Receiving and reviewing whistleblowing reports

At a glance

  • Who can report a violation of the law under an internal whistleblowing policy?
  • Who should have access to the internal whistleblowing policy?
  • What information should be provided to whistleblowers? Should they be informed that their report has been acknowledged, and that action has been taken?
  • Can companies within the same corporate group use the same solutions for handling internal whistleblowing reports?
  • If a corporate group uses the services of an external entity for receiving reports, does each company in the group have to sign an agreement with that entity?
  • Can an employer use the services of an external entity to receive and examine internal whistleblowing reports?
  • Does a legal entity have to give authorisation to every person who is responsible for handling a report?
  • What are the obligations of a legal entity regarding the registering of reports received? Who can be authorised to maintain the register of reports?

Who can report a violation of the law under an internal whistleblowing policy?

A violation can be reported by anyone who has obtained information about it in connection with their work. This applies in particular to:

  • People applying for employment in an employment relationship or other legal relationship for the provision of work, services or the performance of functions.
  • Current and former employees.
  • Temporary workers
  • People performing work on a basis other than an employment relationship, including based on civil law contracts.
  • Entrepreneurs, proxies, shareholders or partners.
  • Members of the governing bodies of legal entities.
  • People performing work under the supervision and management of a legal entity's contractors, subcontractors or suppliers.
  • Interns, volunteers and trainees acting on behalf of a legal entity.

Who should have access to the internal whistleblowing policy?

The internal whistleblowing policy should be made available to all employees, people working for the legal entity on a basis other than an employment relationship, as well as candidates for work, regardless of the planned form of relationship.

What information should be provided to whistleblowers? Should they be informed that their report has been acknowledged, and that action has been taken?

A whistleblower should be provided with confirmation of the receipt of their report within seven days of it being received, unless they have not provided a contact address to which the confirmation should be sent. In addition, within three months of confirming receipt of the report (or after the deadline for confirmation has expired), feedback must be provided to the whistleblower. This should include any follow-up actions planned or taken and the reasons for them. Feedback should be provided withing three month even if the investigation has not been completed within that timeframe.

Can companies within the same corporate group use the same solutions for handling internal whistleblowing reports?

Yes, provided that their actions comply with the requirements of the Act on the Protection of Whistleblowers. In practice, companies operating in multiple countries often introduce annexes to their global policies to adapt them to Polish law. It is also necessary to carry out an appropriate implementation process in each Polish entity, that takes account of the statutory consultation process.

In addition, the correct interpretation of the relevant legislative provision (as well as the interpretation provided by the labour ministry which is the body that authored the Act on the Protection of Whistleblowers) indicates that companies within a corporate group may jointly establish an internal whistleblowing policy and entrust one of their number with conducting investigations and fulfilling other obligations under the Act.

If a corporate group uses the services of an external entity for receiving reports, does each company in the group have to sign an agreement with that entity?

Yes. Under Polish law, authorising an external entity to handle internal whistleblowing reports requires a formal agreement that specifies the rules for receiving reports, confirming their receipt, providing feedback, and providing information on the internal whistleblowing policy. All these activities must comply with the Act on the Protection of Whistleblowers, that takes account of the relevant technical and organisational solutions. Each Polish company in a capital group that has implemented an internal whistleblowing policy and uses the services of an external entity should sign an agreement with that entity covering these issues.

Can an employer use the services of an external entity to receive and examine internal whistleblowing reports?

Yes, provided that an appropriate agreement is signed with the external entity authorising it to perform these functions. This issue should be addressed in the internal whistleblowing policy, which should specify the entities that are authorised to take these actions.

Does a legal entity have to give authorisation to every person who is responsible for handling a report?

Yes. Every person who is responsible for handling internal whistleblowing reports should have appropriate written authorisation from the legal entity. These people have a confidentiality obligation regarding the information and personal data obtained while verifying internal whistleblowing reports and taking follow-up action, even after the termination of their employment or other legal relationship under which they performed this work.

What are the obligations of a legal entity regarding the registering of reports received? Who can be authorised to maintain the register of reports?

The legal entity is required to maintain a register of internal whistleblowing reports. This register should contain the following information: the report number, the subject matter of the violation, the personal data of the whistleblower and the alleged perpetrator(s) of the violation, the contact address of the whistleblower, the date of the report, information on follow-up actions taken, and the date of closure of the case.

The register can be maintained by a person or organisational unit within the legal entity or by an external entity.