Poland adopts new whistleblower protection law


Poland’s parliament recently passed the Whistleblower Protection Act, implementing EU Directive 2019/1937 concerning the protection of whistleblowers. The law implements the key provisions of the Directive such as the obligation of a the employers to implement an internal whistleblowing system and to provide feedback and protection to the whistleblowers. The Polish law also contains local differences, which companies should be aware of.

Who does the new law apply to?

The law applies to companies from financial sector, anti-money laundering (AML) obliged entities and all other companies employing 50 or more employees. People cooperating under non-labour law(e.g. B2B) contracts should also be included in the company headcount if the company does not employ personnel to perform this work.

What can be reported?

A whistleblower can report any infringements of law in the areas covered by the EU Directive 2019/1937, as well as local law regulating the same area (e.g. competition, environment law). In addition, the Polish Whistleblower Protection Act covers corruptionand violations of constitutional rights, but the latter only applies to public authorities. Labour law violations were eventually excluded from protection under the Act. Companies can also elect to allow reporting violations of internal regulations and ethical standards.

What should the Companies do?

Companies subject to the new law have three months after the law’s enactment to implement the new whistleblowing procedures by adopting the regulations or adapting existing procedures to comply with the new law. It will be necessary to meet certain Labour Law criteria when implementing the procedures. For example,  trade unions or staff representatives will need to be consulted before implementation, and these policies must be communicated to employees. The additional time needed to do this will have to be figured into a company’s implementation schedule.

Accepting reports and providing feedback to the whistleblower can be outsourced. All persons who process personal data as a result of a report must receive  written authorisation to do so.

What about Group whistleblowing policies?

The Whistleblower Act allows for companies from the same capital group to establish a common whistleblowing procedure, provided that the procedure meets the law’s requirements. This means that a procedure must apply to areas subject to the Polish Whistleblower Protection Act and must follow data retention rules. Procedures must also be communicated in the Polish language.

There is some controversy concerning the delegation of follow-up measures, particularly investigations and deciding on further actions based on the results of investigations. The legislative process, however, suggests that the government wanted to allow a relatively high degree of freedom in group whistleblowing channels.


The sanctions provided in the Act include criminal liability, such as imprisonment for impeding a whistleblower from making the report, retaliating against a whistleblower, and disclosing a whistleblower’s identity.  Moreover, the Act provides for the right of the whistleblower to claim damages (for material damage suffered but no less than average monthly salary in Poland) and compensation for non-material damage (i.e. pain and suffering). Failure to implement a procedure or improper implementation of an internal whistleblowing channel will be subject to fines as petty offences.

For more information on Poland’s new whistleblower law and how it could affect your Polish business, contact your CMS client partner or these CMS experts: Arkadiusz Korzeniewski, Mariusz Minkiewicz, and Maciej Kópczyński.