Written by 9:28 am European Union

Whistleblowers In Poland Gain Protection. – Whistleblowing

The EU obliged the Member States to implement Directive (EU)
2019/1937 of the European Parliament and of the Council of 23
October 2019 on the Protection of Persons who Report Breaches of
Union Law (Official Journal EU L 305 of 26.11.2019, p. 17 and EU
Official Journal L 347 of 20.10.2020, p. 1, the
“Directive”) by December 17, 2021. In Poland the
Directive is to be implemented in the Act on the Protection of
Persons who Report Breaches of Law (the “Act “). So far,
four versions of the draft have been published on the website of
the Government Legislative Centre, including the last version of
July 22, 2022, which was submitted for consideration to the
Committee for European Affairs. The latest changes introduced to
the draft are corrective and linguistic in nature, which might
imply that it is going to be the final version. Therefore, it is
worth getting acquainted with the planned regulations as we will
soon need to implement them.

The general intention of the Act is to protect whistleblowers
against retaliation, i.e., those who wish to make reports on
breaches of law in a work-related context. The Act prohibits any
forms or attempts of discrimination, mobbing, or unjustified or
unfavorable treatment of whistleblowers. On the other hand, the Act
provides for a number of protective measures to persons concerned,
as well as ensures the implementation of institutional and
organizational solutions related to reporting breaches of law.

From the entrepreneur’s point of view, the most important
regulations concern:

  • The obligation to establish an internal channel or designate a
    person within the organizational structure to receive reports of
    breach of law, or outsource this obligation to an external

  • The obligation to establish an impartial, internal channel or
    designate an impartial person to follow-up on the reports, verify
    them and communicate with the whistleblower. These tasks may also
    be outsourced to an external entity authorized to receive
    notifications, provided that they guaranty impartiality;

  • The obligation to establish and implement an internal reporting
    procedure – through consultations with the company’s trade
    union organization or – in the absence of such an organization -
    with representatives of the entrepreneur’s employees, which
    obligation has been imposed on all entrepreneurs employing 50 or
    more people and all entities operating in the area of financial
    services, products and markets, and prevention of money laundering
    and terrorist financing, transport safety and protection of the
    environment that fall under Union acts listed in parts I.B and II
    of the Annex to Directive 2019/1937, regardless of the number of

  • The minimum requirements set for the internal reporting
    procedure include:

  • the obligation to indicate an internal organizational unit or
    person within the organizational structure of the legal entity or a
    third party, authorized to receive the reports,

  • information on how the report is to be made, which includes the
    correspondence or e-mail address;

  • the obligation to indicate an impartial, internal
    organizational unit or a person within the organizational structure
    of the legal entity, authorized to take follow-up actions,
    including verification of the report and further communication with
    the whistleblower, including the requests for additional
    information and giving feedback to the whistleblower; this role may
    be performed by an internal organizational unit or a person
    referred to in point 1, if they ensure impartiality;

  • confirmation that the report has been received within 7 days,
    unless the whistleblower has not provided the contact address;

  • the obligation to diligently undertake follow-up activities by
    an impartial organizational unit or a third party (a person or an

  • the deadline to give feedback to the whistleblower;

  • a system of incentives to encourage the employees to use the
    internal reporting procedure;

  • comprehensible and easily accessible information on external
    reports to the Ombudsman or public authorities and, where
    applicable, to the institutions, bodies, offices or agencies of the
    European Union.

Due to the obligation to implement the internal reporting
procedures, each entrepreneur must undertake adequate technical
measures allowing them to establish oral and written channels to be
used by the individuals employed in the organization to inform
about breaches of law.

As regards the oral channel, it could be a special hotline or
another voice communication system, including a telephone line or a
recordable or non-recordable system. Reports made via a recordable
telephone line or another recordable system should, upon the
whistleblower’s consent, be documented in the form of a
recording of a conversation or its complete and exact transcript.
On the other hand, an oral report, made with the use of a
non-recordable hotline or another non-recordable system should be
documented in the form of minutes. The whistleblower is authorized
to check, correct and approve the transcript or minutes by their

The legislator has also provided for an obligation to organize a
meeting in person within 14 days following the request to this
effect provided that the whistleblower consents. If such a meeting
is organized, such a report is recorded or minutes are drawn up
from this meeting. In the latter situation, the whistleblower is
also authorized to verify, correct and approve the minutes from the
meeting by placing their signature.

As regards the written reports, these may be made in written and
electronic form.

The legislator has not provided for the possibility to make
reports anonymously. The Directive does not require it either.
Nevertheless, it does not mean that anonymous reports are
prohibited by the Act. The entrepreneur will have to decide on its
own whether it is going to accept anonymous reports. There is only
one case mentioned in the Act, namely when information on breach of
law has been anonymously reported to the entrepreneur, and
subsequently the identity of the whistleblower is revealed and they
have been the subject of retaliation, which is when provisions on
the prohibition against applying retaliation measures and allowing
for means of protection of whistleblowers will apply, provided that
the conditions specified in Art. 6 of the Act have been satisfied,
i.e., if at the moment of making the report the whistleblower could
have reasonably believed that the information reported or publicly
disclosed is true and that the information constitutes information
on breach of law.

