Polish whistleblower act: time to indroduce whistleblower protection is running out

Private sector companies will soon be covered by the so-called Whistleblower Act (the „Act”). Polish lawmakers are still working on the final wording of the Act, which according to the Whistleblower Directive ((EU) 2019/1937), should enter into force no later than December 17th, 2021. Although it is now obvious that this deadline will not be met, it is already worth considering how to adapt the functioning of companies to the upcoming changes and be prepared once the Act is finally in force

Deadlines for implementing the whistleblowing system

Each company with at least 50 employees will be required to adopt internal whistleblowing system for reporting violations of the law. Under the draft Act, companies with at least 250 employees will have to establish internal whistleblowing channels after a 14-day vacatio legis period and companies with between 50 and 249 employees will have time to do so until December 17th, 2023.

Companies will be obliged to involve employees in the process of establishing whistleblowing regulations, either through consultations with trade unions or (where there are no trade unions) with employees’ representatives. Consequently, creation and implementation of whistleblowing procedures and policies will have to be carried out with an active and documented participation of employees. Implementation of the internal whistleblowing system will also require that the employees be effectively familiarized with how this system works.

Scope of legal protection

A whistleblower can be any person who reasonably suspects a violation of the law in his/her professional environment and (in good faith) reports such violation. Protection will be granted to employees (also former employees), job candidates, persons providing services on a B2B basis, trainees, volunteers, shareholders, members of governing bodies, staff of subcontractors or suppliers. Protection will also be available to persons who assisted a whistleblower in making the report (such as the whistleblower’s relatives).

The scope of infringements that can be subject to whistleblowing will cover areas indicated by the Act, to include public procurement, product or transport safety, consumer and competition protection, personal data protection, IT safety, AML, and environmental protection. Individual cases will not be subject to’ protection under the Act; however, the draft Act allows for a broader catalogue of protected violations, which may include employment law, internal regulations or ethical standards applicable in a given company. 

Internal reporting regulations

Companies will be required to have internal reporting regulations setting out an internal procedure for reporting and following up on violations. The regulations will come into effect 2 weeks after they have been communicated to employees in a manner adopted by the company.

Reports can be made orally or in writing.  According to the draft Act, the identity of a person making an internal report will be protected as confidential, but not anonymous; however, a company will be able to decide to accept anonymous reports. Implementation and management of the reporting channel and handling on whistleblowers’ reports can also be outsourced (for example to a law firm).

Companies will be obliged to confirm the receipt of the whistleblower report within 7 days of its receipt and to provide a whistleblowers with a feedback no later than within 3 months from the acknowledgement of the report receipt.

The companies will be also required to maintain a register of internal notifications and the data will have to be stored for a period of 5 years from the report receipt.

External and public reporting channels

The draft Act does not provide for a priority of reporting through internal channels. It also offers two other methods of reporting:

  • external reporting – available through the relevant state authorities,
  • public disclosure – available through traditional or social media.

Therefore, it seems particularly important to introduce effective internal procedures that guarantee confidentiality so that employees are encouraged to use internal channels first and foremost. An early detection of existing violations of the law will enable a company (respectively its officers) potentially exposed to liability to take advantage of, for example, the voluntary disclosure, a criminal law institution that allows to avoid (or reduce) liability for committing a prohibited act.

In the case of a public disclosure, a whistleblower will be able to benefit from protection, provided that he/she first used internal or external reporting channels, but no timely action has been taken in response to such report. The above shall apply in case a whistleblower has reasonable grounds to believe that the violation may pose an immediate or obvious threat to a public interest or he/she can expect retaliation or the violation is unlikely to be effectively remedied.

Protection against retaliation

Whistleblowers will be protected against retaliation for reporting, in particular against disciplinary action, termination of employment or other legal relationship, change of employment conditions to less favorable ones, harassment or discrimination as a form or reprisal, civil suits for defamation, damages or infringement of personal rights.

