The EU obliged the Member States to implement Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the Protection of Persons who Report Breaches of Union Law (Official Journal EU L 305 of 26.11.2019, p. 17 and EU Official Journal L 347 of 20.10.2020, p. 1, the "Directive") by December 17, 2021. In Poland the Directive is to be implemented in the Act on the Protection of Persons who Report Breaches of Law (the "Act "). So far, four versions of the draft have been published on the website of the Government Legislative Centre, including the last version of July 22, 2022, which was submitted for consideration to the Committee for European Affairs. The latest changes introduced to the draft are corrective and linguistic in nature, which might imply that it is going to be the final version. Therefore, it is worth getting acquainted with the planned regulations as we will soon need to implement them.

The general intention of the Act is to protect whistleblowers against retaliation, i.e., those who wish to make reports on breaches of law in a work-related context. The Act prohibits any forms or attempts of discrimination, mobbing, or unjustified or unfavorable treatment of whistleblowers. On the other hand, the Act provides for a number of protective measures to persons concerned, as well as ensures the implementation of institutional and organizational solutions related to reporting breaches of law.

From the entrepreneur's point of view, the most important regulations concern:

  • The obligation to establish an internal channel or designate a person within the organizational structure to receive reports of breach of law, or outsource this obligation to an external entity;
  • The obligation to establish an impartial, internal channel or designate an impartial person to follow-up on the reports, verify them and communicate with the whistleblower. These tasks may also be outsourced to an external entity authorized to receive notifications, provided that they guaranty impartiality;
  • The obligation to establish and implement an internal reporting procedure - through consultations with the company's trade union organization or - in the absence of such an organization - with representatives of the entrepreneur's employees, which obligation has been imposed on all entrepreneurs employing 50 or more people and all entities operating in the area of financial services, products and markets, and prevention of money laundering and terrorist financing, transport safety and protection of the environment that fall under Union acts listed in parts I.B and II of the Annex to Directive 2019/1937, regardless of the number of employees;
  • The minimum requirements set for the internal reporting procedure include:
  • the obligation to indicate an internal organizational unit or person within the organizational structure of the legal entity or a third party, authorized to receive the reports,
  • information on how the report is to be made, which includes the correspondence or e-mail address;
  • the obligation to indicate an impartial, internal organizational unit or a person within the organizational structure of the legal entity, authorized to take follow-up actions, including verification of the report and further communication with the whistleblower, including the requests for additional information and giving feedback to the whistleblower; this role may be performed by an internal organizational unit or a person referred to in point 1, if they ensure impartiality;
  • confirmation that the report has been received within 7 days, unless the whistleblower has not provided the contact address;
  • the obligation to diligently undertake follow-up activities by an impartial organizational unit or a third party (a person or an entity);
  • the deadline to give feedback to the whistleblower;
  • a system of incentives to encourage the employees to use the internal reporting procedure;
  • comprehensible and easily accessible information on external reports to the Ombudsman or public authorities and, where applicable, to the institutions, bodies, offices or agencies of the European Union.

Due to the obligation to implement the internal reporting procedures, each entrepreneur must undertake adequate technical measures allowing them to establish oral and written channels to be used by the individuals employed in the organization to inform about breaches of law.

As regards the oral channel, it could be a special hotline or another voice communication system, including a telephone line or a recordable or non-recordable system. Reports made via a recordable telephone line or another recordable system should, upon the whistleblower's consent, be documented in the form of a recording of a conversation or its complete and exact transcript. On the other hand, an oral report, made with the use of a non-recordable hotline or another non-recordable system should be documented in the form of minutes. The whistleblower is authorized to check, correct and approve the transcript or minutes by their signature.

The legislator has also provided for an obligation to organize a meeting in person within 14 days following the request to this effect provided that the whistleblower consents. If such a meeting is organized, such a report is recorded or minutes are drawn up from this meeting. In the latter situation, the whistleblower is also authorized to verify, correct and approve the minutes from the meeting by placing their signature.

As regards the written reports, these may be made in written and electronic form.

The legislator has not provided for the possibility to make reports anonymously. The Directive does not require it either. Nevertheless, it does not mean that anonymous reports are prohibited by the Act. The entrepreneur will have to decide on its own whether it is going to accept anonymous reports. There is only one case mentioned in the Act, namely when information on breach of law has been anonymously reported to the entrepreneur, and subsequently the identity of the whistleblower is revealed and they have been the subject of retaliation, which is when provisions on the prohibition against applying retaliation measures and allowing for means of protection of whistleblowers will apply, provided that the conditions specified in Art. 6 of the Act have been satisfied, i.e., if at the moment of making the report the whistleblower could have reasonably believed that the information reported or publicly disclosed is true and that the information constitutes information on breach of law.

