On July 4, 2022, the Ministry of Family and Social Policy published the third draft act on the protection of Whistleblowers in Poland. Currently, there is a high probability that the document will go to the Parliament, be approved, and enter into force at the turn of the third and fourth quarters of this year.
How is the new version of the project different from the previous ones?
Let us remind you that Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of Whistleblowers was to be implemented by all Member States of the European Union by December 17, 2021. Unfortunately, legislative work at government levels is still ongoing in most countries. Currently, the third version of the act on Whistleblowers has already appeared in Poland, which contains several more or less important proposals for changes. The 10 most important updates are presented below.
1) Changing the dates for the storage of personal data and documents related to the application. Regarding legal entities and public authorities, the period will be 15 months from the end of the calendar year in which the follow-up was completed. In the case of data held by the Ombudsman, this period is to be 12 months from the end of the calendar year in which the report was submitted to the relevant public authority. On the other hand, data that is not necessary when managing a given request should be deleted within 14 days.
2) Retaliation may not be taken against persons who report irregularities and are employed under a contract of employment. If there is a justified fear that such actions will occur, then the employer is to bear the burden of proof and proving that the actions taken by him are not retaliatory.
3) Obligation to register reports kept by legal entities, the Ombudsman, and public entities. They are to collect personal data of persons reporting violations, contact details, and personal data of the person whom the report concerns.
4) Change compared to previous projects regarding the creation and operation of an internal channel for reporting irregularities. Previously, it was 1 month, and the current draf tprovides for a deadline of 2 months from the date on which the act enters into force. Therefore, all companies covered by the provisions of the directive are obliged to implement an internal channel, they should immediately look for an effective, secure, and compliant reporting system, which may be, for example, a Whistleblower.
5) Persons whose task is to receive reports of employees of public authorities and the Ombudsman are to be selected based on professional qualifications, with an emphasis on expertise in the field of data protection law and practices.
6) Change the definition of a person related to the reporting person by deleting the term "witness".
7) Failure to resolve an external report is to be allowed if the breach mentioned therein was the subject of another report and the current report does not bring any new information to the case or the Ombudsman refrained from submitting it to the competent authority.
8) Clarifying the issue of penalties for failure to establish internal reporting procedures. The punishment will be based on the provisions of the Petty Offenses Code.
9) Addition of the term "local government administration bodies" to the definition of a public authority and deletion of the Chief Commander of the Fire Service.
10) Updating the rules on outsourcing the managing of external reports. Under this change, it is important to remember about concluding a cooperation agreement with the entity, as well as a data processing agreement. All personal data must be secured and removed after the end of the processing.
The new act assumes that it is to enter into force within 2 months from its publication in the Journal of Laws. All entities covered by the directive, i.e. those that employ at least 250 people, will be obliged to implement the provisions within the next two months. Therefore, it is worth providing your company with the best tool for managing Whistleblower reports now.