In the case of retaliation or other unfavorable treatment, the whistleblower will be able to claim compensation in an amount not lower than the statutory minimum gross wage (in 2022 it will be PLN 3,010). The company will bear the burden of proof that the actions taken against the whistleblower were not in retaliation for the report made.

Criminal liability

The draft Act provides for criminal sanctions (a fine, restriction of liberty, imprisonment of up to 3 years) for failure to establish or properly establish internal reporting procedure, obstructing reporting, breaching the confidentiality of a whistleblower’s identity, taking retaliatory action against a whistleblower.

The draft Act does not specify who will be held liable for the above actions. Therefore, it should be assumed that it will be the top management and relevant employees, in accordance with the scope of their responsibilities (e.g. representatives of legal or HR departments). In this perspective, the proper division of responsibilities in the process of establishing the whistleblowing system seems to be all the more important.

It is worth mentioning that a person making a false report is also threatened with up to 3 years imprisonment.

Entry into force

The draft Act is currently in the public consultation stage. It provides that the regulations will come into force 14 days after the act is promulgated, potentially giving very little time to implement the relevant internal procedures. However, the employers employing up to 250 employees will not be obliged to establish internal whistleblowing channels until December 17th , 2023.


Privacy and cookies policy


The controller for personal data is LEGALIO Pietrzak Markowicz Lewandowska Lubaś sp. j. with its office registered in  Warsaw (00-342) at Topiel 23, and entered into the entrepreneurs’ register of the National Court Register held by the District Court for the Capital City of Warsaw in Warsaw, in the 13th Economic Division of the National Court Register, under KRS number 0000874696, tax identification number (NIP) 5272944924, and statistical number (REGON) 387767552 (“LEGALIO”).
LEGALIO processes personal data such as first and last names, e-mail addresses, phone numbers, and position names.
LEGALIO processes personal data on the terms specified in the provisions on protection of personal data, in particular those in the Regulation (EU) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), as well as in the Act of 10 May 2018 on protection of personal data. LEGALIO keeps personal data confidential and secures the data against unauthorised access by third parties pursuant to the above-mentioned regulations.


