In this sense, if the proven facts do not mention the non-compliance with prevention plans —a key element for underpinning the criminal liability of the company—, the entity is acquitted, as is the case with the ruling being analyzed. 

It is worth noting that the attribution of criminal liability to legal persons doctrinally relies on two main schemes:

• Vicarious model: is based on liability for an external effect, which involves transferring the imputation from the individual who acts to the entity.
• Self-responsibility model or direct imputation: rests on the idea that the legal person is responsible for its own actions, being directly imputed the illegal act.

This second model is, in principle, more coherent with the foundation of corporate criminal liability, since the acts committed by administrators or representatives are attributed to the entity. However, this imputation requires as a prerequisite the commission of a criminal act by these organs. Furthermore, under this scheme, the prosecution must demonstrate that the company did not have an effective system of prevention and detection of crimes, that is, that a suitable internal control program was not designed, implemented, or updated. This interpretation has been consolidated by the jurisprudence of the Supreme Court in resolutions such as the Sentences 154/2016 of February 29; 221/2016 of March 16; 516/2016 of June 13; and 506/2018 of October 25, along with its clarifying order of November 12.

Conclusion:

From the above arguments, we can draw the following key conclusions about the autonomy of corporate criminal liability or liability of the legal person:  

1. Autonomous criminal liability of the legal person: Automatic responsibility for the crime of an individual is not accepted; a specific act of the entity must be proven, such as the absence or ineffectiveness of prevention programs (Art. 31 bis CP).
2. Need for structural proof: The Public Prosecutor must demonstrate not only the individual crime but also an organizational defect in the company's prevention mechanisms. Corporate culpability is not presumed.
3. Self-responsibility model: The jurisprudence of the Supreme Court rejects vicarious liability and demands direct imputation based on the lack of effective compliance systems.

Informative note prepared by Lucía Martínez-Arrieta Rebollo, Junior Associate of the Governance and Compliance area of ECIJA Madrid.