A Warsaw-based technology company with 55 employees receives its first anonymous report through a newly installed web form. The form has no encryption. The HR manager's email address is visible in the source code. The company has no documented response procedure. Under Polish whistleblower law, this setup exposes the business to fines and personal liability for the person responsible for the internal channel – before a single report is even investigated.

Polish law implementing the EU Whistleblowing Directive requires every employer with 50 or more employees to establish an internal reporting channel meeting specific technical and procedural standards. Failure to establish a compliant channel is a criminal offence carrying a fine. The channel must guarantee confidentiality, allow anonymous reporting, and be technically secure against unauthorised access.

This guide walks through the technical requirements step by step. It covers the legal framework, the four core design elements, the three most common implementation mistakes, and what each business scenario – manufacturing, IT, foreign investor – should prioritise. A checklist and FAQ close the guide for quick reference.

What does Polish whistleblower law actually require?

The ustawa o ochronie sygnalistów (Act on the Protection of Whistleblowers, APW) transposes EU Directive 2019/1937 into Polish law. It entered into force in September 2024. The Act covers employers in both the private and public sectors. Every private employer with at least 50 employees must have an internal reporting channel in place. Employers with fewer than 50 staff may be required to establish one if they operate in regulated sectors – including AML-obligated institutions and financial firms supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF).

The Act imposes three baseline obligations. First, the channel must be designed so that only authorised persons can access submitted reports. Second, the identity of the reporting person must be protected throughout the process. Third, the employer must acknowledge receipt within seven days and provide feedback within three months. These timelines are statutory – they cannot be extended by internal policy.

Registration requirements add another layer. Employers subject to the Act must register their internal procedure with the Państwowa Inspekcja Pracy (National Labour Inspectorate, PIP). The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) oversees the data-protection dimension of channel operation. Both authorities can conduct audits and impose sanctions independently.

The criminal penalty for failing to establish a channel reaches PLN 1,080,000. Personal liability attaches to the individual designated as responsible for the channel – not just the legal entity. That combination of institutional fine and personal exposure is the defining risk for boards and compliance officers.


Facing a specific situation that requires immediate action? To receive an expert assessment of your channel design obligations, contact info@kordeckipartners.com.

What are the four core technical design elements?

Technical compliance is not achieved by installing any reporting tool. The APW specifies functional outcomes, not software brands. Meeting those outcomes requires deliberate design across four dimensions: access control, confidentiality architecture, data integrity, and audit trail.

Access control. The channel must restrict access to reports on a strict need-to-know basis. In practice, this means role-based permissions enforced at the system level – not just by internal policy. A manufacturing company in Silesia discovered during a PIP audit (autumn 2025) that its channel vendor had granted administrator access to the parent company's IT team in Germany. The access log showed 12 unauthorised views of pending reports. The employer was required to suspend the channel pending remediation and faced a formal warning. Role segregation must be configured before go-live, not retrofitted after an audit.

Confidentiality architecture. End-to-end encryption is the practical standard. Reports in transit and at rest must be unreadable to anyone outside the authorised access group. Where email is used as a reporting channel – which the Act permits as one option – the email account must be dedicated, password-protected, and accessible only to the designated handler. A shared compliance inbox that also receives supplier invoices does not meet this standard.

Data integrity. The system must prevent alteration or deletion of submitted reports. Version control, write-once storage, or equivalent technical controls achieve this. This matters because whistleblower reports may later become evidence in proceedings before the Prokuratura (Public Prosecution Service). Tampered records expose the employer to obstruction liability.

Audit trail. Every interaction with a report – opening, forwarding, status change, response – must be logged with a timestamp and user identifier. The log itself must be protected against modification. A minimum retention period of three years applies under the APW.
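The four elements above describe outcomes, not a product. As an added illustration (not code from the original article, the firm, or any vendor platform) the following Python sketch shows how three of them fit together in one small store: access to a report is checked in code rather than by policy, submitted reports cannot be overwritten, and every open or denied attempt lands in a hash-chained audit log whose later verification fails if any entry is edited. All names (`ReportStore`, `AuditLog`, the handler and report ids) are hypothetical, and the sample report text is constructed.

```python
"""Role-gated, write-once report store with a tamper-evident audit log.

Hypothetical design for illustration; no real whistleblower platform API is used.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

HASHED_FIELDS = ("ts", "user", "action", "report", "prev")
GENESIS = "0" * 64


class AccessDenied(Exception):
    """Raised when a user outside the need-to-know group tries to open a report."""


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the hash is reproducible at verification time.
    body = {k: entry[k] for k in HASHED_FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class AuditLog:
    """Append-only log: each entry carries the hash of the previous one, so editing
    or deleting an earlier entry invalidates every entry that follows it."""

    entries: list = field(default_factory=list)
    _last_hash: str = GENESIS

    def append(self, user: str, action: str, report_id: str, ts: Optional[str] = None) -> dict:
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "report": report_id,
            "prev": self._last_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False means some entry was altered or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class ReportStore:
    def __init__(self, handlers: set[str]):
        self.handlers = handlers          # the authorised need-to-know group
        self.reports: dict[str, str] = {}
        self.log = AuditLog()

    def submit(self, report_id: str, content: str) -> None:
        if report_id in self.reports:
            raise ValueError("write-once: report already exists")
        self.reports[report_id] = content
        # The reporter's identity is deliberately not logged.
        self.log.append("reporter", "submit", report_id)

    def open(self, user: str, report_id: str) -> str:
        if user not in self.handlers:
            self.log.append(user, "denied", report_id)  # failed attempts are evidence too
            raise AccessDenied(user)
        self.log.append(user, "open", report_id)
        return self.reports[report_id]


def demo() -> dict:
    """Constructed scenario: one authorised handler, one outsider, then a log edit."""
    store = ReportStore(handlers={"compliance.officer"})
    store.submit("R-2025-001", "constructed sample report text")
    store.open("compliance.officer", "R-2025-001")
    denied = False
    try:
        store.open("parent.it.admin", "R-2025-001")   # hypothetical outsider account
    except AccessDenied:
        denied = True
    intact_before = store.log.verify()
    store.log.entries[1]["user"] = "someone.else"     # simulate after-the-fact tampering
    return {
        "denied": denied,
        "intact_before": intact_before,
        "intact_after": store.log.verify(),
        "actions": [e["action"] for e in store.log.entries],
    }


if __name__ == "__main__":
    print(demo())
```

A hash chain on its own does not detect silent truncation of the newest entries, so a real deployment would also anchor the latest hash somewhere the channel administrators cannot write, for example by exporting it periodically to a separate system; the three-year retention requirement then applies to both the log and those anchors.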

How should the three business scenarios approach implementation?

Implementation priorities differ significantly depending on company structure, sector, and headcount. Three scenarios illustrate the range.

Manufacturing company (200 employees, Mazowieckie region). The main risk is workforce trust. Workers on a production floor are unlikely to use a digital-only channel. The APW expressly allows multiple reporting formats – written, electronic, and in-person verbal reports. A manufacturing employer should offer at least two formats. In-person reporting requires a designated meeting room with no CCTV coverage and a documented protocol for converting verbal reports into written form. The written record must then enter the same secure system as electronic submissions. Budget for this scenario: PLN 15,000–30,000 for a mid-range software solution plus internal procedure drafting.

IT company (60 employees, Warsaw). The risk profile here is different. IT staff are technically literate and will scrutinise the channel's security architecture. A basic web form is unlikely to generate trust. The employer should deploy a dedicated platform with open-source cryptography, a clear privacy notice, and an option to report without creating a user account. CSRD Poland reporting obligations may also require the company to document channel effectiveness as part of its social governance disclosures. Integration between the whistleblower platform and the ESG reporting workflow saves duplication.

Foreign investor (subsidiary of a German group, Lower Silesia). Group-level channels present a specific compliance risk. EU Directive 2019/1937 permits group-wide channels only if the Polish subsidiary with 50–249 employees shares resources with another entity. However, the Polish subsidiary remains independently responsible for the seven-day acknowledgement and three-month feedback obligations. A German parent operating a centralised channel must ensure the Polish subsidiary has a designated local handler with authority to meet those deadlines. For a detailed discussion of how German-group compliance programmes interact with Polish law, see our analysis of compliance programme design for Germany subsidiaries in Poland.


Does your company's channel design raise questions about cross-border liability? For a tailored strategy on compliant channel architecture, reach out to info@kordeckipartners.com.

What are the most common implementation mistakes?

Three mistakes account for most of the channel deficiencies identified in PIP audits and client reviews during 2025.

Mistake 1: repurposing an existing HR or ethics hotline. Many employers assume that an existing ethics hotline satisfies the APW. It does not, unless the hotline meets every technical requirement of the Act – including the dedicated access control, encryption standard, and audit trail described above. An IT company in Pomerania that had operated a third-party ethics hotline since 2021 discovered (spring 2025) that the vendor had not updated the platform to meet APW standards. The company had to procure a new solution and relaunch internal communications, at a total cost exceeding PLN 40,000. Early vendor due diligence prevents this outcome.

Mistake 2: failing to consult employee representatives before adoption. The APW requires the employer to consult the internal procedure with the company trade union or, where no union exists, with employee representatives elected for that purpose. The consultation period is at least five days. Procedures adopted without consultation are legally defective. A defective procedure does not satisfy the obligation to establish a channel – even if the technical system itself is fully compliant. This mistake is easy to avoid and costly to correct after the fact.

Mistake 3: inadequate data-protection documentation. The channel processes personal data. A UODO-compliant data-protection impact assessment (DPIA) is required where the processing is likely to result in high risk to individuals – which it typically is, given the sensitivity of whistleblower data. The privacy notice presented to reporting persons must specify the legal basis for processing, the retention period, and the rights available to data subjects. Omitting the DPIA or using a generic privacy notice creates exposure under both the APW and the Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR). Subsidiary liability considerations in corporate groups further complicate the data-controller question – a topic explored in our guide on subsidiary liability in Polish corporate groups.

A fourth pitfall worth noting: neglecting the external reporting pathway. The APW requires employers to inform reporting persons about the option to report externally to competent authorities. Failing to include that information in the channel documentation is a procedural defect, even if the technical system is otherwise sound.

What to prepare – implementation checklist

Before submitting the internal procedure to PIP and going live with the channel, verify the following items. Each represents a distinct compliance obligation under the APW or GDPR.

  • Technical system configured with role-based access control, end-to-end encryption, write-once storage, and a tamper-proof audit log retained for at least three years.
  • Internal procedure drafted in Polish, covering reporting formats, authorised handlers, seven-day acknowledgement, and three-month feedback obligations.
  • Consultation with trade union or elected employee representatives completed, with a minimum five-day consultation window documented in writing.
  • DPIA completed and a GDPR-compliant privacy notice prepared specifically for the channel – not adapted from a generic employee privacy notice.
  • Staff training delivered to authorised channel handlers, covering confidentiality obligations, anti-retaliation rules, and escalation procedures.

For companies with Romanian subsidiaries operating in Poland, the compliance programme design considerations overlap significantly. Our separate guide on compliance programme design for Romania subsidiaries in Poland addresses those intersections in detail.

Frequently asked questions

Q: Can a company with fewer than 50 employees avoid establishing a channel entirely?

A: In most cases, yes – but sector matters. Employers in AML-regulated industries, financial services supervised by the KNF, and certain public-interest entities must establish a channel regardless of headcount. The threshold of 50 employees applies to general private-sector employers. Companies that grow past 49 employees mid-year must establish the channel within the timeframe specified by the Act – generally before the end of the calendar year in which the threshold is crossed. Ignoring this trigger is one of the most common oversights among fast-growing businesses.

Q: How long does implementation typically take, and what does it cost?

A: A straightforward implementation for a single-entity employer with 50–250 employees typically takes four to eight weeks from vendor selection to go-live. That timeline includes procedure drafting, employee-representative consultation, DPIA completion, and staff training. Software costs range from PLN 5,000 to PLN 25,000 annually depending on platform and headcount. Legal advisory fees for procedure drafting and DPIA typically add PLN 8,000–15,000 for a standard engagement. Group structures with multiple Polish entities and a centralised channel design require longer timelines – typically 10–14 weeks.

Q: Does an anonymous reporting option create investigative problems for the employer?

A: This is a common misconception. The APW does not require employers to investigate anonymous reports – but it strongly encourages acceptance of anonymous submissions. Many of the most significant internal compliance issues are reported anonymously first. A channel that discourages or technically blocks anonymous reporting loses its primary source of early-warning information. The practical solution is a two-way anonymous messaging function: the channel handler can ask clarifying questions without learning the reporter's identity. Most reputable whistleblower platforms include this functionality as standard. Whistleblower compliance is best served by designing for anonymity from the outset, not treating it as an obstacle.
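The two-way anonymous messaging function described in this answer can be built without the handler ever learning who the reporter is. The following Python sketch is an added illustration, not code from the original article or from any platform: the reporter receives a random case token once, the server keeps only an HMAC of that token as the thread key, and the handler sees nothing but that opaque key. The class name `AnonymousCaseMailbox`, the server secret and the sample messages are all constructed for the example.

```python
"""Pseudonymous two-way case messaging keyed by a random reporter token.

Hypothetical design for illustration; no real whistleblower platform API is used.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class AnonymousCaseMailbox:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._threads: dict[str, list[tuple[str, str]]] = {}

    def _key(self, token: str) -> str:
        # Only an HMAC of the token is stored: a copied database does not yield
        # the tokens needed to read or answer as a reporter.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def open_case(self, report_text: str) -> str:
        """Create a thread and return the one-time token shown to the reporter."""
        token = secrets.token_urlsafe(32)
        self._threads[self._key(token)] = [("reporter", report_text)]
        return token  # never stored in clear, never tied to a user account

    def case_keys(self) -> list:
        """What the handler's queue shows: opaque keys, no identities."""
        return list(self._threads)

    def handler_reply(self, case_key: str, text: str) -> None:
        self._threads[case_key].append(("handler", text))

    def reporter_read(self, token: str) -> list:
        """The reporter presents the token to see the whole thread."""
        key = self._key(token)
        if key not in self._threads:
            raise KeyError("unknown or revoked case token")
        return list(self._threads[key])


def demo() -> dict:
    """Constructed exchange: one report, one clarifying question, one bad token."""
    box = AnonymousCaseMailbox(server_secret=b"constructed-demo-secret")
    token = box.open_case("constructed sample: possible irregular invoices")
    key = box.case_keys()[0]
    box.handler_reply(key, "Which month do the invoices concern?")
    thread = box.reporter_read(token)
    try:
        box.reporter_read("not-the-real-token")
        wrong_rejected = False
    except KeyError:
        wrong_rejected = True
    return {
        "messages": len(thread),
        "roles": [role for role, _ in thread],
        "key_is_not_token": key != token,
        "wrong_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment the token would be the reporter's only credential, so the privacy notice should tell them to keep it, and the thread storage should sit under the same encryption and audit controls as the reports themselves.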

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower channel design, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.