19.05.2021 Protection of whistleblowers

How to prepare your business for implementation of whistleblower protection?

From 17 December 2021, employers with more than 250 employees will be required to adopt procedures protecting whistleblowers. From 17 December 2023, the same obligations will also be imposed on smaller entities. In order to properly fulfil those obligations and to avoid possible liability related to the activities of whistleblowers, it will be necessary to conduct a legal audit.

Which businesses need to implement whistleblower protection in 2021?

The obligation to implement the provisions on whistleblower protection by 17 December 2021 applies to:

  • public entities operating in the public procurement regime, in the environmental protection or transport safety sector
  • private entities with more than 250 employees

Private entities employing from 50 to 249 individuals will become subject to the new obligations from 17 December 2023. By these deadlines, businesses must establish channels and effective procedures for internal reporting and follow-up.

Protection of whistleblowers and legal audit

For employers, the implementation of Directive 2019/1937 will mean not only new obligations under the new regulations but also, less obviously, the need to audit the compliance of the entire business of an entity obliged to apply the new whistleblower protection procedures. By no later than 17 December 2021, businesses with over 250 employees will have to thoroughly review the processes and procedures in place, analyse risk and statutory obligations and, based on this analysis, make appropriate updates or take specific corrective actions.

The most common requirements, in addition to specific sectoral requirements, include:

  • AML Procedure
  • Personal Data Protection Policy
  • Safety / Quality Policy
  • Organizational / Functioning Regulations
  • Financial, Mid-term planning, current forecasts policy
  • Anti-corruption Policy
  • Anti-discrimination and anti-mobbing policies
  • Work, Remuneration and Bonus Regulations
  • Regulations of the Management Board, Supervisory Board and Supervisory Board Committees
  • Procedures resulting from properly implemented ISO standards.

Channels for reporting irregularities

From 17 December 2021, the following persons will be able to report breaches and irregularities in companies covered by the new regulations:

  • employees (including those just recruited or no longer employed),
  • associates (also as part of their business),
  • shareholders,
  • partners,
  • members of governing bodies,
  • volunteers,
  • trainees (also unremunerated),
  • employees of contractors, subcontractors and suppliers of the obligated undertaking.

The channel created by the firm must be independent and autonomous, so it should be designed and operated in a way that ensures the completeness, integrity and confidentiality of information. It must also be protected against unauthorized access.

Breach notification procedure

The firm will be obliged to inform the person notifying irregularities in due time about the acceptance of the notification, as well as about the method of handling it or about its further processing. In the event of a breach in the functioning of the company, the firm will be required to take follow-up actions, such as referring the case to the relevant state authorities or instituting disciplinary proceedings against the person responsible for the breach. An additional obligation will be to keep a record of notifications and store them for a specified period of time.

The list of those who must be given the possibility of reporting any detected irregularities is very wide and also includes external entities whose interests do not coincide with those of the obligated undertaking. Often, in disputes over non-performance or improper performance of a contract, or in the case of dismissed employees, those interests may conflict with those of the obligated undertaking. It can therefore be expected that these procedures will be used often, or even overused. The key will be to construct them in a way that prevents fraudulent use of these procedures, and to ensure internal compliance of activities and procedures with national and EU requirements.

Protection of whistleblowers – external reporting channels

In Directive 2019/1937, the lawmakers also imposed an obligation on Member States to establish external reporting channels and to follow up on notifications. To this end, Member States will be required to ensure that competent authorities establish autonomous and independent reporting channels designed to ensure the completeness, integrity and confidentiality of information and to prevent access to it by unauthorized staff members of the competent authority. The authorities will be bound to:

  • inform immediately about receiving the notification,
  • follow up on a notification,
  • provide feedback to the reporting person,
  • inform about the final results of the investigation.

In addition, Directive 2019/1937 ensures that any person will be able to make public information about a breach if:

  • the person first reported internally and externally, or directly externally, but no appropriate action was taken in response to the report within the set timeframe; or
  • the person has reasonable grounds to believe that the breach may constitute an imminent or manifest danger to the public interest, such as where there is an emergency situation or a risk of irreversible damage; or
  • the person has reasonable grounds to believe that in the case of external reporting, there is a risk of retaliation or there is a low prospect of the breach being effectively addressed, due to the particular circumstances of the case, such as those where evidence may be concealed or destroyed or where an authority may be in collusion with the perpetrator of the breach or involved in the breach.

In addition, Member States will be entitled to provide for other sanctions, including financial penalties, for failing to adequately protect whistleblowers, obstructing them from reporting or retaliating against them.

Regulations implementing the directive in Poland

In order to implement Directive 2019/1937, under Order No. 229 of the Prime Minister of 1 December 2020 (Polish Monitor of 2020, item 1112), the Minister of Development, Labour and Technology was appointed the “Designated Minister” for carrying out the relevant work at the governmental stage of the legislative process. On 10 December 2020, the Minister of Development, Labour and Technology issued Order No. 6 on the appointment of a team that will draft regulations implementing Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. Therefore, the Polish legislative body has only just started work on the draft act implementing Directive 2019/1937.

At the time of writing this article, it is impossible to predict whether the legislative body will implement Directive 2019/1937 on time. However, this does not mean that the directive will have no effect if it is not implemented. If a directive gives a citizen, be it a natural or a legal person, some rights with regard to the state, that citizen may exercise them against the state authority. This follows from the settled case law of the Court of Justice of the European Union (e.g. the case of Becker v. Finanzamt Münster Innenstadt, file no. 8/81). At the same time, as emphasized by the same Court, a member state that failed to implement an EU directive on time cannot invoke its unimplemented provisions in a dispute with a citizen (e.g. the judgment in the case of Kolpinghuis Nijmegen BV v. The Netherlands, ref. No. 80/86). Undoubtedly, this will mean direct application of Directive 2019/1937 in public sector entities, as well as the need to launch and operate an external channel for reporting breaches of law, and thus it will be possible to publicize a breach or an identified problem in a business entity, including a private entity. Therefore, it is worth considering adopting appropriate procedures in advance, regardless of legislative actions.


Paweł Góra
Legal Adviser
TGC Corporate Lawyers

How can we help?

TGC Corporate Lawyers offers support in implementation of an effective fraud reporting system in the organization, as well as in the field of corporate audits or drafting and tailoring the required procedures. We help clients that operate in capital groups, but also small and medium-sized enterprises, public companies, non-governmental and non-profit organizations.
