Polish whistleblower protection law "Ustawa o ochronie sygnalistów"

The Whistleblower Protection Act of 14 June 2024 imposes specific obligations on Polish employers. Below we explain who it applies to, what you need to prepare, and what penalties you face for neglecting it.

Who does the Whistleblower Act apply to?

The Act applies to every entity with 50 people or more. What counts is the number of people performing gainful work, including in the public sector, for example in local government units. You check the threshold twice a year, as of 1 January and 1 July.

It is not only full-time posts that count. The 50-person threshold includes employees converted to full-time equivalents as well as people providing paid work on a basis other than an employment relationship, including contractors and B2B associates.

Some entities are excluded or always covered. The Act does not apply to municipal offices and units of communes with fewer than 10,000 inhabitants. On the other hand, companies in regulated sectors, for example the financial market, are covered by the rules regardless of headcount.

The basic obligations of an employer under the Act are:

• the obligation to provide protection to people reporting breaches of law against retaliatory actions;
• the obligation to develop and implement an internal reporting procedure;
• the obligation to keep a register of internal reports;
• the obligation to ensure the confidentiality of the whistleblower's data and the data contained in the report;
• the obligation to store report data for a set period;
• information obligations towards the whistleblower.

What does implementing the internal reporting procedure involve?

The procedure is an act of internal law at the employer. You develop and implement it under the regime set out in the Act, which entails an obligation to consult employees or the company trade union organisation.

The Act sets out the minimum, mandatory content of the misconduct reporting procedure:

• an indication of the unit or person designated to receive reports, handle them, consider them, and take follow-up actions;
• a description of the ways in which whistleblowers can submit reports;
• the procedure for handling information about breaches of law reported anonymously;
• the obligation to confirm receipt of the report to the reporting person within 7 days of receiving it;
• the obligation to take follow-up actions and the procedure for taking them;
• the maximum deadline for providing feedback to the reporting person, not exceeding 3 months from the confirmation of receipt of the report;
• defining a system of incentives to use the internal reporting procedure.

Download a free whistleblower procedure template

The procedure itself only describes how the organisation handles a report. Receiving and processing reports is a separate task, with its own requirements: secure data transmission, anonymisation, and access control. As a secure whistleblowing software, WeMoral is compliant with the Whistleblower Protection Act on every one of those points.

What breaches can a whistleblower report?

The Act lists a specific catalogue of areas. A report may concern an act or omission that is unlawful or aimed at circumventing the law, in matters relating to:

• corruption;
• public procurement;
• financial services, products, and markets;
• the prevention of money laundering and terrorist financing;
• product safety and compliance with requirements;
• transport safety;
• environmental protection;
• radiological protection and nuclear safety;
• food and feed safety;
• animal health and welfare;
• public health;
• consumer protection;
• the protection of privacy and personal data;
• the security of networks and ICT systems;
• the financial interests of the State Treasury of the Republic of Poland, local government units, and the European Union;
• the European Union's internal market, including public-law rules on competition and state aid and the taxation of legal persons;
• constitutional freedoms and human and civil rights arising in relations between an individual and public authorities.

This is not a closed catalogue. When implementing the procedure, you can extend it to include breaches of internal regulations, for example policies and rules, or ethical standards arising from internal codes of conduct for whistleblowers.

Who can be a whistleblower?

A whistleblower is not only a full-time employee. It is a person who reports or publicly discloses information about a breach of law obtained in a work-related context. We explain more in our piece on who a whistleblower is. Under the Act, this may be:

• a job applicant;
• an employee and a temporary worker;
• an intern and trainee;
• a contractor or another person on a civil-law contract;
• an entrepreneur, for example a contractor or a B2B associate;
• a partner, shareholder, or commercial proxy;
• a member of a governing body of a legal person.

The employer must enable each of these people to make a report, and all of them are protected under the Act.

How is a whistleblower protected?

The main aim of the Act is protection against retaliation. This means protecting the reporting person against actions taken against them in response to a report of a breach of law.

The scope of whistleblower protection

Protection begins from the moment of reporting. The final version of the Act dropped the earlier requirement of a breach of the public interest, so the protection is broader.

"A whistleblower is subject to the protection set out in the provisions of Chapter 2 from the moment of making a report or public disclosure, provided that they had reasonable grounds to believe that the information that is the subject of the report or public disclosure was true at the time of making the report or public disclosure and that it constitutes information about a breach of law."
Article 6 of the Act of 14 June 2024 on the protection of whistleblowers

A whistleblower can obtain official confirmation of protection. When making an external report, they can apply to a public authority for a certificate confirming that they are subject to protection under the Act. The authority issues it within 1 month and does not examine any additional conditions, which limits arbitrariness and encourages reporting.

What are retaliatory actions?

The Act gives examples, not a closed catalogue. These include termination of a contract, non-renewal of a contract, reduction of remuneration, withholding a promotion, an unfavourable change in working conditions, mobbing, discrimination, or an unjustified referral for medical examinations. The prohibition also covers the very attempt or threat of such actions.

The burden of proof lies with the employer. It is the employer who must demonstrate that a given decision had no connection with the report. The protection also covers people who assist with a report and people connected to the reporting person.

"The employer bears the burden of proving that the action taken ... is not a retaliatory action."
Article 12(3) of the Act of 14 June 2024 on the protection of whistleblowers

What are follow-up actions?

Retaliation is prohibited, but follow-up actions are mandatory. These are the steps an employer takes to assess the truthfulness of a report and counteract the breach: an investigation, a check, and, if needed, notifying the relevant authorities. You inform the whistleblower about the actions taken or planned within 3 months.

How can a whistleblower report a breach?

The Act provides three routes for reporting the same breach:

If it is difficult to identify the competent authority, any external report can be directed to the Commissioner for Human Rights, who acts as the central authority for receiving such reports.

What are the penalties for breaching the Act?

The Act uses criminal provisions. The most serious breaches carry a fine, restriction of liberty, or imprisonment.

The Act is already in force, and entities meeting the threshold should have a ready internal reporting procedure. The sooner you implement it, the lower the risk of penalties and disputes with employees.