One should bear in mind that the personal data of the whistleblower allowing to identify them must not be disclosed to unauthorized individuals, unless the reporting person expressly grants their consent to do so. This does not apply to situations in which disclosure is a necessary and proportionate obligation arising from provisions of law in the context of the explanatory or court procedures conducted by respectively public bodies or courts, also to guarantee protection to parties concerned.

Notwithstanding the above, the entrepreneur is obliged to guarantee that the internal reporting procedure and the underlying data processing protect the identity of the whistleblower, the party concerned and any third party referred to in the report. The confidentiality obligation concerns any information that may allow identification of such individuals, directly or indirectly. Only persons having written authorization of the entrepreneur are allowed to receive and verify reports, undertake follow-up activities, and process personal data of whistleblowers, the parties concerned and third parties referred to in the report. They must keep the personal data so received in confidence also upon the end of the employment relationship.

As I have already mentioned, an entrepreneur may outsource the tasks related to receiving the reports and the follow-up actions under an agreement which will oblige the outsourced entity to use technical and organizational solutions that will guarantee the compliance of the undertaken actions with the Act and will specify detailed rights and obligations related to the processing of personal data. Of importance,, the execution of such agreement does not release the entrepreneur from liability for performance of obligations related to the application of the internal reporting procedure, in particular as regards the confidence, giving feedback and undertaking follow-up activities. Moreover, this type of a service agreement must specify the rights and obligations of an external entity related to the processing of personal data, as referred to in particular in Article 28 sec. 3 of the EU Regulation 2016/679 (RODO).

The draft Act also stipulates that private individuals employing from 50 to 249 persons, may contractually outsource the HR and organizational tasks in the area of receiving and review of reports and performing the explanatory procedures, provided that the undertaken acts comply with the Act.

Irrespective of the foregoing, the Act obliges the entrepreneurs to maintain a register of internal reports. The entrepreneur may authorize an internal organizational unit or an individual within the company's structure to maintain this register or outsource it to an external entity. The specific data to be contained in this register have been set. The personal data and the other information contained in the register of internal reports should be kept for 15 months after the end of the calendar year in which the follow-up activities were completed or after the end of the procedures initiated by these actions.

The Act also enumerates specific actions that are classified as retaliation. However, please note that some of these actions, such as coercion, threatening or workplace bullying have been prohibited even before the Act was proposed. One should also remember that the burden of proving that the undertaken actions do not constitute a revenge is on the entrepreneur. The person undertaking revenge actions faces potential criminal liability. Pursuant to the Act, these are subject to a fine, limitation of freedom or imprisonment of up to 2 years. If the perpetrator uses more than 2 types of retaliatory actions, they shall be subject to imprisonment of up to 3 years. Criminal liability is also expected for individuals who hinder the submission of a report, also by using violence, threats or deceit, which is punishable by a fine, limitation of freedom or imprisonment of up to 2 years.

The assessment of whether the information reported is true and constitutes information on the breach of law is on the whistleblower. In other words, the Act guaranties the whistleblower protection against retaliatory actions provided that the reporting person could have reasonably believed that the information reported is true and proves that the law has been breached. If the whistleblower makes the report being aware that this information is untrue, she/he may be subject to criminal liability – a fine, limitation of freedom or imprisonment of up to 2 years.

Moreover, a person who has suffered damage due to an intentional report or public disclosure of untrue information is authorized to receive compensation from the whistleblower in the amount of at least one average monthly salary in the business sector valid as of the day of submission of the report or making a public disclosure (in October it was PLN 6687,20/approx. EUR 1450). An exception constitutes a situation in which a whistleblower had reasonable grounds to believe that the public disclosure was necessary to reveal that the law had been breached, as stipulated in the Act.

Under the transitional laws, an entrepreneur employing between 50 and 249 people is obliged to establish internal procedures by December 17, 2023. Those employing 250 employees and more and all entities falling under the Union acts listed in part I.B and II of Annex to Directive 2019/1937, i.e., such that are active in the financial services, products and markets, prevention of money laundering and terrorist financing, transport safety and protection of the environment have 2 months following the entry of the Act into force.

Failure to establish the internal reporting procedure or establishing such procedures that do not satisfy the minimum wording requirements are subject to a fine.

The Act in the current wording sets a 2-month vacatio legis. Therefore, it is worth to get ready to implement the new requirements now since their complexity may prove that 2 months will not be enough.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.