We still do not know the final wording of the Act on the Protection of Persons Reporting Violations of the Law (the so-called Whistleblower Protection Act), but given the approaching deadlines for fulfilling the obligations imposed on a significant group of private and public sector entities, work on designing an effective whistleblowing system in the organization should begin as soon as possible.

Which entities do the regulations apply to?

As indicated in one of the previous articles in the series ("Who is obligated to implement whistleblowing systems?", Graś i Wspólnicy, kglegal.pl), ultimately, whistleblower protection regulations will apply to entities in both the public and private sectors. However, in the case of private entities, the obligation to implement appropriate procedures and channels will apply only to companies employing at least 50 employees. In the case of the public sector, only municipalities with fewer than 10,000 residents may be exempt from the obligation to implement internal procedures for reporting violations of the law.

Legal entities operating in the financial sector and in industries subject to specific regulations in the field of counteracting money laundering and terrorism financing, transport safety and environmental protection were subject to the directive, regardless of whether they belong to the public or private sector and regardless of the number of employees.

Obligation to establish reporting channels

The Directive of the European Parliament and of the Council on the protection of persons reporting breaches of EU law requires that, among other things, obligated entities establish reporting channels. These channels should ensure that authorized persons can report information about breaches of law.

EU regulations have not specifically defined the types of reporting channels or the requirements associated with them. The latest draft of the Polish act of 6 April 2022 indicates that internal reporting may be done orally, on paper, or electronically. Therefore, the organization is required to establish at least one of these channels.

Oral submissions

Oral submissions are the most stringent type of channel in the current draft law.

The first group includes reports made by telephone or other voice communication systems. With the reporting party's consent, such a report must be documented in the form of a retrievable recording of the conversation or a complete and accurate transcript of the conversation. However, if an unrecorded telephone line or other unrecorded voice communication system is used, a transcript of the conversation must be prepared. In both cases, the reporting party must have the opportunity to review, correct, and approve the transcript by signing it.

The second group is in-person reporting. At the request of the reporting party, a report can be made through a face-to-face meeting organized within seven days of receiving the request. In such a case, with the reporting party's consent, the report is documented in the form of a retrievable recording of the conversation or a detailed transcript of the meeting. Here too, the reporting party must have the opportunity to review, correct, and approve the transcript by signing it.

Written and electronic submissions

Other types of reporting channels provided for by the legislature include written and electronic channels. No specific obligations or requirements are set for these channels.

In practice, the most common channels in these groups are reports sent by post, paper reports placed in a designated mailbox within the organization, a dedicated e-mail address, surveys available as part of popular office services, and special software (of which there is an increasing number on the market).

Which channels to choose?

It's important to remember that a thorough analysis should be performed each time a reporting channel or channels are selected. The primary goal is to protect the confidentiality of the whistleblower, the perpetrator, and other individuals who may be involved (e.g., witnesses).

Each channel generates different risks that may result in a breach of identity confidentiality. A few examples are provided below.

  • Written reports -> monitoring of the room where the report box is located.
  • Notifications by letter -> failure to mark the envelope with an appropriate annotation, resulting in unauthorized persons reading the correspondence.
  • E-mail reports -> hacking into the e-mail inbox/application (inadequate security, including lack of two-factor login) or lack of control over messages sent and received (possibility of deletion from the server).
  • Reports via the application -> lack of appropriate security measures (e.g. unencrypted channels), lack of appropriate accountability for actions taken in the program, or lack of access control.

Furthermore, the potential effectiveness of the whistleblowing system being established should be considered. The channels appropriate for a manufacturing company will differ from those appropriate for a consulting company. There may also be organizations where multiple reporting channels are appropriate, depending on the department, division, and staff.

Legal status as of June 15, 2022

This article is for informational purposes only and does not constitute legal advice.
