Whistleblower protection has stopped being a theoretical topic. The Polish act, which implements the EU directive, imposes a specific obligation on many companies: to set up an internal reporting channel and to protect people who report irregularities. For an SME owner or manager this means new procedures, new documentation and real responsibility for how the company responds to a signal of a breach. Below is a practical explanation of who this applies to and where to start.
Who a whistleblower is
A whistleblower is a person who, in a work-related context, reports information about a breach of the law. It is important that this is not only about employees on employment contracts. Protection covers a wide circle of people connected with the organisation:
- employees, including former employees and job applicants,
- contractors and people on B2B contracts,
- interns, trainees and volunteers,
- partners, shareholders and members of governing bodies,
- people cooperating with contractors and suppliers.
The point is that anyone who learns of an irregularity in a work-related context can report it without fear of retaliation.
Who the obligation applies to
The key criterion is the number of people performing work for the entity. The obligation to establish an internal reporting procedure applies to entities for which a defined number of people perform work, counted on a set day of the year. In practice, the threshold at which most companies must act is 50 people.
There are, however, exceptions. Some entities, for example in the financial sector or covered by anti-money-laundering rules, must implement the procedure regardless of the number of people employed. That is why counting positions alone is not enough, you also have to check the specifics of your sector.
From experience: companies just below the threshold often put the matter off, then cross it during the year with one larger contract and seasonal work. It is worth counting all people performing work, not only positions, because the threshold is easy to cross unnoticed.
What duties the act imposes
At the heart of the act is an internal reporting channel and a procedure that describes how the company handles it. The most important duties include:
- Establishing an internal reporting procedure and consulting it with the workforce or its representatives.
- Setting up at least one reporting channel that allows written, oral or both types of report.
- Ensuring the confidentiality of the identity of the whistleblower and of the people the report concerns.
- Appointing a person or unit responsible for receiving and verifying reports.
- Keeping a register of reports.
- A ban on retaliation against the whistleblower.
The reporting channel in practice
The channel must be secure and must genuinely protect the identity of the person reporting. It can be a dedicated mailbox, an online platform, a designated phone line or a face-to-face meeting at the whistleblower’s request. In practice, a digital solution with restricted access and full control of permissions works best, so that reports do not accidentally reach the people they may concern.
This is where a strong link with GDPR appears. Reports contain personal data, often sensitive, concerning specific people. You have to establish the basis for processing, retention periods and access rules. That is why the reporting channel is worth designing together with data protection, for example based on DPO outsourcing, so that from the start it is compliant with the rules rather than patched after the first report.
Deadlines to keep in mind
The act sets specific deadlines for handling a report, and these most often cause problems when there is no procedure. In practice you have to keep an eye on two key moments:
- Confirming receipt of the report to the whistleblower within 7 days of receiving it.
- Providing feedback on follow-up action within a reasonable time, no longer than 3 months from confirmation.
On top of this there are deadlines linked to implementing the procedure itself after crossing the threshold. If a company is only now noticing the obligation, there is no sense in delaying, because the absence of a procedure works against it straight away.
Consequences of non-compliance
The act provides for liability on several levels. Failure to establish an internal reporting procedure, obstructing a report and retaliation against a whistleblower carry sanctions, including financial penalties, and in more serious cases criminal liability of the responsible persons. A whistleblower who suffered retaliation can also pursue claims.
The real risk, however, is broader than the penalty itself. A badly handled report, a leak of the whistleblower’s identity or retaliation is a serious reputational and legal problem at once. A well-run channel works the other way round: it lets you detect an irregularity early and fix it inside the company before it grows.
How it fits with other obligations
Whistleblower protection does not stand apart from the rest of a company’s obligations. In organisations covered by new cybersecurity requirements, procedures for reporting irregularities and incidents often complement each other. If you are bringing compliance in order at the same time, for example with NIS2 compliance, it is worth planning both areas coherently so as not to multiply separate, conflicting procedures.
Summary
Whistleblower protection is an obligation that affects more and more companies, and disregarding it is risky legally and reputationally. A well-designed reporting channel, a clear procedure and full GDPR compliance turn this requirement into a real risk management tool, rather than another piece of paper for the drawer.
If you want to check whether your company is subject to the act and whether the reporting channel is secure, start with a diagnosis of the current state as part of a GDPR audit. On that basis we will help you launch a solution that genuinely protects both the whistleblower and the company, rather than just formally ticking off the obligation.