Scope and purposes of personal data processing
In the course of its activities, LEGALIO collects and processes personal data for the following purposes:  
  • those resulting from legitimate interests pursued by LEGALIO as the data controller, in particular for purposes related to the provision of services to clients, informing clients or prospective clients about changes in the law or the practice of its application, conducting other correspondence, and initiating and maintaining contact with clients, potential clients, counterparts, and other persons, as well as enabling the use of LEGALIO’s profiles on social media – based on art. 6 section 1 letter f of the GDPR;
  • negotiating, concluding, and performing agreements with clients or other persons, as well as taking steps at the request of the data subject prior to concluding an agreement – based on art. 6 section 1 letter b of the GDPR;
  • conducting recruitment processes and performing legal obligations related to employment – based on, respectively, art. 6 sec. 1 letter a, art. 6 sec. 1 letter c, and art. 6 sec. 1 letter f of GDPR;
  • fulfilling obligations imposed by the law – based on art. 6 section 1 letter c of GDPR.
Transfer of personal data to other entities
In connection with the activities performed by LEGALIO, personal data may be disclosed to external entities providing services necessary for those activities, in particular to providers of accounting, IT, marketing, and postal services, courier operators, etc. Personal data will not be transferred to a third country.
Period of personal data processing
The period of personal data processing depends on the purpose of processing. In the case of processing personal data based on LEGALIO’s legitimate interest, personal data will be processed for the period enabling the implementation of this legitimate interest.
If personal data is processed for the purpose of negotiating, concluding or performing an agreement, personal data will be processed for the period of negotiating and concluding the agreement and, where applicable, also performing the agreement for the time necessary to determine and/or pursue a claim or make a defence against claims, and thereafter, in cases and to the extent required by law.
Where processing of personal data is carried out for the performance of legal obligations, the period of data processing shall be determined by the nature of these obligations.
Personal data will be processed until an effective objection is raised in this regard, respectively until the consent for the processing of personal data is withdrawn, in cases where such consent constitutes the sole basis for personal data processing.
Personal data processed as part of the profession of attorney at law (in Polish: adwokat or radca prawny) will be stored for 10 years from the end of the year in which the proceedings in which the personal data was collected ended.
Rights of persons whose personal data is processed
Persons whose personal data is processed have the following rights:
  • the right to access personal data and information about its processing, in particular information about the purposes and legal basis of the processing, categories of personal data processed, scope of personal data processed and entities to which the personal data is disclosed;
  • the right to obtain a copy of the personal data being processed;
  • the right to rectification of personal data;
  • the right to erasure of personal data the processing of which is not necessary for the purposes for which the data was collected;
  • the right to restriction of the processing of personal data;
  • the right to portability of the personal data processed by automated means under an agreement or consent, which consists of the ability to request the furnishing of the personal data provided by a given person and providing it in a structured manner and commonly used format;
  • the right to object to the processing of personal data for marketing purposes;
  • the right to withdraw consent to the processing of personal data at any time when the processing of the personal data is based on such consent, which, however, does not affect the lawfulness of data processing prior to the withdrawal of the consent;
  • the right to lodge a complaint to the President of the Personal Data Protection Office regarding the processing of personal data.
Some or all of these rights may not be available to a person whose personal data is processed insofar as their exercise could lead to a breach of legal professional privilege.
No requirement to provide personal data
Providing personal data is voluntary. However, providing personal data may be indispensable to establish and maintain contact, conduct correspondence, conclude or perform a given agreement, or receive information on changes in law or the practice of its application.
No profiling of personal data
Personal data is not subject to profiling or other automated decision-making.
Rules regarding cookies
Cookies are IT data, in particular text files which are stored in the end device of a website user and are intended to use subpages of this website. Cookies usually contain the name of the website from which they come, the time of storage on the device and a unique number.

Cookies are used for:


  • adapting the content of the website to the user’s preferences and optimizing the use of websites; in particular, these files allow for recognition of the website user’s device and appropriate display of the website, tailored to the user’s individual needs;
  • creating statistics which help to understand how website users use websites, which allows to improve their structure and content;
  • maintaining a website user session (after logging in), thanks to which a user does not have to re-enter login and password on each subpage of the website.

Two main types of cookies are used on this website: session cookies and persistent cookies. Session cookies are temporary files that are stored in the user’s device until logging out, leaving the website or switching off the software (web browser). Persistent cookies are stored in the end user’s device for the time specified in the parameters of cookies or until they are deleted by the user.

The website uses or may use the following types of cookies:


  • necessary cookies to enable the use of services available on the website, e.g. authentication cookies used for services requiring authentication on the website;
  • cookies used to ensure safety, e.g. used to detect misuse of authentication on the website;
  • performance cookies, enabling the collection of information about the use of the website;
  • functional cookies which make it possible to remember the user’s selected settings and personalize the user’s interface, e.g. with regard to the selected language or the region the user comes from;
  • analytical cookies – e.g. Google Analytics, which collect information about site visits, such as subpages, time spent on the site or transition between individual subpages. Google LLC cookies related to Google Analytics are used for this purpose.

In many cases, web browsing software (internet browser) allows the storage of cookies by default on the user’s device. Website users can change their cookie settings at any time. These settings can be changed in particular in such a way as to block the automatic handling of cookies in the settings of the web browser or inform on their placement in the device of the website user each time. Detailed information about the possibility and the ways of using cookies is available in the software (web browser) settings.

Using the website means consent to placing cookies on the user’s device. Restrictions on the use of cookies may affect some of the functionality available on the website.


Our website uses cookies in order to provide best user experience. You can change cookies storage setting in your browser Read more...