A mid-size logistics company in Mazowieckie discovers, three weeks before a scheduled audit, that its internal reporting channel fails every technical requirement under Poland's whistleblower legislation. The channel has no encryption, stores reporter identities in plain text, and lacks any acknowledgement mechanism. The audit proceeds. The company faces a fine and – more damaging – loses its eligibility for public procurement contracts for 12 months.
Poland's Ustawa o ochronie sygnalistów (Whistleblower Protection Act, WPA) imposes specific technical standards on internal reporting channels for organisations employing 50 or more workers. The channel must guarantee confidentiality of the reporter's identity, protect personal data under the General Data Protection Regulation (GDPR), and deliver a written acknowledgement within seven days of receipt. Non-compliance triggers fines of up to PLN 1.5 million and, for regulated entities, may constitute a breach of AML obligations enforced by the General Inspector of Financial Information (GIIF).
This alert covers three areas: what the technical requirements actually demand, which organisations are affected and when, and the immediate steps your compliance team must take before the next supervisory review.
What do the technical requirements actually demand?
The WPA does not prescribe a single software solution. It prescribes outcomes. The channel must achieve confidentiality, integrity, and traceability – three properties that map directly onto technical controls. Any system that cannot demonstrate all three will fail a review by the Państwowa Inspekcja Pracy (State Labour Inspectorate, PIP) or a sector regulator such as the Polish Financial Supervision Authority (KNF).
Confidentiality means the reporter's identity is inaccessible to anyone outside the designated compliance function, including the IT staff who administer the mail, file and database servers. End-to-end encryption, with keys held only by the compliance function, is the standard approach. Storing names or email addresses in a shared drive, even password-protected, does not satisfy this requirement: the password restricts ordinary users, not the administrators of the share. The system must also support anonymous reporting. The WPA does not require anonymity, but it prohibits technical designs that make anonymity impossible.
Integrity means the report cannot be altered after submission. Immutable audit logs, timestamped and hash-verified, satisfy this requirement, provided the log is append-only and its current hash is periodically anchored somewhere the channel's operators cannot rewrite; a hash chain held entirely inside the system proves only that the log is self-consistent, not that it was never regenerated. A simple email inbox does not. Traceability means the organisation can demonstrate, to a regulator, the full lifecycle of every report: receipt, acknowledgement, investigation status, and closure. The acknowledgement deadline is seven days from receipt. The follow-up communication deadline is three months from acknowledgement.
- End-to-end encryption for all report data in transit and at rest
- Anonymous submission pathway (technically enabled, not merely permitted)
- Immutable, timestamped audit log for every report event
- Automated or manual acknowledgement within seven days of receipt
- Separate access controls limiting visibility to the compliance function
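As an added illustration, not code from this alert or from KORDECKI & Partners, the Python sketch below shows what "immutable, timestamped, hash-verified" and "traceable" look like in practice: an append-only event log in which each entry's SHA-256 hash covers the previous entry's hash, a lifecycle check that derives the seven-day acknowledgement and three-month follow-up deadlines named above from the recorded timestamps, and two tampering scenarios. The report IDs, event names and timestamps are constructed sample data; the calendar-month arithmetic and the external anchoring of the chain head are design assumptions about how a practitioner would implement the requirement, not anything the Act prescribes. The log carries only event metadata, never the reporter's identity or the report content, which belong in the encrypted store.

```python
# Added example (not from the article): hash-chained, append-only audit log for
# whistleblower report events, with deadline derivation and tamper detection.
# Sample report IDs and timestamps are constructed for illustration.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

ACK_DEADLINE = timedelta(days=7)   # written acknowledgement: within 7 days of receipt
FOLLOWUP_MONTHS = 3                # follow-up communication: 3 months from acknowledgement
GENESIS = "0" * 64                 # prev_hash of the very first entry


def add_months(ts: datetime, months: int) -> datetime:
    """Calendar-month arithmetic (assumed interpretation), clamped to the month's last day."""
    idx = ts.month - 1 + months
    year, month = ts.year + idx // 12, idx % 12 + 1
    first_of_next = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=ts.tzinfo)
    last_day = (first_of_next - timedelta(days=1)).day
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def entry_hash(seq: int, report_id: str, event: str, ts: str, prev_hash: str) -> str:
    """SHA-256 over a canonical JSON encoding so that field order cannot change the hash."""
    fields = {"seq": seq, "report_id": report_id, "event": event, "ts": ts, "prev_hash": prev_hash}
    return hashlib.sha256(json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


@dataclass(frozen=True)
class Entry:
    seq: int
    report_id: str
    event: str        # "received", "acknowledged", "closed", ...
    ts: str           # ISO-8601, UTC
    prev_hash: str    # hash of the preceding entry (GENESIS for the first)
    hash: str         # hash of this entry's own fields, including prev_hash


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def head(self) -> str:
        """Current chain head: the value to anchor outside the system (e.g. external timestamping)."""
        return self.entries[-1].hash if self.entries else GENESIS

    def append(self, report_id: str, event: str, ts: datetime) -> Entry:
        seq, prev = len(self.entries), self.head()
        ts_s = ts.astimezone(timezone.utc).isoformat()
        e = Entry(seq, report_id, event, ts_s, prev, entry_hash(seq, report_id, event, ts_s, prev))
        self.entries.append(e)
        return e

    def verify(self) -> tuple[bool, int | None]:
        """Recompute every hash and link; returns (ok, index of the first inconsistent entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or \
               entry_hash(e.seq, e.report_id, e.event, e.ts, e.prev_hash) != e.hash:
                return False, i
            prev = e.hash
        return True, None

    def lifecycle(self, report_id: str) -> dict:
        """Receipt and acknowledgement timestamps plus the statutory deadlines derived from them."""
        when = {e.event: datetime.fromisoformat(e.ts) for e in self.entries if e.report_id == report_id}
        received, acked = when.get("received"), when.get("acknowledged")
        if received is None:
            raise KeyError(f"no 'received' event for {report_id}")
        ack_due = received + ACK_DEADLINE
        return {
            "ack_due": ack_due.isoformat(),
            "ack_on_time": acked is not None and acked <= ack_due,
            "followup_due": add_months(acked, FOLLOWUP_MONTHS).isoformat() if acked else None,
        }


def tamper(log: AuditLog, index: int, new_ts: datetime) -> None:
    """Simulate an insider editing a stored entry and recomputing that entry's own hash."""
    e = log.entries[index]
    ts_s = new_ts.astimezone(timezone.utc).isoformat()
    log.entries[index] = replace(e, ts=ts_s, hash=entry_hash(e.seq, e.report_id, e.event, ts_s, e.prev_hash))


def build_sample_log() -> tuple[AuditLog, datetime]:
    t0 = datetime(2025, 11, 3, 9, 15, tzinfo=timezone.utc)            # constructed sample data
    log = AuditLog()
    log.append("R-2025-0001", "received", t0)
    log.append("R-2025-0001", "acknowledged", t0 + timedelta(days=5))  # within 7 days
    log.append("R-2025-0002", "received", t0 + timedelta(days=1))
    log.append("R-2025-0002", "acknowledged", t0 + timedelta(days=9))  # 8 days after receipt: late
    return log, t0


def run_demo() -> dict:
    log, t0 = build_sample_log()
    anchored_head = log.head()               # value published/timestamped outside the system
    ok_before, _ = log.verify()
    r1, r2 = log.lifecycle("R-2025-0001"), log.lifecycle("R-2025-0002")

    # 1) Edit a mid-chain entry: the following entry's prev_hash no longer matches.
    tamper(log, 1, t0 + timedelta(days=1))
    _, bad_index = log.verify()

    # 2) Backdate the LAST entry on a fresh copy: the chain is internally consistent,
    #    and only comparison with the externally anchored head reveals the change.
    log2, _ = build_sample_log()
    tamper(log2, 3, t0 + timedelta(days=6))
    tail_ok, _ = log2.verify()
    return {
        "verify_before": ok_before, "r1": r1, "r2": r2,
        "midchain_detected_at": bad_index,
        "tail_verify": tail_ok,
        "tail_head_matches_anchor": log2.head() == anchored_head,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The second scenario is the one to take away: an operator who rewrites the tail of the log and recomputes the hashes produces a chain that verifies cleanly. The head returned by head() therefore has to be recorded somewhere the compliance function's own administrators cannot edit (a periodic external timestamp, a write-once store, or a printout countersigned by a second person) before the log can be shown to a regulator as evidence that nothing was altered after submission.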
We secured a remediation of a non-compliant channel for a financial services client in Mazowieckie (autumn 2025), replacing an email-based system with an encrypted platform within 14 days – ahead of a KNF supervisory visit that would otherwise have identified the deficiency.
Who is affected and when – and what happens if you miss the deadline?
The WPA applies in two waves based on headcount. Organisations with 250 or more workers were required to establish a compliant channel by 25 September 2024. Organisations with 50 to 249 workers face the same obligation, with the deadline set at 1 January 2025. Both deadlines have passed. If your channel is not yet compliant, you are already in breach.
The threshold is calculated on a per-entity basis, not group-wide. A Polish subsidiary of a multinational with 60 employees in Poland must maintain its own channel, even if the parent operates a group-level system. The group system may be used – but only if it meets every Polish technical requirement and the Polish entity retains documented control over its own reports. Many group systems offer no anonymous submission pathway; this is one of the deficiencies we most often find during assessments.
The consequences of non-compliance compound quickly. A fine of up to PLN 1.5 million is the headline figure. For entities subject to AML supervision – banks, payment institutions, investment firms, and real estate intermediaries – the GIIF may treat a deficient channel as a systemic compliance failure, triggering a separate enforcement track. Public procurement rules add a third layer: a finding of WPA non-compliance can disqualify a supplier for up to 12 months. That disqualification is not easily reversed once a contracting authority has recorded it.
For foreign investors, the interaction with compliance programme design for US subsidiaries in Poland is direct. A US parent that operates a Sarbanes-Oxley hotline will need to verify that the Polish entity's channel meets WPA standards independently – the SOX hotline alone does not satisfy Polish law.
What immediate action steps does your organisation need to take?
The window for voluntary remediation is narrow. PIP has signalled increased inspection activity in 2026, and sector regulators are embedding WPA compliance checks into routine supervisory cycles. Acting now, before an inspection is announced, preserves the ability to demonstrate good-faith remediation – a factor that regulators consider when calibrating fines.
Start with a technical gap assessment against the five controls listed above. The assessment should produce a written record. If an inspection occurs during remediation, that record demonstrates awareness and active response – both of which reduce enforcement risk. The assessment itself takes between three and ten working days depending on the complexity of your existing systems.
Employment law intersects here in a way that surprises many clients. The internal regulations governing the channel – who manages it, how conflicts of interest are handled, what happens when a report implicates a board member – must be embedded in a formal procedure document. That document requires consultation with employee representatives before it takes effect. For the procedural framework, see our analysis of employment law compliance for companies in Poland.
We assisted a manufacturing client in Silesia (winter 2025) in completing a full channel redesign – technical build, procedure document, and employee representative consultation – within 21 days, meeting a deadline imposed by a pending public tender requirement.
- Commission a written technical gap assessment within 10 working days
- Confirm anonymous submission pathway is technically enabled
- Verify acknowledgement and follow-up deadlines are met by system workflow
- Draft or update the internal procedure document and consult employee representatives
- Document the remediation timeline for use in any regulatory interaction
If your organisation has already addressed the technical layer but has not yet reviewed the procedural document, review our earlier analysis of whistleblower channel design – technical requirements for the full procedural framework.
Specific circumstances – particularly for regulated entities or those with group-level channel arrangements – require tailored assessment. A generic checklist will not identify every gap. To receive an expert assessment of your channel's compliance status, contact info@kordeckipartners.com.
Frequently asked questions
Q: Can a small Polish subsidiary use its parent company's group whistleblower hotline?
A: Yes, but only under specific conditions. The group system must meet every technical requirement of the Whistleblower Protection Act, including the anonymous submission pathway and the seven-day acknowledgement deadline. The Polish entity must retain documented control over reports submitted by its own workers. Many group systems – particularly those designed for US or UK regulatory purposes – do not satisfy the anonymous submission requirement and require technical modification before they can be used for Polish compliance.
Q: How long does it take to build a compliant channel from scratch?
A: A purpose-built encrypted platform can be configured and tested within 10 to 14 working days for most organisations. The technical build is rarely the longest step. Drafting the internal procedure document, obtaining employee representative consultation, and publishing the channel to staff typically adds another 10 to 15 working days. The full process – from gap assessment to live channel – runs between three and six weeks depending on organisational complexity and the availability of employee representatives for consultation.
Q: Is an email inbox or a shared mailbox sufficient as a reporting channel?
A: No. A shared mailbox or standard email inbox does not satisfy the confidentiality or integrity requirements of the Whistleblower Protection Act. Email systems do not provide end-to-end encryption by default (the TLS most providers apply protects only the hop between servers and leaves messages readable to mail administrators), do not generate immutable audit logs, and typically do not support anonymous submission. A dedicated encrypted platform – whether built in-house or procured as a software-as-a-service solution – is required. This is one of the most common misconceptions we encounter during gap assessments.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower programme design, and CSRD reporting obligations in Poland. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating AML obligations, compliance mandates, and ESG reporting frameworks. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.