On June 24, 2024, the Act on the Protection of Whistleblowers (the "Whistleblowers Act") was published in the Journal of Laws, which means that most of its provisions will come into force on September 25, 2024.
The following is a summary of the new provisions introduced into the Polish legal system by the Act, which are the most relevant from the point of view of employers.
Definition of whistleblower
Following the model of the implemented Directive 2019/1937 of the European Parliament and of the EU Council of 23 October 2019 on the protection of whistleblowers under the EU law (the "Directive"), the legislator does not differentiate between the forms of work provided or the nature of the legal relationship between the whistleblower and the legal entity where the irregularity occurred, if the whistleblower became aware of the irregularity in a broadly understood work-related context (provision of services, performance of functions).
Such a definition is not merely editorial and has important consequences in terms of the legal position of whistleblowers and their access to intra-organizational whistleblowing tools, as discussed in more detail below.
In addition, a whistleblower can also be an individual who becomes aware of irregularities in a work-related context before the employment (or other legal relationship) is established, as well as after the termination of this relationship, which means that the provisions of the Act should also be applied to both candidates for employment in a given legal entity and former (co-)employees of a legal entity.
Subject of whistleblower’s report
The whistleblowers Directive obliged Member States to include in their local laws implementing EU law certain areas of law and social life that may be affected by a whistleblower's report but left Member States free to expand this catalogue. The EU regulation listed ten such areas:
- public procurement;
- financial services, products and markets and the prevention of money laundering and terrorist financing;
- product safety and compliance;
- transport security;
- environmental protection;
- radiological protection and nuclear safety;
- food and feed safety, animal health and welfare;
- public health;
- consumer protection;
- protection of privacy and personal data and security of networks and information systems.
The Polish legislator decided to expand this catalogue by four additional areas, which are:
- corruption;
- financial interests of the State Treasury of the Republic of Poland, the local government unit and the European Union;
- the internal market of the European Union, including public law rules on competition and state aid and corporate taxation;
- constitutional freedoms and rights of man and citizen - occurring in the individual's relations with public authorities and unrelated to the other areas indicated.
Anonymous reports
The whistleblowers Directive left Member States the choice to extend protection to whistleblowers who anonymously report violations of the law. Successive drafts of the Whistleblowers Act have alternately allowed or disallowed this possibility, subjecting it to the decision of the individual entities implementing whistleblowing procedures.
In the final wording, the legislator decided to include anonymous reports under the regime of the Whistleblowers Act. This means that both legal entities and public bodies operating whistleblowing channels will be able to determine in their internal/external reporting procedures whether they choose to accept anonymous reports or whether they will leave them unprocessed. We note, however, that if the identity of a whistleblower who originally acted anonymously is subsequently disclosed, he or she should from that point on be treated on an equal footing with other whistleblowers at least in terms of protection against retaliation for having made a report and will be entitled to analogous claims for any harm suffered as a result of the report.
Prohibition of retaliation
The Whistleblowers Act described the prohibition of retaliatory actions against a whistleblower provided for by the Directive. The minimum requirements stemmed from the Directive, and the Polish legislator also extended this catalogue to include, for example, mobbing and discrimination. Moreover, employers can also extend this catalogue on their own, e.g. to harassment or sexual harassment. The final wording of the Whistleblowers Act describes, among other things, the prohibition of actions involving any kind of coercion, intimidation or exclusion, or the prohibition of causing 'other immaterial damage', including the violation of personal property, in particular the whistleblower's good name. Attempts or threats of such actions are also to be qualified as retaliatory actions. The Whistleblowers Act establishes that the burden of proof is on the employer to prove that the action taken against the whistleblower was not retaliatory.
The making of a report will not be allowed as a basis to:
- terminate, rescind or terminate without notice a contract to which the whistleblower is a party, in particular concerning the sale or supply of goods or the provision of services,
- impose an obligation or refuse to grant, restrict or withdraw an entitlement, in particular a concession, permit or abatement.
The Whistleblowers Act also introduces rules on civil liability in connection with possible retaliatory actions. Under it, a whistleblower will be able to claim compensation from an employer or the other party to a legal relationship for retaliatory actions in an amount not lower than the average monthly remuneration in the national economy in the previous year, announced for pension purposes in the Official Journal of Laws of the Republic of Poland "Monitor Polski" by the President of the Central Statistical Office, or be entitled to damages. On the other hand, if it is the whistleblower who knowingly reports untrue information - the victim of such an action will be able to claim compensation or damages for violation of personal rights from the whistleblower who made such a report or public disclosure.
