Whistleblower protection and reporting channels in Poland

There is currently no separate law on whistleblowing. The government is still working on a bill implementing the EU law on whistleblowing. Its final wording and implementation date are not yet known.

Currently, private entities are not obliged to establish a whistleblowing system except in some sectors where the law requires that companies establish an internal whistleblowing system (e.g. the financial sector). This is expected to change soon with passage of the new law on whistleblowing.

There are currently no sanctions or legal risks for an entity lacking a whistleblowing system due to an absence of relevant legal provisions. This is expected to change soon with the new law on whistleblowing.

Polish labour law does not impose mandatory requirements for establishing a whistleblowing system. The system for whistleblowing is not regulated by law, except for some sectors like the financial sector where the law requires that company internal regulations include provisions on the method of collecting reports, protection of a whistleblower’s confidentiality and follow-up actions. These provisions are expected to change soon with the new law on whistleblowing.

Currently, there is no explicit obligation to involve trade unions when introducing an internal whistleblowing system, although this may change with the new law on whistleblowing.

This is currently unregulated, and each situation needs to be assessed on a case-by-case basis. For example, the Polish Criminal Code imposes a reporting obligation for certain crimes such as terrorist financing and corruption. However, there may also be cases when the disclosure of irregularities/misconduct externally could be considered a breach of an employee’s statutory obligation not to act against the legitimate interests of their employer for which the employer could take appropriate disciplinary action.

Once the new whistleblowing law is adopted and becomes effective, employees who report irregularities/misconduct in line with the whistleblowing law will be protected against disciplinary action and other retaliation.

No, there is currently no explicit protection for whistleblowers except for some sectors such as the financial sector where whistleblowers are protected against retaliatory actions, discrimination and other forms of unfair treatment. This is expected to change soon with the new law on whistleblowing. Until the law is adopted, only general rules of Polish employment law on discrimination and termination of employment contracts apply.

No, there are currently no specific local requirements for the processing of data within whistleblowing procedures. Companies must only comply with the General Data Protection Regulation (GDPR) and the Polish Data Protection Act 2018. However, this is expected to change soon with the new Polish law on whistleblowing, which is currently being adopted.

In its current from, the new law is expected to regulate the processing of personal data within whistleblowing reporting channels, including guarantees of identifiability (and also confidentiality) of the whistleblower’s data, the disclosure of such data, the legal basis for processing, and rules on the deletion and retention of data collected in the reporting channel, as well as entrusting the processing of the whistleblower's reports to an external service provider.

For the time being, however, employers should comply with the GDPR rules, in particular processing data on a legitimate legal basis (as set out in Articles 6 and 9 of the GDPR), minimising the amount of data necessary for the specific report, and implementing data protection rules throughout the whistleblowing process (privacy by design and privacy by default).

In addition, adopting a reporting channel in the organisation triggers other obligations under the GDPR, such as to conduct a data protection impact assessment (Article 35 of the GDPR). This is particularly important as whistleblowing (regarding systems for reporting irregularities within organisations) is included on the list of processing operations subject to the data protection impact assessment requirement.

No. Since there is currently no separate local law on whistleblowing, a joint whistleblowing system is currently possible and not prohibited. However, according to the Whistleblowing Directive, entities in the private sector may cooperate to establish a joint whistleblowing system under certain circumstances.