A mid-sized Polish distribution company received an anonymous tip through its whistleblower channel in late 2024. The allegation: a procurement manager had been accepting payments from a preferred supplier over an 18-month period. The board had 72 hours to decide whether to act – and how.
Internal investigations in Poland are governed by a convergence of corporate law, the Whistleblower Protection Act of 2024, and AML obligations. A properly structured investigation must be independent, documented, and proportionate to the alleged misconduct. Failure to act promptly can expose the company to regulatory sanction and personal liability for board members who knew – or should have known – of the irregularity.
This case study traces the investigation from initial triage through evidence gathering and disciplinary outcome. It draws on an anonymised matter handled by our compliance team and identifies the methodology transferable to other Polish companies facing similar situations.
What was the background and initial risk assessment?
The company employed around 180 people and operated across three Polish regions. Its internal controls were typical for a business of that size – adequate on paper, but rarely tested. The whistleblower report named a specific manager, a specific supplier, and an approximate amount: payments exceeding PLN 200,000 in total. That figure triggered both internal disciplinary and potential criminal exposure under Polish penal law.
The board convened within 24 hours. Three immediate questions arose. First, had the company's own AML procedures been breached? Second, did the alleged conduct engage the company's ESG reporting obligations under CSRD Poland requirements? Third, could the company investigate internally without alerting the suspect prematurely?
Our team was engaged on day two. We advised the board to treat the matter as a formal internal investigation from the outset – not an informal inquiry. That distinction matters. An informal inquiry produces no structured record. A formal investigation, by contrast, creates a defensible audit trail if regulators or prosecutors later ask what the company did and when.
- Preserve all digital communications on the procurement manager's devices
- Freeze access to relevant supplier contracts without alerting the manager
- Identify internal witnesses likely to have relevant knowledge
- Appoint an independent investigation lead – not the direct line manager
How was the investigation strategy designed?
The strategy rested on three pillars: independence, proportionality, and speed. Independence meant the investigation lead reported directly to the supervisory board – not to the CEO, who had a prior working relationship with the suspect. Proportionality meant limiting the scope to the 18-month period identified in the tip, rather than conducting a company-wide forensic audit. Speed meant targeting a preliminary report within 21 days.
We structured the evidence-gathering phase into two parallel tracks. Track one covered documentary review: procurement records, supplier invoices, bank transfer confirmations, and email correspondence. Track two covered witness interviews. We interviewed seven employees over five days, using a structured question protocol designed to avoid leading the witnesses toward any particular conclusion.
One early decision proved significant. We advised against accessing the manager's personal mobile phone without a legal basis. Polish data protection law – administered by the Personal Data Protection Office (UODO) – imposes strict limits on employer access to personal devices. Overstepping those limits would have compromised the investigation's integrity and exposed the company to a separate UODO enforcement action. (This is a point many boards underestimate when they first instruct us.)
We also cross-referenced the findings with the company's existing compliance programme design to identify which control gaps had allowed the conduct to continue undetected for 18 months. That gap analysis fed directly into the remediation plan.
What did the process reveal – and what were the outcomes?
The documentary review confirmed payments to the supplier that were not supported by market-rate pricing. The supplier had charged a consistent 12–15% premium over comparable market rates across 34 purchase orders. Total overpayment was estimated at PLN 180,000 – slightly below the figure in the original tip, but still material.
Witness interviews revealed that two other employees had suspected irregularities but had not reported them. That finding was significant for two reasons. It indicated a cultural gap in whistleblower compliance. It also raised a question about whether those employees bore any secondary responsibility for failing to escalate. Our team advised that secondary responsibility was unlikely to be actionable in this case, but that the company should address the cultural issue through targeted training.
We secured a formal disciplinary outcome within 28 days of the initial instruction. The procurement manager's employment was terminated with cause under Polish labour law. The company also initiated a civil claim to recover the overpayment. Separately, our team prepared a board-level summary for disclosure to the company's auditors, given the potential impact on the prior-year financial statements – a step directly relevant to the company's ESG reporting obligations and to the ESRS implementation steps for Polish reporting entities.
We also assisted the board in notifying the National Court Register (KRS) of the change in authorised signatories, and in reviewing the company's corporate governance documentation with reference to its obligations under Polish corporate legislation – work that intersected with our broader corporate and M&A practice in Poland.
What lessons does this matter transfer to other Polish companies?
Four lessons emerge from this matter. They apply to any Polish company operating a whistleblower channel or subject to AML and CSRD Poland obligations.
- Treat every credible report as a formal investigation from day one – not an informal inquiry
- Appoint an investigation lead who reports outside the line management chain
- Respect data protection limits on personal devices from the outset – a compliance lawyer in Warsaw can advise on the boundary
- Run gap analysis alongside the investigation, not after – remediation is faster and more defensible
- Build the audit trail as though regulators will review it within 90 days
The 21-day preliminary report target is achievable in most mid-market matters. It requires a clear scope, disciplined evidence sequencing, and a team that understands both employment law and the AML framework. The General Inspector of Financial Information (GIIF) and the Financial Supervision Authority (KNF) both expect documented investigation protocols when reviewing whether a company met its statutory obligations. A well-run internal investigation is therefore both a risk-management tool and a regulatory defence.
One further point: the investigation itself generated data that fed into the company's subsequent ESG reporting cycle. Governance failures are now reportable under CSRD Poland where they are material. Companies that run investigations without documenting the remediation steps risk a gap in their ESG reporting narrative – a gap that external auditors will notice.
The specific situation your company faces will determine whether an internal investigation can be handled with existing resources or requires external counsel. That distinction is not always obvious at the outset, and misreading it early forfeits the ability to structure a defensible process before evidence degrades.
Frequently asked questions
Q: How long does a typical internal investigation take in a Polish mid-market company?
A: A well-scoped investigation in a company of 100–500 employees typically produces a preliminary report within 21 to 30 days. The full investigation, including disciplinary process and remediation plan, usually concludes within 60 to 90 days. Complexity increases significantly if the matter involves multiple jurisdictions or external counterparties subject to AML review.
Q: Is it a common misconception that Polish employers can access an employee's personal phone during an investigation?
A: Yes. Many boards assume that employment-related suspicion gives automatic access to personal devices. It does not. The Personal Data Protection Office (UODO) treats personal mobile phones as outside the employer's processing authority unless the employee has given explicit consent or a court order has been obtained. Accessing personal devices without a legal basis creates a separate regulatory exposure that can undermine the entire investigation.
Q: What does an internal investigation cost for a Polish company of moderate size?
A: Costs vary with scope and duration. A focused investigation covering one alleged actor over an 18-month period, as in the matter described above, typically involves between 40 and 80 hours of external legal time. Companies should also budget for forensic IT support if digital evidence is contested, and for employment law counsel to manage the disciplinary process in parallel. Early scoping reduces total cost significantly.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance, ESG, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.