As the last member state of the European Union, Poland has implemented the EU Directive on the protection of persons who report breaches of Union law. The Whistleblower Protection Act which was adopted on 14 June 2024 introduced a protection regime for persons who report breaches in several areas of law. It also put an obligation on employers with at least 50 employees to implement procedures to make internal reports. All provisions of the Act have come into effect and must be complied with.
 
Whistleblower – or who is this?
According to the legal definition, reconstructed from several provisions, it is a natural person who in good faith reports (internally or outside the organisation) or publicly discloses a suspected breach of law, which he or she became aware of in relation with his or her work.

Good faith of a whistleblower means that he or she has a justified suspicion that the information reported is true at the time of its reporting and that it concerns a breach of law in the areas listed in the act. The purpose of the whistleblowers action is irrelevant for the assessment of good faith. The whistleblower does not have to act in socially justified interest or for the common good. However, a person who consciously reports or publicly reveals untrue information is not a whistleblower. Such a conduct is a crime punishable by imprisonment for up to 2 years.

Reporting and disclosures – or who can be informed about breaches of law?
A report can be made internally or externally. The former is sent “inside” the organisation in which the breach of law has occurred. Employers who employ at least 50 persons (as at 1 January or 1 July) are obliged to implement procedures for making such reports. The procedures must indicate who accepts the reports, through what channels they can be submitted, and who will investigate them and in what manner. The provisions of the Act on internal reporting came into effect on 25 September 2024.

The regulations concerning making external reports came into effect on 25 December 2024. Whistleblowers may submit them to public authorities which have competences to take follow-up steps in a given matter. For example, if you want to report a breach of consumer rights you can do it before the President of the Office of Competition and Consumer Protection or a district consumer advocate. Special powers (and obligations) are imposed by the law on the Ombudsman. If a whistleblower does not know which authority is competent to undertake the follow-up in a given matter, he or she can make a report to the Ombudsman. The Team for Whistleblowers working in the Office of the Ombudsman will determine the appropriate course of action and inform the whistleblower about it.

In special circumstances, a whistleblower may publicly disclose the information about the breach of law (e.g. on Facebook, other social media or generally speaking on the Internet). A person making such a disclosure will be protected, if he or she:

• has previously made an internal or external report and had not been informed about the follow-up,
• has justified reasons to believe that the public interest is directly at risk,
• has justified reasons to believe that in case of making an external report he or she will be exposed to retaliation or the effectiveness of such a report will be low.

The scope of the act – or what can be reported?
The Act lists several areas of law the breach of which can be the basis for a report that is subject to protection. The list mostly reflects the list in the Directive. Protected reports will include those which concern, among other things:

• corruption,
• public procurement,
• protection of the environment,
• consumer protection,
• protection of privacy and personal data,
• security of network and information systems.

Each entity can extend in their internal procedure the list of areas in which reports can be made. Such additional areas may include for example a breach of internal regulations in ethics and compliance. Persons reporting breaches of such internal regulations will be protected in the same way as “statutory” whistleblowers, in the scope provided for in internal procedures. Information about a breach of internal regulations cannot be however reported to public authorities as part of external protected reports or publicly disclosed.

Whistleblower protection – prohibition of retaliation
No retaliation action or measures can be used against whistleblowers. Such actions are any decisions or actions detrimental to his or her which result from reporting or disclosure which may do any harm or damage to the whistleblower (or a person close to the whistleblower or connected with him or her). The Act lists prohibited actions which can be taken against the whistleblower who is an employee or a person engaged on the basis of other contract, as examples only. These include termination of employment, failure to enter into or renew a contract, reduction in wages or any unfavourable change in employment conditions, withholding of a promotion or training, any form of discrimination or unfair treatment.

Using retaliation (or even a threat of retaliation) is a crime punishable by imprisonment for up to 2 years. If the perpetrator is persistent, he or she is punishable by imprisonment for up to 3 years.

So called persistent procedures cannot be initiated against a whistleblower. Making a report or a public disclosure in good faith cannot be the basis for liability for infringement of personal rights or defamation, violation of business secrets, personal data protection or copyright. The prohibition concerns all types of procedures – disciplinary, civil, criminal, and administrative. If someone brings such claims against a whistleblower and fails to demonstrate that they are not entitled to the whistleblower status, the proceedings should be discontinued.

Confidentiality of whistleblower data and procedure
The most important measure of whistleblower protection is confidentiality of whistleblower data and information disclosed in follow-up procedures. The Act precisely determines the principles of access to such information. It can only be accessed by persons who have been authorised (in writing and by name) by the entity to accept the reports and undertake the follow-up.

The group of people dealing with the reports should be limited to a minimum. Information which allows for establishing the whistleblower’s identity should not be revealed to persons who are not involved in the process of accepting and verification of reports. The same principles apply to other people taking part in the follow-up – e.g. witnesses, persons connected to the whistleblower or helping him to make the report.

Confidentiality of data should not be confused with anonymity. The Act on Whistleblower Protection does not oblige the employer to accept anonymous reports. Such anonymous information about breaches of law can be however the basis for undertaking appropriate measures by the employer (e.g. initiating explanatory procedure). If anonymous whistleblower reveals his or her identity during such a procedure or if the whistleblower’s identity is revealed, he or she is entitled to statutory protection.

What is next for whistleblower protection?
The Ministry of Family, Labour and Social Policy which authored the draft law announces that two years after the Act coming into force its effectiveness will be reviewed. Errors are to be corrected and loopholes that become apparent in the course of applying the provisions of the Act are to be remedied. A number of such loopholes have already been spotted. The most important shortcomings of the Act are the lack of clear rules concerning capital groups and common internal procedures, the principles of entrusting acceptance of reports to external entities or the possibility of involving them in the follow-up. 
 

Find more in the PRO HR Year Book 2024.