Update
We still do not know the final wording of the Act on the Protection of Persons Reporting Violations of the Law (the so-called Whistleblower Protection Act), but given the approaching deadlines for fulfilling the obligations imposed on a significant group of private and public sector entities, work on designing an effective whistleblowing system in the organization should begin as soon as possible.
Which entities do the regulations apply to?
Ultimately, the regulations on the protection of so-called whistleblowers will apply to entities from both the public and private sectors.
Internal regulations regarding whistleblowers must be implemented by:
- public entities and local government units employing over 50 employees
- private entities employing more than 250 employees, by December 17, 2021
- private entities employing between 50 and 250 employees, by December 17, 2023
Private entities employing fewer than 50 people may establish an internal reporting procedure.
Obligation to establish reporting channels
The Directive of the European Parliament and of the Council on the protection of persons reporting breaches of EU law requires that, among other things, obligated entities establish reporting channels. These channels should ensure that authorized persons can report information about breaches of law.
EU regulations do not specify the types of reporting channels or the requirements associated with them. The latest draft of the Polish act of 6 April 2022 indicates that internal reporting may be done orally, on paper, or electronically. Therefore, the organization is required to establish at least one of these channels.
Oral submissions
Oral submissions are the channel type subject to the most stringent requirements in the current draft law.
The first group includes reports made by telephone or other voice communication systems with the reporting party's consent, which must be documented in the form of a retrievable recording of the conversation or a complete and accurate transcript of the conversation. However, if an unrecorded telephone line or other unrecorded voice communication system is used, a transcript of the conversation must be prepared. In both cases, the reporting party must have the opportunity to review, correct, and approve the transcript by signing it.
The second group is in-person reporting. At the request of the reporting party, it can be made through a face-to-face meeting organized within seven days of receiving the request. In such a case, with the reporting party's consent, the report is documented in the form of a retrievable recording of the conversation or a detailed transcript of the meeting. In this case, the reporting party must have the opportunity to review, correct, and approve the transcript by signing it.
Written and electronic submissions
Other types of reporting channels provided for by the legislature include written and electronic channels. No specific obligations or requirements are set for these channels.
In practice, the most common channels from these groups are postal reports, paper reports to a designated mailbox within the organization, a dedicated e-mail address, surveys available as part of popular office services or special software (of which there is an increasing number on the market).
When designing procedures and selecting the reporting method, it's important to consider eliminating financial, reputational, and legal risks. It's also important to consider whether the channel allows for two-way, encrypted, and fully confidential communication with the whistleblower.
Which channels to choose?
It's important to remember that each time a reporting channel or channels are selected, a thorough analysis should be performed. The primary goal is to protect the confidentiality of the whistleblower, the perpetrator, and other individuals who may be involved (e.g., witnesses).
Each channel generates different risks that may result in a breach of identity confidentiality. A few examples are provided below.
- Written reports – monitoring of the room where the reporting box is located.
- Notifications by letter – failure to mark the envelope with an appropriate annotation, resulting in unauthorized persons reading the correspondence.
- Email reports – compromise of the email inbox/application (inadequate security, including lack of two-factor authentication) or lack of control over messages sent and received (possibility of deletion from the server).
- Reports via the application – lack of appropriate security measures (e.g. unencrypted channels), lack of appropriate accountability for actions performed in the program, or lack of access control.
Furthermore, the potential effectiveness of the whistleblowing system established should be considered. Different channels will be appropriate in a manufacturing company than in a consulting company. There may also be organizations where multiple reporting channels are appropriate, depending on the department, division, and staff.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of September 20, 2023
