First whistleblower report - what to do?
Being an employer involves many obligations. Most of these are about how you treat your staff. The moment someone decides to report irregularities inside your company can be the most stressful day of the year. In one conversation, you learn that something has gone wrong. You also find out that an employee has been carrying this knowledge long enough to feel hurt or scared. Before you do anything else, take a moment. Think carefully about the steps you must take next. The law leaves very little to chance now.
Key Takeaways
- Since 25 September 2024, Polish companies with 50 or more staff must run a written reporting process.
- The company must confirm a report within 7 days and give real feedback within 3 months.
- The person handling a report must be authorised in writing and have no stake in the case.
- The reporter's name stays secret, and the case file is kept for 3 years.
- Retaliation against a reporter is a crime, with fines up to 1,080,000 zloty and up to 3 years in prison.
How whistleblower laws have changed
The EU Directive 2019/1937 sets the European baseline for protecting whistleblowers. The deadline for member states was 17 December 2021. However, compliance was slow. In March 2025, the Court of Justice of the EU fined several countries for failing to follow the rules. These included Germany, Luxembourg, Czechia, Estonia, and Hungary. Every Member State now has legislation on the books, though the European Commission still flags gaps in protection.
Photo: Court of Justice of the European Union, Luxembourg. © Cédric Puisney (CC BY 2.0)
Poland was one of the last countries to join. The Ustawa o ochronie sygnalistów (Whistleblower Protection Act) took effect on 25 September 2024. Any organization with at least 50 people must have a written internal reporting process. This applies to both private and public entities. Some sectors, like financial services and transport safety, are covered regardless of their size. If your company has crossed the threshold and your process is still just a draft, you are already at risk.
A report does not arrive in a vacuum. It triggers a regulated process with strict deadlines. These deadlines start ticking the moment your channel receives the report. Treating this as a simple HR talk is now a legal mistake.
Who can receive the report
Reports may go to the owner, a board member, or HR. Larger firms may even have a dedicated contact for whistleblowers. Whoever it is, two things must be true. First, they need written authorisation from the company to handle reports. Second, they must be impartial. They cannot have a conflict of interest with the people mentioned in the report. For example, you shouldn't pick the line manager of the team being reported.
The international standard ISO 37002:2021 suggests three principles: Trust, Impartiality, and Protection. It also defines a four-stage process: receive, assess, address, and conclude. This helps you separate the intake of information from the investigation itself. One person can do both, but they are two different tasks.
The first 7 days
Once you register a report, you have 7 days to tell the reporter you received it. This isn't a verdict. It is a signal that the report is in the system and a human is handling it. Tell them who is in charge of the case and what happens next. Use plain language and avoid making promises about the outcome. A bad acknowledgement can sound like a rebuttal and cause more trouble.
The channel you use also matters. If someone reports in person or over the phone, you must create a written record. Let them verify it. Never answer an email report by using "reply-all." If you use secure reporting software, keep all messages there. Don't copy sensitive info into a company ticketing system that others can read.
The 3-month feedback window
Within 3 months of the acknowledgement, you must give the reporter substantive feedback. You need to explain what actions you plan to take or have already taken. The clock is on the company, not just the investigator. If the case is complex, tell the reporter why before the deadline runs out.
The first job of the receiver is to judge if the report is "in scope." The Polish act covers many areas. These include corruption, public procurement, money laundering, and product safety. It also covers environmental protection and privacy. Regular labour-law disputes between an employee and the firm are usually not included. You must look at the substance of the report, not just how angry the email sounds.
Sometimes reports are about personal grudges or old disputes. You should still investigate them carefully instead of dismissing them. Article 57 of the Polish act makes it a crime to knowingly report false information. This can lead to 2 years in prison. However, honest mistakes are still protected. Treating an awkward report as malicious is a fast way to face a retaliation claim.
Photo: Sejm of the Republic of Poland, Warsaw, where the Whistleblower Protection Act was adopted on 14 June 2024. © Sandra Cohen-Rose and Colin Rose (CC BY-SA 2.0)
Recordkeeping and confidentiality
Every report goes into a register of internal reports. This register tracks when you received it, what it is about, and what you did. You must keep this data safe. The reporter's identity must remain secret. Polish law requires you to keep these records for 3 years after you close the case.
The bar for confidentiality is very high. It is stricter than most old company policies. You may only disclose the reporter's name if it is strictly necessary and lawful. For example, a court may order it. Anyone who works on the case must sign a confidentiality agreement. The register is also subject to GDPR rules on data protection and access.
International companies should check their old templates. In September 2024, the US SEC fined seven firms over USD 3 million. Their employment contracts had language that discouraged whistleblowing. Another firm was fined USD 240,000 for confidentiality clauses that didn't allow for regulator reports. Old NDAs or severance deals can be seen as evidence that you are blocking reports. Reviewing these templates costs very little. Learning the hard way costs a lot.
Caring for the reporter
Receiving a report often means asking difficult questions. You must assess the evidence without blaming or flattering anyone. The way you ask matters. Use "trauma-informed" habits. Ask open questions and let the reporter use their own words. Give them some control over the timing. Let them bring a support person if they want. If you start by asking "are you sure you saw that?", you will get fewer reports in the future.
It must be safe for the reporter to keep working. Check in with them using the same channel they used to report. Confirm their job is safe and explain the next steps. Ask them how they are doing. Most reporters only go to a regulator if their own company goes silent.
When to get outside help
You cannot resolve every report in-house. Sometimes you need to talk to outside lawyers. This is important if the report involves crimes, large money losses, or board members. External investigators are helpful when you can't stay impartial inside the firm. ISO 37002 suggests using them if the management is too close to the conduct being reported.
The reporter also has the right to take the case further. In Poland, the main external channel is the Commissioner for Human Rights (RPO). Other public bodies can also help. Going to the press is only protected in very specific cases. Taking the report seriously usually keeps it in-house. Poor handling gives the reporter a reason to go public.
Photo: Office of the Polish Commissioner for Human Rights (RPO), Aleja Solidarności 77, Warsaw. © Adrian Grycuk (CC BY-SA 3.0 PL)
What it costs to get this wrong
The Polish act makes retaliation a crime. Obstructing a report or unmasking a reporter can lead to huge fines of up to PLN 1,080,000. It can also lead to 3 years in prison. Organizations that don't set up a proper process face other penalties. In a retaliation case, the employer must prove that their actions were not connected to the report. Reporters can also win compensation with no cap on damages.
The math is simple. A report handled well costs a few weeks of work. A report handled badly costs your reputation and attracts regulators. It often leads the reporter to go straight to the police or the press.
The honest version of the takeaway
Receiving a first report is stressful, but it doesn't have to be chaotic. The legal rules are now very detailed. The basics are simple: acknowledge the report within 7 days and give feedback within 3 months. Write everything down and treat the reporter with respect. These are the same habits good investigators have always used. Now that the law has caught up, you just need to follow them.
Legal advisor specializing in business, commercial and IP law. Writes on whistleblower legislation, the EU Directive, and implementing reporting procedures.