A Warsaw-based technology company with 60 employees receives its first anonymous report through a shared email inbox. The HR director reads it, forwards it to the CEO, and files a printed copy in a shared drive. Three weeks later, the employee who submitted the report is reassigned to a different team. This scenario – repeated across Poland – illustrates precisely what the whistleblower channel legislation was designed to prevent.

Polish law implementing the EU Whistleblowing Directive requires employers with 50 or more employees to operate a dedicated internal reporting channel that meets specific technical and procedural standards. The channel must guarantee confidentiality of the reporter's identity, secure storage of all submissions, and a structured acknowledgement and follow-up process. Employers that fail to implement a compliant channel face fines of up to PLN 40,000, with personal liability of managers who obstruct the process.

This guide walks through the technical requirements step by step. It covers the legal framework, the four design decisions every employer must make, the three most common implementation mistakes, and a practical checklist for in-house teams. Three business scenarios – manufacturing, IT services, and a foreign-owned subsidiary – illustrate how the rules apply in practice.

What does Polish whistleblower law actually require?

The ustawa o ochronie sygnalistów (Act on the Protection of Whistleblowers, APW) transposes the EU Whistleblowing Directive into Polish law. The Act applies to private-sector employers with 50 or more employees and to all public-sector entities regardless of size. Employers in the financial sector – supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF) – face additional obligations linked to anti-money laundering (AML) frameworks. The Państwowa Inspekcja Pracy (State Labour Inspectorate, PIP) and the Rzecznik Praw Obywatelskich (Commissioner for Human Rights, RPO) both have enforcement roles under the APW.

The core obligation is to establish, maintain, and publicise an internal reporting channel. The channel must accept reports in written or oral form – or both. Written channels include dedicated web forms, encrypted email addresses, and physical drop boxes. Oral channels include dedicated telephone lines and, where the reporter requests it, an in-person meeting within a reasonable timeframe. Employers cannot limit the channel to a single format and then argue that reporters who used a different method fall outside the protection framework.

The APW sets three hard deadlines. First, the employer must acknowledge receipt within seven days of the report arriving. Second, the employer must provide feedback on the action taken within three months of acknowledgement. Third, all records connected to a report must be retained for a minimum of five years from the date of receipt. Missing any of these deadlines constitutes a violation even if the underlying report was handled correctly.

  • Written channel (web form, encrypted email, or physical mailbox)
  • Oral channel (telephone line or in-person meeting on request)
  • Seven-day acknowledgement and three-month follow-up deadlines
  • Five-year retention obligation for all report records
  • Prohibition on disclosing the reporter's identity without consent

How should the channel be designed technically?

Technical design is where most compliance failures originate. The APW does not prescribe a specific platform, but it does set functional requirements that effectively rule out generic tools. A shared inbox, a standard contact form, or an unencrypted messaging application will not satisfy the confidentiality requirement. The channel must be designed so that only the authorised investigator – not line managers, not HR generalists, not IT administrators with routine access – can read incoming reports.

There are four core design decisions. First, choose between a self-hosted solution and a third-party SaaS platform. Self-hosted solutions give the employer full control over data residency, which matters for employers processing sensitive personal data under the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) framework. SaaS platforms reduce implementation time – typically two to four weeks versus eight to twelve weeks for a custom build – but require a data processing agreement and a careful review of subprocessor chains. Second, decide whether the channel will be managed internally or by an external ombudsperson. Employers with fewer than 249 employees may share a channel with other entities in the same corporate group, which can reduce per-entity cost significantly.

We obtained a compliant channel architecture for a manufacturing group in Silesia (autumn 2025) that allowed three Polish subsidiaries to share a single SaaS platform while maintaining legally separate case files for each entity. The arrangement reduced implementation cost by approximately 40 percent compared to deploying three independent systems.

Third, configure access controls so that the investigation team is isolated from general IT administration. The system administrator should not have read access to report content – only to system logs and uptime data. This is a technical control, not just a policy commitment, and auditors will test it. In practice it means one of two things: report bodies are encrypted with keys held by the investigation team rather than by the platform operator, or the administrator role is stripped of data access at the application level, with every read of a case file written to an access log that the investigator, not the administrator, reviews. Fourth, integrate the channel with the employer's existing document retention infrastructure. Reports and associated case notes must be stored for five years from receipt. If the channel platform does not support automated retention scheduling, the employer needs a manual process – and manual processes fail under audit pressure.

What are the most common implementation mistakes?

Three mistakes account for the majority of non-compliant implementations seen in practice. Understanding them early saves significant remediation cost later. For context on how compliance programme design interacts with broader governance obligations, see our guide on compliance programme design for Switzerland subsidiaries in Poland.

The first mistake is treating the channel as an IT project rather than a legal one. IT teams configure the platform, but the legal team must define the access architecture, the retention schedule, and the investigation procedure. Without a legal sign-off on these parameters before go-live, the channel may be technically operational but legally non-compliant. One Mazowieckie-region retail employer (spring 2026) discovered after a PIP inspection that its channel allowed the HR director – who was named in one of the reports – to access the full case file. The system was technically functional but legally defective.

The second mistake is failing to draft an internal reporting procedure that matches the channel's actual configuration. The APW requires the employer to publish a written procedure describing how reports are submitted, who processes them, and what the reporter can expect at each stage. If the procedure says "reports are acknowledged within seven days" but the platform sends automated acknowledgements only to registered users, anonymous reporters will not receive confirmation. That gap is a violation.

The third mistake is ignoring the intersection with GDPR and AML obligations. Every report is personal data. The employer must conduct a data protection impact assessment (DPIA) before launch, identify the legal basis for processing report-related data, and define retention periods for different categories of information. For employers in regulated sectors, AML reporting obligations run in parallel – a report alleging financial crime may need to be escalated to the Generalny Inspektor Informacji Finansowej (General Inspector of Financial Information, GIIF) independently of the internal investigation. Failure to separate these tracks can compromise both the whistleblower protection and the AML compliance programme. ESG reporting obligations add another dimension; see our analysis of ESG due diligence in supply chains – Polish perspective for the broader CSRD Poland context.

One point bears repeating: the DPIA must be completed before the channel goes live, not retrospectively. UODO can impose GDPR fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher, for violations connected to whistleblower channel data processing.
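The access isolation from the design section above and the two failures just described (a person named in the report holding case-file access, and anonymous reporters receiving no acknowledgement) come down to a handful of rules that a platform either enforces or does not. The following Python is an added illustration, not code from this page, from any vendor platform or from the Act. It models a case register in which report content is readable only by investigators who are not themselves named in the report, a platform administrator sees identifiers, dates and the audit trail but never the body, an anonymous reporter checks progress with a receipt token rather than an account, and the seven-day, three-month and five-year dates are computed from receipt. The role names, the token scheme and the sample report are assumptions.

```python
"""Toy case register for an internal reporting channel (added example; roles, token scheme and data are assumptions)."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets

ACK_DEADLINE = timedelta(days=7)  # acknowledge receipt within seven days
FEEDBACK_MONTHS = 3               # feedback within three months of acknowledgement
RETENTION_MONTHS = 5 * 12         # keep records five years from receipt
User = namedtuple("User", "name role")  # assumed roles: investigator, sysadmin, hr, employee


def add_months(d, months):
    """Calendar-month arithmetic clamped to the last day of the target month."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    next_first = date(year + (month == 12), month % 12 + 1, 1)
    return date(year, month, min(d.day, (next_first - timedelta(days=1)).day))


@dataclass
class Case:
    case_id: str
    received: date
    content: str              # report body: investigators only
    named_persons: frozenset  # who the report is about
    receipt_token: str        # handed to the reporter; no login needed
    acknowledged: date = None
    audit: list = field(default_factory=list)


class CaseRegister:
    def __init__(self):
        self._cases, self._by_token = {}, {}

    def submit(self, content, named_persons, received):
        # Returns (case_id, receipt_token); the token is the reporter's only credential.
        case_id, token = f"C-{len(self._cases) + 1:04d}", secrets.token_urlsafe(16)
        self._cases[case_id] = Case(case_id, received, content, frozenset(named_persons), token)
        self._by_token[token] = case_id
        return case_id, token

    def _authorise(self, user, case, action, on):
        # Only investigators not named in the report may handle it; every decision is logged.
        allowed = user.role == "investigator" and user.name not in case.named_persons
        case.audit.append((on, user.name, action, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{user.name} ({user.role}) may not {action} {case.case_id}")

    def read_content(self, user, case_id, on):
        self._authorise(user, self._cases[case_id], "read_content", on)
        return self._cases[case_id].content

    def acknowledge(self, user, case_id, on):
        self._authorise(user, self._cases[case_id], "acknowledge", on)
        self._cases[case_id].acknowledged = on

    def read_metadata(self, user, case_id, on):
        # Administrator's view: identifiers, dates, audit trail; never the body or named persons.
        if user.role not in ("sysadmin", "investigator"):
            raise PermissionError(f"{user.name} may not read metadata")
        c = self._cases[case_id]
        c.audit.append((on, user.name, "read_metadata", "allow"))
        return {"case_id": c.case_id, "received": c.received,
                "acknowledged": c.acknowledged, "audit": list(c.audit)}

    def reporter_status(self, token):
        # Progress check by receipt token alone, so anonymous reporters still get their acknowledgement.
        c = self._cases[self._by_token[token]]
        return {"case_id": c.case_id, "acknowledged": c.acknowledged}

    def deadlines(self, case_id):
        c = self._cases[case_id]
        fb = add_months(c.acknowledged, FEEDBACK_MONTHS) if c.acknowledged else None
        return {"ack_due": c.received + ACK_DEADLINE, "feedback_due": fb,
                "retain_until": add_months(c.received, RETENTION_MONTHS)}

    def overdue(self, today):
        # Cases that have missed the acknowledgement deadline as of today.
        return [c.case_id for c in self._cases.values()
                if c.acknowledged is None and today > c.received + ACK_DEADLINE]


def demo():
    # Constructed walk-through: a report naming the HR director (who also sits on the
    # investigation team) and a second report that nobody has acknowledged.
    reg = CaseRegister()
    case_id, token = reg.submit("Invoices approved without a second signature.",
                                {"hr_director"}, date(2025, 11, 28))
    reg.submit("Second constructed report.", set(), date(2025, 11, 20))
    out = {}
    for u in (User("sysadmin", "sysadmin"), User("hr_director", "investigator"),
              User("compliance_officer", "investigator")):
        try:
            reg.read_content(u, case_id, date(2025, 12, 1))
            out[u.name] = "allow"
        except PermissionError:
            out[u.name] = "deny"
    reg.acknowledge(User("compliance_officer", "investigator"), case_id, date(2025, 12, 3))
    out["reporter_sees_ack"] = reg.reporter_status(token)["acknowledged"] is not None
    out["deadlines"] = {k: v.isoformat() for k, v in reg.deadlines(case_id).items()}
    out["overdue"] = reg.overdue(date(2025, 12, 10))
    out["admin_view"] = reg.read_metadata(User("sysadmin", "sysadmin"), case_id, date(2025, 12, 10))
    out["clamp"] = add_months(date(2025, 11, 30), 3).isoformat()
    return out
```

Running demo() shows the administrator and the named HR director both denied, with both denials sitting in the audit trail that the investigator later reviews, while the reporter's status check works without any account. In a real deployment the same separation is enforced by the platform's role model or by encrypting report bodies with keys the investigation team controls; the toy shows what an auditor expects to observe, not how a product stores the data.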

How do the rules apply across three business scenarios?

Abstract requirements become clearer through concrete application. Three scenarios illustrate the range of design choices and their practical consequences. They also show where the design is most complex – and where getting it wrong forfeits the legal protection the channel is meant to give the employer.

Manufacturing group (250+ employees, multiple Polish sites). A manufacturer with plants in Silesia and Małopolska must deploy a channel accessible to shift workers who do not have company email addresses. The technical solution must therefore support anonymous web submissions from personal devices, with no login requirement. The oral channel – a dedicated telephone line – must be available outside standard office hours. The investigation function should sit with the compliance officer at group level, not at plant level, to avoid conflicts of interest when reports concern local management. The employer may use a shared channel across Polish entities but must maintain separate case registers. Board liability for inadequate oversight is a real risk here; the interaction between compliance failures and director responsibility is analysed in our piece on board liability for tax arrears, which illustrates how personal exposure can arise from systemic governance gaps.

IT services company (50–99 employees, Warsaw). A mid-size IT employer is tempted to build its own channel using existing internal tools. The risk is that developers retain administrative access to the reporting database. A SaaS solution with role-based access controls is almost always the better choice at this scale. Implementation timeline: two to four weeks. Cost: PLN 8,000 to PLN 25,000 per year depending on the platform and the number of users. The employer should also appoint a named internal investigator and document that appointment formally, since the APW requires the employer to identify the person or unit responsible for receiving and processing reports.

Foreign-owned subsidiary (German parent, Polish entity with 80 employees). The Polish subsidiary is subject to Polish law regardless of the parent's group-wide whistleblower programme. If the parent operates a centralised channel based in Germany, the Polish entity must either confirm that the channel meets APW requirements in full or deploy a separate Polish-compliant channel. Because Germany is an EU member state, no GDPR Chapter V transfer mechanism such as standard contractual clauses is needed for report data sent to the parent; what is needed is a documented legal basis for sharing it, a data processing or joint-controller agreement that fixes who may read what, and assurance that the group's own administrators are subject to the same access restrictions as Polish staff. Standard contractual clauses only become relevant if the platform or its subprocessors sit outside the EEA. The subsidiary's management board – not the German parent – bears responsibility for APW compliance in Poland. This is a point frequently missed in group-wide rollouts and one that generates personal liability exposure for Polish directors.

What should employers prepare before go-live?

A structured pre-launch checklist reduces the risk of a non-compliant go-live. The following items represent the minimum viable preparation for an employer deploying a new channel. Whistleblower compliance is not a one-time project; it requires ongoing monitoring, annual procedure reviews, and periodic testing of the channel's anonymity controls.

  • Completed DPIA, reviewed by the Data Protection Officer (DPO) or external privacy counsel
  • Written internal reporting procedure, approved by management and published to all employees
  • Access control configuration tested and documented – confirm that IT administrators cannot read report content
  • Five-year retention schedule configured in the platform or documented in a manual procedure
  • Named investigator appointed and trained, with a documented conflict-of-interest protocol

The go-live date is not the finish line. Within 30 days of launch, the employer should make an anonymous test submission – no account, from a device outside the corporate network – to verify that the acknowledgement mechanism works, that the investigator receives the notification, that the reporter receives confirmation within the seven-day window, and that an account with platform-administrator rights cannot open the report body. This test should be documented, including the audit-log entries it produced. A Warsaw-based compliance lawyer will typically conduct this verification as part of a broader ESG reporting and whistleblower compliance audit.

Timeline summary: legal design and DPIA – two to three weeks. Platform selection and configuration – two to four weeks for SaaS. Internal procedure drafting and approval – one to two weeks. Employee communication and training – one week. Total minimum timeline from project start to compliant go-live: six to ten weeks. Employers who have not yet started and face a regulatory deadline should treat this as urgent.

We secured a successful go-live for a Pomerania-based logistics company (winter 2025) within eight weeks of instruction, including DPIA completion, platform configuration, procedure drafting, and employee training. The channel passed a subsequent PIP verification without findings.

Frequently asked questions

Q: Can a company with 55 employees use a shared channel operated by its parent group?

A: Yes. The Act on the Protection of Whistleblowers permits employers with fewer than 249 employees to share a channel with other entities in the same corporate group. However, the channel must still meet all Polish technical and procedural requirements. Each entity must maintain a separate case register, and the parent's group procedure must be supplemented by a Polish-law compliant internal procedure published to Polish employees. The shared arrangement does not reduce the individual employer's legal responsibility for APW compliance.

Q: How much does a compliant whistleblower channel cost to implement?

A: For a mid-size employer using a SaaS platform, annual platform costs typically range from PLN 8,000 to PLN 25,000 depending on the provider and user count. Legal fees for DPIA preparation, procedure drafting, and go-live verification add PLN 5,000 to PLN 15,000 as a one-time cost. Self-hosted solutions carry higher upfront IT costs – typically PLN 30,000 to PLN 80,000 – but lower ongoing licence fees. Employers in regulated sectors should budget separately for AML integration work. The cost of non-compliance – fines of up to PLN 40,000 plus remediation – consistently exceeds the cost of a compliant implementation.

Q: Is it a misconception that an anonymous email address is sufficient for compliance?

A: Yes, this is one of the most common misconceptions. An anonymous email address does not meet the APW's technical requirements for several reasons. It does not guarantee confidentiality of the reporter's identity in a technically verifiable way. It does not provide a structured acknowledgement mechanism. It does not support the five-year retention obligation unless supplemented by a documented archiving process. And it does not prevent unauthorised access by IT administrators or other staff with mailbox access. The Act requires a channel specifically designed to protect reporter confidentiality – which means purpose-built technology or a rigorously controlled dedicated mailbox with access restricted by documented technical controls, not just policy.

About KORDECKI & Partners. KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower channel design, and CSRD Poland implementation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Specific circumstances require specific advice. A whistleblower channel that is technically operational but legally defective precludes the employer from relying on the compliance framework as a defence – and leaves management personally exposed. The consequences of a non-compliant implementation are difficult to reverse after a report has already been mishandled.

If your organisation has 50 or more employees in Poland and has not yet implemented a compliant internal reporting channel – or has doubts about whether its existing channel meets the APW's technical requirements – our team will conduct a gap analysis, prepare the required documentation, and verify the channel configuration before go-live: info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.