Internal notifications
The obligation to implement an internal reporting procedure will apply to legal entities for which, as of 1 January or 1 July of a given year, at least 50 persons are performing paid work. However, this threshold does not apply to a legal entity performing activities in the fields of financial services, products and markets and anti-money laundering and countering the financing of terrorism, transport safety and environmental protection, in which case the legal entity is obliged to establish a procedure regardless of the number of persons who perform paid work for it.
The Whistleblowers Act sets a specific deadline for the consultation of the internal reporting procedure - it is to last between 5 and 10 days. In turn, the procedure itself enters into force 7 days after it has been made known to the persons performing the work in the manner adopted in the legal entity. The potential job applicant must be informed of the internal notification procedure with the commencement of recruitment or pre-contractual negotiations.
The procedure for internal notifications must mandatorily specify:
1. an internal organizational unit or a person within the organizational structure of the legal entity, or an external entity, authorized by the legal entity to receive internal notifications;
2. the means by which a whistleblower may transmit internal reports, together with his or her correspondence address or e-mail address, hereinafter referred to as the "contact address";
3. an impartial internal organizational unit or a person within the organizational structure of the legal entity with authority to take follow-up action, including the verification of the internal report and further communication with the whistleblower, including requesting additional information and providing feedback to the whistleblower; this function may be carried out by the internal organizational unit or person referred to in point 1 if they ensure impartiality;
4. the procedure for dealing with information on infringements reported anonymously;
5. an obligation to acknowledge to the whistleblower the receipt of an internal report within 7 days of receipt, unless the whistleblower has not provided a contact address to which the acknowledgement should be forwarded;
6. the obligation of the internal organizational unit or person referred to in point 3 to follow up with due diligence;
7. a maximum time limit for providing feedback to the whistleblower, not exceeding 3 months from the date of the acknowledgement of receipt of the internal report or, if the acknowledgement referred to in point 5 is not provided, 3 months from the expiry of 7 days from the date of the internal report, unless the whistleblower has not provided a contact address to which feedback should be provided;
8. comprehensible and easily accessible information on making external reports to the Ombudsman or to public authorities and, where appropriate, to European Union institutions, bodies or agencies.
In addition - optionally - the procedure may also specify other aspects and, in particular, the legislator allows:
- indicating violations outside the statutory catalogue of areas of law and social life that may be subject to notification, if the legal entity has provided for the possibility of reporting such violations;
- the identification of risk factors corresponding to the legal entity's business profile, which are conducive to the possibility of certain breaches of the law related in particular to the breach of regulatory or other obligations laid down by law or to the risk of corruption;
- indicating that information about an infringement can in any case also be reported to the Ombudsman or to a public body without an internal reporting procedure;
- setting out a system of incentives for the use of the internal reporting procedure where the infringement can be effectively remedied within the organizational structure of the legal entity and the whistleblower considers that there is no risk of retaliation.
According to the wording of the Act, the means of submitting internal reports must include, at a minimum, the possibility to make reports verbally or in writing.
The telephone call is subject to specific requirements according to which it is to be documented in the form of:
- a searchable recording of the conversation, or
- a complete and accurate transcript of the call prepared by the unit, person or entity responsible for receiving the call.
A report made verbally and over a non-recorded telephone line is to be documented using an accurate record of the call by the unit, person or entity responsible for receiving the call, reproducing the exact course of the call.
The submitter has the right to check, correct and approve both the interview transcript and the interview protocol by signing them.
Direct meetings (at the whistleblower's request) with the whistleblower's consent should be documented in the form of a recording or minutes.
Legal entities that are required to establish an internal notification procedure are also obliged to maintain an internal notification register. Such a register should include:
- report number;
- the subject of the infringement;
- the personal data of the whistleblower and the reported person necessary to identify them;
- whistleblower contact address;
- the date of report;
- information on follow-up actions taken;
- the date of completion of the case.
Personal data protection
The Whistleblowers Act regulates in detail the protection of personal data of the whistleblower. According to the wording of the legislation, personal data and other information allowing for the identification of the whistleblower will be subject to disclosure only if so indicated by the whistleblower. However, it should be emphasised that the necessity to keep the whistleblower's identity confidential will not be absolute.
