1. In the cases provided for in this Code, legal entities shall be criminally liable:
a) For offenses committed in their name or on their behalf, and for their direct or indirect benefit, by their legal representatives or by those who, acting individually or as members of a body of the legal entity, are authorized to make decisions on behalf of the legal entity or hold powers of organization and control within it.
b) For offenses committed, in the course of business activities and on their behalf and for their direct or indirect benefit, by those who, being subject to the authority of the natural persons mentioned in the preceding paragraph, were able to commit the acts due to a serious breach by the latter of their duties of supervision, monitoring, and control of their activity, taking into account the specific circumstances of the case.
2. If the offense is committed by the persons indicated in point (a) of the previous section, the legal entity shall be exempt from liability if the following conditions are met:
1. The administrative body has adopted and effectively implemented, before the commission of the offense, organizational and management models that include appropriate monitoring and control measures to prevent offenses of the same nature or to significantly reduce the risk of their commission;
2. The supervision of the operation and compliance of the implemented prevention model has been entrusted to a body of the legal entity with autonomous powers of initiative and control or that is legally entrusted with the function of supervising the effectiveness of the internal controls of the legal entity;
3. The individual perpetrators committed the crime by fraudulently circumventing the organizational and prevention models; and 4. There was no omission or insufficient exercise of supervisory, monitoring, and control functions by the body referred to in condition 2. In cases where the above circumstances can only be partially proven, this circumstance will be taken into account for the purposes of mitigating the penalty.
3. In small legal entities, the supervisory functions referred to in condition 2 of paragraph 2 may be assumed directly by the administrative body. For these purposes, small legal entities are those that, according to applicable legislation, are authorized to file abbreviated profit and loss accounts.
4. If the offense is committed by the persons indicated in point (b) of paragraph 1, the legal entity shall be exempt from liability if, before the commission of the offense, it has adopted and effectively implemented an organizational and management model that is suitable for preventing offenses of the nature of the one committed or for significantly reducing the risk of their commission. In this case, the mitigation provided for in the second paragraph of section 2 of this article shall also apply.
5. The organizational and management models referred to in condition 1 of paragraph 2 and the preceding paragraph must meet the following requirements:
1. They shall identify the activities within which the offenses to be prevented may be committed.
2. They shall establish the protocols or procedures that specify the process for forming the will of the legal entity, adopting decisions, and executing them in relation to those activities.
3. They shall have financial resource management models suitable for preventing the commission of the offenses to be prevented.
4. They will impose the obligation to report potential risks and non-compliance to the body responsible for monitoring the operation and compliance of the prevention model.
5. They will establish a disciplinary system that adequately sanctions non-compliance with the measures established by the model.
6. They will carry out a periodic review of the model and its possible modification when significant breaches of its provisions come to light, or when changes occur in the organization, the control structure, or the activities carried out that make such modifications necessary.