The Whistleblower Protection Act of 14 June 2024 contains provisions to facilitate the introduction and application of internal reporting procedures in capital groups and to enable independent entities to merge into groups in order to jointly receive, verify and investigate reports of breaches of law. Although the introduced regulations open up new opportunities for joint management of the risk associated with breaches of law, the question arises to what extent these regulations can be used in practice.
It should be noted that Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law, which was implemented into the Polish legal system by the above Act, does not in principle refer to the possibility of establishing procedures in capital groups, except for a rather general mention in recital 55 to the Directive, where it is indicated that internal reporting procedures should also allow for the receipt of reports from the workers of subsidiaries and affiliates of the entity.
The Whistleblower Protection Act expands on this in Article 28(8) and explicitly introduces the possibility of establishing a common internal reporting procedure within a capital group, where such a group, in accordance with the provisions of the Act on Competition and Consumer Protection, means all the entrepreneurs controlled directly or indirectly by one entrepreneur, including that entrepreneur (Article 4(14) of the Act on Competition and Consumer Protection). The antitrust regulations treat a capital group as a single economic organism, which in matters concerning whistleblowers has the consequence, among other things, that the entities belonging to the group are not external to each other within the meaning of the Whistleblower Protection Act. Therefore, the establishment of a common procedure within a capital group is associated with the possibility of appointing a single entity to receive, handle and follow-up on reports, which may help to maintain uniformity in the treatment and resolution of cases of infringements within the group.
The Act introduces a condition for ensuring compliance of such activities with the Act, which may seem unnecessary (after all, every entity is obliged to act in accordance with the law), but this condition must be understood in such a way that each entity belonging to the group – despite the existence of a common procedure – will be individually held accountable for meeting such requirements and restrictions as maintaining confidentiality (in particular whistleblower data) and prohibiting retaliation against whistleblowers.
The matter becomes very complicated for international capital groups, which quite often already have and apply internal whistleblowing regulations, including established channels for reporting breaches of law. Due to the different regulations relating to whistleblowers in different countries (even within the European Union), it is generally not possible to establish a common reporting procedure when a foreign company forms part of the group, most often as an owner entity. Therefore, it is necessary to establish a separate procedure for the Polish part of the group. The fact that the procedure should be drawn up in Polish is a secondary obstacle and difficulty in this context.
The Directive treats the issue of joint receipt and handling of reports by private entities not related to each other in a slightly different wayif they employ from 50 to 249 workers. It seems that the introduction of such a possibility was guided by the idea of relieving such entities of the organizational and financial burden of protecting whistleblowers. Here, both the Directive and the Act contain a similar-sounding indication – that independent entities may, on the basis of an agreement, establish common rules for receiving and verifying reports and conducting an investigation.
As in the case of procedures in a capital group, the Act also contains a condition for ensuring compliance of the activities performed with the Act, which has been developed in Article 28(4) in such a way that the conclusion of an agreement which is to be the basis for cooperation between private entities does not exclude the individual liability of each of them for compliance with the obligations relating to internal reporting procedures, and so, among other things, to maintain confidentiality, provide feedback to the whistleblower and take follow-up actions.
It should be noted that it follows from the literal wording of Article 28(3) of the Act that this joining of forces may only concern the joint receipt and verification of reports and conducting an investigation. Therefore, it does not include follow-up actions, which is a key element of the system for receiving reports of breaches of law, from the point of view of the objectives of the Directive and the Act. This means that it is not possible to establish a common (as in capital groups) internal reporting procedure. Each entity should introduce its own procedure, while cooperation in the field of reporting (within the limits set by law) should be regulated in an appropriate agreement.
Importantly, unlike a capital group, in the case of cooperation between unrelated entities, each of such entities acts as a separate controller of personal data, which results directly from Article 28(6) of the Act and which means that any data processing activities by another entity would involve the need to meet the requirements of the GDPR, also with regard to sharing or entrusting the processing of personal data.
In the case of capital groups, when one considers the possibility of introducing a common internal reporting procedure and the homogeneity of the interests of group members and the possibility of ensuring uniform criteria for assessing breaches of law, including ethical principles, the answer seems positive. This is confirmed by the fact that in many capital groups there were already common procedures for reporting breaches before the new regulations came into force, which at most may need to be adapted to the requirements of the Whistleblower Protection Act.
The situation is slightly different in groups of private entities joining together to establish common rules for receiving and handling reports. It can be said that the possible benefits of such cooperation (in particular cost savings) will usually not outweigh the shortcomings and negative effects of such cooperation. Such a conclusion may result from the following circumstances:
Firstly, as indicated above, despite the conclusion of the agreement and the commencement of cooperation, each party to the agreement will still be held separately accountable for compliance with the Whistleblower Protection Act, and the cooperation must be limited to the areas indicated in the Act.
Secondly, it may be more difficult for different entities with different interests to maintain the confidentiality of data (not only the whistleblower’s personal data, but also the data covered by the report) and to establish appropriate communication channels that meet the statutory criteria, in particular the criterion of impartiality, and avoid the risk of misaddressing the report.
Thirdly, the sense of cooperation between unrelated entities in the field of reporting is questionable in the light of the declared objectives of the Directive and the Act, which are to ensure the possibility of introducing self-correction in a given organisation by detecting breaches or the risk of their occurrence at an early stage. In the case of cooperation between unrelated entities, these objectives may be more difficult to achieve due to the different – and it cannot be ruled out that also opposing – interests of the participants of such cooperation.
Incidentally, it should be pointed out that the conclusion of cooperation agreements in the field of reporting breaches of law, especially if between entities from the same industry, which seems to be natural, would have to take into account the risk of arousing interest in such an agreement on the part of the President of the Office of Competition and Consumer Protection – whether such agreement does not meet (even by exchanging information) the prerequisites for unlawful agreements restricting competition.
In general, therefore, the fact that private entities cooperate under Article 28(3) of the Whistleblower Protection Act does not necessarily mean that it is easier to receive and handle reports. It also does not have to lead to savings, given that independent determination and implementation of the internal reporting procedure is not so costly and is basically a one-off expense. Therefore, it is worth considering carefully whether connecting with other entities to receive and handle reports makes not only economic but also business sense.
Check our service: Protection of whistleblowers
ul. Hrubieszowska 2
01-209 Warszawa
Polska
+48 22 295 33 00
contact@tgc.eu
NIP: 525-22-71-480, KRS: 0000167447,
REGON: 01551820200000. Sąd Rejonowy dla
m.st. Warszawy, XII Wydział Gospodarczy