Defining the scope of activities.

Pursuant to the Whistleblower Protection Directive, breaches may be reported not only by all persons who perform their duties on the basis of an employment relationship, but also those who witnessed irregularities in the context of employment, regardless of the legal basis, a form of benefit and whether a given legal relationship is yet to be established, or has just ceased. Importantly, protection covers both the persons submitting the report, as well as those who help the person reporting irregularities and third parties related to the Whistleblower. Employers are responsible for taking appropriate actions, keeping records, and assigning new competencies to employees in the field of ticket management. The provisions of the directive and the Polish act also provide for the obligation of companies to create an internal channel for managing reports, which may be, for example, Whistleblower.

‍

Establish report procedures.

Violation of the provisions means omission and taking illegal actions or actions aimed at circumventing the law in the areas specified by the act. Tasks of entrepreneurs are:

• Diagnosing irregularities to take appropriate investigation actions.
• Assessment of the truthfulness of the report.
• Conducting a conversation with people directly related to the report.
• Making decisions on the next steps in managing the report.
• Deciding whether to conduct an internal investigation or refer the case to specific law enforcement or public authorities.

‍

Ensuring the protection of Whistleblowers against retaliation.

All persons who submitted a report are subject to the protection of the confidentiality of their identity. The third draft proposed a flexible approach concerning the possibility of implementing an anonymous internal and external reporting procedure. It is assumed that the provisions of the Act are applied to reporting information on violations anonymously only if they are provided for in the internal reporting regulations or the procedure for reporting violations of law to a public authority.

Retaliation cannot be taken against persons who report irregularities and are employed under a contract of employment. If there is a justified fear that such actions will occur, then the employer is to bear the burden of proof and prove that the actions taken by him are not retaliatory.

‍

Proceedings in the event of damage as a result of Whistleblower actions.  

Violation of the rights of other persons or obligations under the law may be the basis for the initiation of specific proceedings on general principles. Following the law, the reporting entity shall not be financially responsible for any damages resulting from the report or disclosure of a breach. Signaling situations that are inconsistent with the provisions may not result in civil law consequences, also if the consequence is the occurrence of damage.

‍

Compliance with the legal aspects of managing reports and GDPR.

Under the new act, the employer is to keep a register of internal reports and be the administrator of the data collected therein. The basis for an entry in the documentation is submitting internal reports by Whistleblowers. It is important that the processing, exchange, and transfer of personal data of persons is carried out in accordance with the provisions of the GDPR and the DODO Directive. Personal data needed to manage requests may be stored for no longer than 5 years from the date of their receipt.

To sum up, in connection with the entry into force of the provisions on the protection of Whistleblowers, employers have many new obligations. In order to meet the challenges and comply with the guidelines, they need an effective tool to protect the confidentiality of the identity of persons reporting irregularities, such as a Whistleblower.

‍