One should bear in mind that the personal data of the
whistleblower allowing to identify them must not be disclosed to
unauthorized individuals, unless the reporting person expressly
grants their consent to do so. This does not apply to situations in
which disclosure is a necessary and proportionate obligation
arising from provisions of law in the context of the explanatory or
court procedures conducted by respectively public bodies or courts,
also to guarantee protection to parties concerned.

Notwithstanding the above, the entrepreneur is obliged to
guarantee that the internal reporting procedure and the underlying
data processing protect the identity of the whistleblower, the
party concerned and any third party referred to in the report. The
confidentiality obligation concerns any information that may allow
identification of such individuals, directly or indirectly. Only
persons having written authorization of the entrepreneur are
allowed to receive and verify reports, undertake follow-up
activities, and process personal data of whistleblowers, the
parties concerned and third parties referred to in the report. They
must keep the personal data so received in confidence also upon the
end of the employment relationship.

As I have already mentioned, an entrepreneur may outsource the
tasks related to receiving the reports and the follow-up actions
under an agreement which will oblige the outsourced entity to use
technical and organizational solutions that will guarantee the
compliance of the undertaken actions with the Act and will specify
detailed rights and obligations related to the processing of
personal data. Of importance,, the execution of such agreement does
not release the entrepreneur from liability for performance of
obligations related to the application of the internal reporting
procedure, in particular as regards the confidence, giving feedback
and undertaking follow-up activities. Moreover, this type of a
service agreement must specify the rights and obligations of an
external entity related to the processing of personal data, as
referred to in particular in Article 28 sec. 3 of the EU Regulation
2016/679 (RODO).

The draft Act also stipulates that private individuals employing
from 50 to 249 persons, may contractually outsource the HR and
organizational tasks in the area of receiving and review of reports
and performing the explanatory procedures, provided that the
undertaken acts comply with the Act.

Irrespective of the foregoing, the Act obliges the entrepreneurs
to maintain a register of internal reports. The entrepreneur may
authorize an internal organizational unit or an individual within
the company’s structure to maintain this register or outsource
it to an external entity. The specific data to be contained in this
register have been set. The personal data and the other information
contained in the register of internal reports should be kept for 15
months after the end of the calendar year in which the follow-up
activities were completed or after the end of the procedures
initiated by these actions.

The Act also enumerates specific actions that are classified as
retaliation. However, please note that some of these actions, such
as coercion, threatening or workplace bullying have been prohibited
even before the Act was proposed. One should also remember that the
burden of proving that the undertaken actions do not constitute a
revenge is on the entrepreneur. The person undertaking revenge
actions faces potential criminal liability. Pursuant to the Act,
these are subject to a fine, limitation of freedom or imprisonment
of up to 2 years. If the perpetrator uses more than 2 types of
retaliatory actions, they shall be subject to imprisonment of up to
3 years. Criminal liability is also expected for individuals who
hinder the submission of a report, also by using violence, threats
or deceit, which is punishable by a fine, limitation of freedom or
imprisonment of up to 2 years.

The assessment of whether the information reported is true and
constitutes information on the breach of law is on the
whistleblower. In other words, the Act guaranties the whistleblower
protection against retaliatory actions provided that the reporting
person could have reasonably believed that the information reported
is true and proves that the law has been breached. If the
whistleblower makes the report being aware that this information is
untrue, she/he may be subject to criminal liability – a fine,
limitation of freedom or imprisonment of up to 2 years.

Moreover, a person who has suffered damage due to an intentional
report or public disclosure of untrue information is authorized to
receive compensation from the whistleblower in the amount of at
least one average monthly salary in the business sector valid as of
the day of submission of the report or making a public disclosure
(in October it was PLN 6687,20/approx. EUR 1450). An exception
constitutes a situation in which a whistleblower had reasonable
grounds to believe that the public disclosure was necessary to
reveal that the law had been breached, as stipulated in the

Under the transitional laws, an entrepreneur employing between
50 and 249 people is obliged to establish internal procedures by
December 17, 2023. Those employing 250 employees and more and all
entities falling under the Union acts listed in part I.B and II of
Annex to Directive 2019/1937, i.e., such that are active in the
financial services, products and markets, prevention of money
laundering and terrorist financing, transport safety and protection
of the environment have 2 months following the entry of the Act
into force.

Failure to establish the internal reporting procedure or
establishing such procedures that do not satisfy the minimum
wording requirements are subject to a fine.

The Act in the current wording sets a 2-month vacatio
. Therefore, it is worth to get ready to implement the
new requirements now since their complexity may prove that 2 months
will not be enough.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

Source link