Whistleblowers in an organisation – responsibilities and sanctions
A month has passed since the 25 September entry into force of the Polish Act on the Protection of Persons Who Report Breaches of Law, popularly known as whistleblowers (the “Whistleblower Protection Act”). This is an opportune time to take stock of the obligations involved and the potential consequences for organisations that have not yet implemented proper whistleblower protection procedures. Below, we answer key questions about the implementation of the requirements under the new regulation.
Who is obliged to implement whistleblower protection procedures?
The obligation to implement whistleblower protection procedures, including a system for receiving reports of potential irregularities, applies to certain groups of businesses:
1. Businesses employing more than 50 individuals
This requirement covers businesses that:
- engage individuals under an employment contract; and
- cooperate with people performing work on the basis of civil law contracts (e.g. mandate or B2B contracts), provided that the work is performed personally and these people do not employ others to perform the task.
2. Businesses employing at least one individual in specific sectors
This obligation applies to companies operating in specific high-risk areas, in particular:
- financial services, products and markets;
- anti-money laundering and countering the financing of terrorism;
- transport safety; and
- environmental protection.
Specifically, this obligation applies to:
- accounting firms;
- lending institutions; and
- real estate agents.
These regulations result from the implementation of the provisions of Directive 2019/1937, which aims to increase the protection of whistleblowers in the European Union.
What documents and procedures should be implemented?
The implementation of a whistleblower protection system requires the preparation of appropriate documents and procedures to ensure compliance. Here are the key elements:
- An internal procedure for reporting and follow-up
The main document is the bylaws that set out the rules for reporting violations of the law and how they should be followed up. This is an essential element of the whistleblower protection system, which must comply with the requirements of the Whistleblower Protection Act. - Authorisation of people responsible for receiving reports
Written authorisations should be prepared for anyone who will be responsible for receiving and following up on reports. - Information documentation
The employee is required to provide information on the procedure in place. To this end, a document with information on the reporting system should be developed and provided to employees, contractors and other interested parties, e.g. at the recruitment stage. - Agreements to operate an external platform for reporting
If a business uses an external entity or platform to accept notifications, a written agreement governing the terms of cooperation is required. The agreement should cover, at least, the acceptance of applications, the provision of feedback and ensuring compliance with the Personal Data Protection Act. - Personal data processing agreements
The business, as a controller of personal data, must enter into personal data processing agreements with entities handling reports. This is a requirement under current data protection legislation.
Is whistleblower protection at group level sufficient?
Although the protection of whistleblowers is regulated by an EU Directive, each Member State has implemented its provisions in its own way, adapting them to local needs. In Poland, whistleblower protection provisions set out obligations for the administration of personal data.
Under the Polish law, a business is obliged to introduce a local reporting channel in Poland, regardless of the existence of a group system operating in other EU countries. The Polish regulation assumes that a business operating on the Polish market is the controller of personal data and bears full responsibility for processing it.
In practice, this means that:
- a reporting channel operating at group level may be considered an additional tool.
- however, it cannot replace the local reporting channel, which must be implemented in accordance with Polish regulations.
Polish businesses should therefore adapt their procedures and reporting channels to national regulations, even if they belong to international structures, in order to avoid non-compliance and potential sanctions.
What does the consultation phase look like and how long does it last?
The consultation phase preceding the establishment of whistleblower protection regulations is mandatory and crucial for the proper implementation of internal procedures. The business is obliged to consult with trade union representatives or, if there are none, with designated employee representatives.
According to the Whistleblower Protection Act, the consultation phase should last between five and 10 days from the date of the draft regulations being presented. The business must comply with this deadline to avoid breaching the regulations and to ensure compliance with the requirements of the Whistleblower Protection Act.
When do the regulations enter into force?
An internal procedure in the form of bylaws comes into force seven days after it is communicated to employees and other individuals working with the trader.
In practice, the manner in which the rules and regulations are communicated should be consistent with the company’s normal methods of communication, e.g. by publication on the intranet, notice board or transmission of the document by email. It is important that the rules and regulations are made available not only to employees with an employment contract, but also to those cooperating under civil law contracts such as mandate or B2B.
What are the penalties for failing to implement the regulations?
The Whistleblower Protection Act provides for a fine of up to PLN 5,000 for failing to implement internal procedures in accordance with the regulations. This sanction applies to businesses that have not implemented whistleblower protection regulations within a certain timeframe, or have not complied with the formal requirements under the Whistleblower Protection Act.
What are the consequences of a whistleblower making a false report?
A whistleblower who knowingly makes a false report is subject to criminal sanctions. In the event that the report was made in bad faith, the legislation provides for:
- a fine,
- the restriction of liberty,
- imprisonment for up to two years.
These sanctions are intended to prevent abuse and protect against false accusations.
What will change from 25 December 2024?
Although most of the provisions of the Whistleblower Protection Act have been effective since 25 September 2024, the legislature decided to postpone the implementation of some regulations until 25 December 2024.
These changes include:
- External reporting channels for public institutions:
- The Ombudsman will have the main responsibility for receiving external reports.
- Public institutions will be required to implement mechanisms to receive such reports.
- Information obligation for businesses:
- Businesses will have to provide accessible and understandable information on how to report irregularities to the Ombudsman, public authorities or, where applicable, to the EU institutions.
- This information must be easily accessible to employees, contractors and other individuals who cooperate with the business.
More info:
This article is part of the Newsletter No. 4 | 2024.