Poland implements whistleblower protection law: key provisions and implications

Approximately 3 years following the mandated implementation date of Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of whistleblowers, which was to be incorporated into the Polish legal system by December 17, 2021, this legislative gap has now been addressed. On June 19, 2024, the President signed the whistleblower bill, which was passed on May 23, 2024. The legislation includes amendments from the Senate, notably excluding labour law from the range of potential notifications.

Employer considerations and scope of applicability

From the perspective of the employers, the most critical provisions of the law concern the scope of its applicability, including: the categories of individuals to whom the law applies, the types of violations covered by the law, the requirements for internal reporting procedures, and the penalties for violating the prohibition on retaliation.

1. The law extends protection to individuals who report or disclose information or reasonable suspicions of legal violations, working in either private or public sector, provided they have obtained such information in a work-related context. Whistleblowers will be afforded guarantees and remedies irrespective of the basis and form of their work or service (this includes, but is not limited to, employment contracts, civil law contracts, the operation of a business by an individual, management contracts, voluntary work, internships, apprenticeships, or military service).
2. Whistleblower protection will be significantly enhanced in potential legal proceedings, notably by reversing the burden of proof (according to a model comparable to that of the Labour Code in proceedings for violation of the principle of equal treatment in employment). Similar protections will be afforded to individuals performing work under legal relationships other than employment relationships (unless the nature of the work or service performed precludes such protections from being applied to the whistleblower).
3. The imposition of liability, including disciplinary liability or liability for damages, for violations of the rights of others or obligations under the law (such as defamation, infringement of personal rights, copyright, data protection laws, and the obligation to maintain confidentiality, including business secrets) will be precluded against the whistleblower.
4. The internal procedure for reporting violations and follow-up actions will be subject to consultation with company trade unions or, in the absence of such unions, with the employees representatives.
5. Minimum standards for the internal procedure include specifying the organizational units or individuals responsible for accepting reports, taking follow-up actions, and providing feedback. Additionally, the procedure must outline the methods for reporting and confirming receipt of reports, as well as the deadlines for the various activities to be undertaken.
6. The legal entity will be required to provide information about the internal reporting procedure during the enrolment process, regardless of the legal basis for the provision of work or services. This information must be provided at the beginning of enrolment or pre-contract negotiations.
7. The law expands the scope of “violations” to encompass a broader scope. Protection for whistleblowers will extend to all breaches of law within the corresponding domains of national law as listed in the Directive. These domains include public procurement, services, financial products and markets, prevention of money laundering and terrorists financing, product safety, transportation safety, environmental protection, radiological protection and nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, privacy and personal data protection, and security of information and communication networks and systems.
8. The statutory definition of a violation will not be restricted to incidents where the violation within a particular area of law is exclusively regulated by a specific provision of EU law.
9. Employers may accept anonymous reports. The law provides discretion regarding the permissibility of this reporting method, stipulating that guidelines for accepting such reports should be appropriately outlined in the internal procedure.
10. Actions such as preventing or significantly impeding a report (including qualified type through the use of violence, unlawful threats, or deception), retaliating against whistleblower (including qualified type involving persistent actions), and disclosing the identity of a whistleblower, a person assisting in making the report, or individuals associated with the whistleblower, will be subject to criminal penalties. Conversely, it constitutes a criminal offense for a whistleblower or discloser, to file a report or make a public disclosure knowing that no violation of the law has occurred. Furthermore, an offence for failure to establish an internal reporting procedure or for establishing such a procedure in violation of its requirements has been introduced to the law.

Criminal penalties and data handling

Entities receiving notifications must ensure that handling of data collected in connection with a notification adheres to the principle of data minimization. Accordingly, processing of personal data should be limited necessary actions for verifying the notification and conducting follow-up actions. Upon expiry of the retention period, collected personal data should be deleted, and documents related to the above shall be destroyed. The retention period has undergone multiple revisions during the legislative process, in relation to the latest version of the act, it spans 3 years following the end of the calendar year in which the external notification was submitted to the competent public authority for follow-up activities or when such activities were completed, or after the conclusion of proceedings initiated through these activities. An exception applies to personal data processed by the Ombudsman in relation to the acceptance of an external notification, where the retention period extends to 12 months after the end of the calendar year in which the notification was transmitted to the competent public body for follow-up actions.

Data retention and DPIA requirements

It should be emphasised that, as communicated by the President of the Office for Personal Data Protection (UODO), whistleblowing systems are classified among the types of personal data processing operations necessitating an assessment of the impact of processing on the protection of personal data. This classification encompasses processing activities that may pose a high risk to the rights and freedoms of individuals. Therefore, before commencing processing, a data controller must conduct DPIA ( Data Protection Impact Assessment) on the whistleblowing procedure, as stipulated by Article 35 of the RODO.

Implementation timeline

The law on whistleblowers will take effect 3 months from its promulgation. Given the requirement to consult on the internal procedure with trade unions or the employees representatives, employers should initiate implementation efforts promptly, and the more preventive ones should be completing them diligently.