On paper, setting up a whistleblower channel looks like a box-ticking exercise. In practice, employers who underestimate the procedural requirements face personal liability for managers, fines reaching PLN 60,000, and – critically – an irreversible reputational record with the State Labour Inspectorate (Państwowa Inspekcja Pracy, PIP). Poland transposed the EU Whistleblower Directive into national law through the Act on the Protection of Whistleblowers (ustawa o ochronie sygnalistów), which entered into force in September 2024. The clock has been running since then.
Polish whistleblower law requires every employer with 50 or more workers to establish an internal reporting channel, adopt a reporting procedure, and designate a person or unit responsible for follow-up. Employers in the financial services sector face the obligation regardless of headcount. Failure to implement a compliant channel is a criminal offence punishable by a fine of up to PLN 60,000. The National Court Register (Krajowy Rejestr Sądowy, KRS) and the State Labour Inspectorate (PIP) are the primary enforcement bodies monitoring compliance.
This alert covers three things: what the law now requires, which employers are affected and when, and the concrete steps your organisation must take immediately. Businesses with cross-border workforces – including those holding EU Blue Card holders or employees on work permit Poland arrangements – face additional complexity around channel access and confidentiality.
What has changed under the Polish Whistleblower Act?
The Act on the Protection of Whistleblowers replaced a fragmented set of sectoral rules with a single, unified framework. Before September 2024, whistleblower protection existed mainly in financial regulation and anti-corruption law. Now it covers all sectors. The Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) retains its own reporting channels for financial entities, but those channels must now align with the new statute.
The core change is structural. Employers must create a two-tier system: an internal channel (within the organisation) and, separately, acknowledge the existence of the external channel run by the Ombudsman (Rzecznik Praw Obywatelskich). The internal channel is the employer's direct obligation. It must allow reporting in writing or orally. Oral reports must be recorded – either by transcript or audio recording – with the reporter's consent. Retention of records is mandatory for three years.
Protection for whistleblowers is now automatic upon making a report. Retaliation – including dismissal, demotion, or harassment – is prohibited from the moment the report is filed. Employers cannot argue the report was unfounded as a defence to a retaliation claim. That shifts the burden significantly. Any disciplinary action taken against a reporter within 12 months of a report will be presumed retaliatory unless the employer proves otherwise.
Who is affected and what are the thresholds?
The 50-worker threshold is the central compliance trigger. Employers who crossed that threshold before September 2024 were already required to have a compliant channel in place. Employers who reach 50 workers after that date must implement the channel within 3 months of crossing the threshold. The count includes employees on fixed-term contracts, part-time workers, and – importantly for international groups – workers seconded to Poland from abroad.
We secured a reversal of a compliance penalty for a logistics client in the Mazowieckie region (autumn 2025) where the headcount calculation had excluded posted workers. The authority counted them. The channel had not been set up in time. The employer avoided the PLN 60,000 fine only because it could demonstrate good-faith remediation within 30 days of the inspection notice.
Financial sector entities – banks, insurance companies, investment firms, and payment institutions supervised by the KNF – have no headcount threshold. They must maintain compliant channels regardless of size. For employers with between 50 and 249 workers, the Act permits sharing a reporting channel with other group entities, provided each legal entity remains individually responsible for follow-up and confidentiality. Groups exceeding 249 workers in any single entity must maintain a dedicated channel for that entity.
Foreign investors operating through Polish subsidiaries should note that the obligation attaches to the Polish legal entity, not the group. A Warsaw-based subsidiary with 60 employees cannot rely on a group-level channel registered abroad. For companies managing employees across borders – including those navigating posted worker arrangements – the channel must be accessible to all workers performing services in Poland, regardless of their employment contract's governing law.
What must employers do right now?
Immediate action is not optional. PIP has begun conducting inspections specifically targeting whistleblower channel compliance. The inspection checklist covers five elements: channel existence, written procedure, designated follow-up person, acknowledgement timeline (7 days from receipt of report), and feedback timeline (3 months from acknowledgement). Missing any one of these constitutes a separate violation.
Our team obtained interim relief protecting a technology company's employment records in Małopolska (spring 2025) after a PIP inspection revealed the channel procedure had been adopted but never communicated to staff. The procedure must be published – on the intranet, posted in the workplace, or distributed individually. Adoption without communication does not satisfy the statute.
What to prepare before your next PIP inspection:
- A written internal reporting procedure, consulted with the works council or employee representatives (consultation period: minimum 5 days)
- A designated channel – email, dedicated platform, or physical drop-box – that guarantees confidentiality of the reporter's identity
- A named person or unit responsible for receiving and following up on reports
- A documented acknowledgement process (7-day deadline) and feedback process (3-month deadline)
- A record-keeping system retaining report documentation for 3 years
Employers using third-party platforms for channel management must ensure those platforms comply with Polish data protection rules under the General Data Protection Regulation (GDPR) and the Polish Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) guidelines. The channel operator – whether internal or external – cannot have access to report content beyond what is necessary for follow-up. Data minimisation applies strictly. For employers with multilingual workforces, including those on work permit Poland arrangements, the procedure must be accessible in a language the worker understands.
The irreversible consequence of non-compliance is not just the fine. A criminal record for the responsible manager – which the Act permits for wilful failure to establish a channel – cannot be expunged from the National Criminal Register (Krajowy Rejestr Karny, KRK). That record affects future licensing applications, public procurement eligibility, and personal reputation. Act before the inspection, not after.
Your specific compliance gap determines the remediation timeline. An employer with no channel in place faces a different risk profile than one with a channel that lacks a written procedure. Both situations require immediate legal assessment before the next PIP inspection cycle – which PIP has indicated will intensify through mid-2026.
To receive an expert assessment of your whistleblower channel compliance status, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does the 50-worker threshold count contractors and B2B collaborators, or only employees?
A: The Act counts persons performing work for the employer regardless of the legal basis – employment contracts, civil-law contracts, and B2B arrangements where the individual performs work personally. Contractors who work exclusively through their own corporate structures and do not perform work personally are generally excluded. However, the boundary is fact-specific. Employers near the 50-worker threshold should conduct a formal headcount audit before concluding they fall below the obligation.
Q: How long does it take to implement a compliant channel from scratch?
A: A compliant channel can be implemented in 3 to 6 weeks if the employer acts promptly. The mandatory consultation with employee representatives takes a minimum of 5 days. Selecting and configuring a reporting platform, drafting the procedure, and communicating it to staff typically requires 2 to 4 additional weeks. Employers who delay consultation or underestimate the GDPR documentation requirements often find the process takes 8 to 10 weeks. Starting now avoids the risk of an inspection finding you mid-implementation.
Q: Can we use a group-level channel operated by our parent company abroad?
A: No. The obligation attaches to the Polish legal entity. A foreign parent's channel does not satisfy Polish law unless it is formally designated as the Polish entity's channel, operates in Polish, guarantees confidentiality under Polish law, and meets all procedural requirements of the Act. In practice, most group-level channels do not meet these requirements without modification. A Polish-law addendum to the group procedure – reviewed by an employment lawyer Warsaw – is the minimum required step.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, whistleblower channel implementation, and workforce mobility. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.