On May 25 th 2023, a new draft law on the protection of persons reporting breaches in law – so-called “whistleblowers” – appeared on the website of the Polish Government Legislation Centre. Work on the implementation of the EU directive had been going on for a very long time, and as a result, in the latest draft, the legislator adopted much shorter deadlines for businesses to implement the new obligations. This means that employers should already start preparing to adopt the necessary procedures and internal documents.
The legal protection provided by the act relates to a reasonable suspicion of an actual or potential infringement of the law that has occurred or is likely to occur, or an attempt to conceal such an infringement of the law in entities where the whistleblower has either participated in recruitment or contract negotiations, or works (has worked), or otherwise maintains a work-related contact. The protection will apply to natural persons and entrepreneurs, reporting or publicly disclosing infringement information obtained in a work-related context (whether in an employment relationship or in civil law contracts). Importantly, protection will also be available to members of the body of a legal entity, shareholders, employee/co-worker candidates, interns and trainees. Acts or omissions which are unlawful or aimed at circumventing the law relating to the spheres of activity set out in the Act will constitute a breach of the law – these include, for example, public procurement, anti-money laundering and countering the financing of terrorism, product safety and compliance, consumer protection, privacy and personal data protection. In addition to the areas of potential violations listed in the Act, the legislator also allows the internal procedure for reporting violations to also cover those relating to the legal entity’s internal regulations or ethical standards.
Legal entities employing at least 50 persons are required to establish an internal whistleblowing procedure and take measures to assess the incoming information and take appropriate protective actions. It should be taken into account that the adoption of the internal reporting procedure may take place after a consultation of at least 7 days – respectively – with the company trade unions or employee representatives, on the draft procedure prepared by the legal entity. In addition, the accepted internal notification procedure will enter into force 14 days after it has been made known to those performing the work. These deadlines are crucial for the timely implementation of the procedure, in line with the date of entry into force of the obligation. Given the wide range of covered entities, the procedures should provide not only for the reporting of a breach during the entity’s interaction with an employee/co-worker, but also at the recruitment stage. The procedure will include setting out the details of how whistleblower’s reports will be received, analyzed and followed up by the entity. When establishing internal procedures, employers should also take into account the appropriate and compliant security of the processing of personal data of such individuals. The requirement for the entity to keep a register of internal reports received is also important.
The legal entity will be required to establish an internal whistleblowing and follow-up procedure even before the act comes into force. The provisions relating to this requirement enter into force on the day following the date of promulgation of the Act. We note that the failure to establish an internal whistleblowing procedure or its establishment in material breach of the requirements under the act constitutes an offence punishable by a fine, but the provision penalizing the failure to establish procedures will not enter into force until 2 months after the date of promulgation of the Act.
Author:
Natalia Dobecka
Attorney-at-law trainee