The new rules provide for a derogation from the need to keep the whistleblower's identity confidential when such disclosure is a necessary and proportionate obligation under the law in connection with investigations carried out by public authorities or pre-trial or judicial proceedings carried out by the courts, including in order to guarantee the right of defence of the reported person. One argument in favour of such a solution is that the person against whom an allegation is made should also be protected. This is because there is a risk of stigmatisation of the person concerned in connection with the alleged acts.
It is worth noting that the disclosure of a whistleblower's identity is subject to a number of safeguards, in particular the need for written or electronic notification of the intended disclosure of the whistleblower's identity together with an explanation of the reasons for such a decision, unless such notification could jeopardise the related investigation or legal proceedings.
Regulation 2016/679 of the European Parliament and of the EU Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the "General Data Protection Regulation") ("RODO"), includes in its scope of application personal data covered by the Whistleblowers Act. Accordingly, a legal entity, Ombudsman or public authority processing data on the premise of Article 6 sec. 1(e) of the RODO will only process data to the extent necessary to achieve the purposes of the Act and personal data not relevant to the analysis of the notification should not be collected or, if collected, should be deleted within 14 days of determining that it is not relevant to the case.
The Whistleblowers Act provides for certain derogations from the information obligation regulated by the provisions of the RODO. As a general rule, the legislator does not provide for an obligation to inform the data subject of the source of the acquisition of his or her personal data, unless the notifier does not meet the conditions for being considered a whistleblower pursuant to Article 6 of the Whistleblowers Act (at the time of the report, he or she did not have reasonable grounds to believe that the information that was the subject of the notification or public disclosure was true at the time of the notification or public disclosure and that it constituted information about a violation of the law) or he or she expressly consented to such communication.
The new rules also introduce a statutory data retention period. Personal data processed in connection with the acceptance of a notification by the Ombudsman will be retained for a period of 12 months after the end of the calendar year in which the external report was transmitted to the public authority competent to take follow-up action.
Personal data processed in connection with the acceptance of a notification and follow-up and documents related to those notifications shall be retained by the legal entity and the public authority for a period of 3 years after the end of the calendar year in which the external notification has been transmitted to the public authority competent for follow-up or follow-up has been completed, or after the proceedings initiated by those proceedings have been terminated.
Criminal sanctions
The Whistleblowers Act provides for the following criminal penalties for each type of offence:
- preventing or obstructing the submission of a report by a whistleblower - punishable by a fine, restriction of liberty or imprisonment of up to one year;
- obstructing the reporting of a whistleblower by means of violence, unlawful threat or deception - punishable by a fine, restriction of liberty or imprisonment of up to 3 years;
- retaliation against the whistleblower, a person associated with the whistleblower or assisting the whistleblower - punishable by a fine, restriction of liberty or imprisonment of up to 2 years;
- persistent retaliation against protected persons - punishable by up to 3 years' imprisonment;
- breach of the duty to keep confidential the identity of the whistleblower, a person associated with the whistleblower or assisting the whistleblower - punishable by a fine, restriction of liberty or imprisonment of up to one year;
- intentionally making a false report - punishable by a fine, restriction of liberty or imprisonment for up to 2 years;
- failure to establish or establishment of an internal notification procedure with substantial violation of the requirements under the Act - punishable by a fine.
Effective date
As requested by representatives of the private and public sector giving their opinion on the draft legislation, the final version of the legislation extends the transition period during which these entities will have the opportunity to prepare the organization for the requirements of the Whistleblowers Act.
In the case of the obligation for legal entities for which at least 50 persons are performing paid work to adopt an internal procedure, as well as for legal entities carrying out activities in the fields of financial services, products and markets, anti-money laundering and countering the financing of terrorism, transport safety and environmental protection as listed in the Whistleblowers Directive - regardless of the scale of employment - these entities will have 3 months to implement appropriate solutions in accordance with the procedure provided for in the Act.
On the other hand, the Ombudsman and public bodies - regardless of the scale of employment - will have six months to implement the mandatory solutions introduced by the provisions of the Whistleblowers Act.
In view of the above, the legislation will come into force in two parts, i.e. from 25 September 2024, the majority of the provisions of the Act, including those concerning the obligations of legal entities, will come into force, and from 25 December 2024, the remaining provisions concerning the part relating to external notifications will come into force.
By Agnieszka Stefanowicz-Baranska, Agnieszka Wardak, and Aleksandra Minkowicz-Flanek, Partners, Dentons