Persons protecting the rights of the Union against public and public organizations

In reference to the adoption at the EU level of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of union law (hereinafter the Directive), new obligations have been imposed on private and public organisations. They refer to the provision of internal procedures for reporting irregularities, which should be understood as behaviours breaching the provisions of law, internal regulations or ethical principles in force in the organisation and the ensuring of protection of the reporting individual (a whistle-blower).

Work is currently underway on the adoption of the Law on whistle-blowers’ protection, which will be the implementation of the EU Directive on whistle-blowers’ protection into Polish law.

The obligation to implement internal procedures for reporting irregularities applies to:

• legal entities in the public sector,

• all entrepreneurs from the sector of services, products and financial markets as well as bound by the regulations on counteracting money laundering and financing terrorism,

• entrepreneurs employing from 50 to 249 individuals (for these entities the need to implement obligations has been postponed until December 17, 2023),

• entrepreneurs with at least 250 employees,

• potentially also entrepreneurs employing less than 50 persons, if performed risk assessment indicates the need to do it, taking into account the nature of the entities’ activities and the resulting level of risk.

The most important obligations of the entities

The entities will be responsible, first of all, to establish internal channels and develop procedures for reporting irregularities, while:

• Reporting channels must ensure the confidentiality of the reporting individual and the person indicated in the report and they must ensure that unauthorised staff members do not have access to such data;

• An officer or an organisational unit should be designated to receive reports;

• The individual submitting the report should receive the confirmation of its acceptance within 7 days of its receipt;

• The maximum time limit for providing the whistle-blowerwith feedback cannot exceed 3 months from the confirmation of receipt of his/ her report;

• An impartial person or an impartial organisational unit competent to undertake follow-up activities should be appointed.

Secondly, it will be the responsibility of private and public entities to keep a register of all accepted reports.

Thirdly – it will be the obligation of private and public entities to provide whistle-blowers with protection against retaliation in the form of dismissal, suspension, demotion, forced unpaid leave, change of job, reduction of salary, change of working hours, suspension of training, negative performance assessment or job evaluation, application of a disciplinary measure, failure to convert a fixed-term employment contract into an employment contract for an indefinite period when the employee could have had reasonable expectations that he/ she would be offered permanent employment. The list of such activities is long and open-ended.


The Directive requires Member States to establish sanctions for:

• obstructing the submission of reports,

• taking retaliation against whistle-blowers,

• breach of the obligation to maintain the confidentiality of the whistle-blower’s identity,

• failure to establish an internal procedure.

The draft Act on the whistle-blowers’protection includes provisions specifying criminal sanctions. The lack of an internal procedure regulating the process of reporting breaches of the law and the follow-up measuresmay trigger the fine, the restriction of liberty or imprisonment of up to three years. The legislator provided for the same sanctions in the event of hindering the reporting of a violation of the law, the disclosure of the whistle-blower’s data or retaliation against the reporting person.

The Law Officeprovides services aimed at the implementation of the above-mentioned duties, including in particular:

• The accomplishment of a pre-audit in the form of a checklist;

• The development of the internal whistleblowing regulations, which will define in particular the internal procedure for reporting irregularities as well as the procedure for conducting an investigation and taking follow-up actions;

• The development of the irregularity reporting form;

• The development of information clauses in order to meet the information obligation resulting from the provisions of the GDPR in connection with reporting irregularities and conducting investigation proceedings;

• The development of a sample register of accepted reports;

• The on-going monitoring of changes in regulations and adaptation measures to new regulations.