On paper, establishing a whistleblower reporting channel looks like a straightforward IT project. In practice, Polish employers are discovering that the legal obligations run far deeper – covering internal procedures, data protection safeguards, anti-retaliation rules, and staff training. Missing any element exposes the company to personal liability for managers and fines reaching PLN 60,000.

Poland's Ustawa o ochronie sygnalistów (Whistleblower Protection Act) entered into force in September 2024, transposing the EU Whistleblowing Directive into national law. Employers with 50 or more workers must maintain an internal reporting channel and a written procedure governing its operation. Failure to establish the channel is a criminal offence carrying a fine of up to PLN 60,000 for the responsible manager.

This alert explains what changed, which employers are caught by the thresholds, and what concrete steps must be taken now. It covers the three core compliance tasks: channel setup, procedure adoption, and ongoing case management. Foreign investors and Polish companies alike should treat this as an active compliance obligation, not a one-time registration exercise.

Who is affected and what are the key thresholds?

The Whistleblower Protection Act applies to every employer in Poland that meets the headcount threshold. The primary trigger is 50 workers – counted as employees under employment contracts, not just full-time equivalents. Companies in the financial services sector (supervised by the Komisja Nadzoru Finansowego, Polish Financial Supervision Authority, KNF) and public-sector entities face the obligation regardless of size. Municipalities with fewer than 10,000 residents are temporarily exempt.

The definition of "worker" is deliberately wide. It covers employees, contractors providing services personally, trainees, and volunteers. A Warsaw-based IT company with 45 employees but 10 long-term B2B contractors providing services personally will almost certainly cross the 50-person threshold. Employers should recount their workforce using the statutory definition – not the HR payroll figure alone.

For companies operating across multiple jurisdictions, the Polish obligation is independent of any group-level channel operated abroad. A German parent's EU-wide whistleblower hotline does not satisfy the Polish subsidiary's local obligation unless it meets all requirements of Polish law, including Polish-language access and a local procedure registered with the Państwowa Inspekcja Pracy (National Labour Inspectorate, PIP). Cross-border employers should review this carefully – a gap here precludes relying on the group structure as a defence.

  • Threshold: 50 or more workers (broad statutory definition)
  • Financial sector and public bodies: no minimum headcount
  • Deadline for compliance: the Act has been in force since September 2024
  • Penalty for non-compliance: up to PLN 60,000 per responsible manager
  • Group channels: satisfy Polish law only if fully compliant locally

We assisted a manufacturing client in the Mazowieckie region (autumn 2024) in recounting its workforce and identifying that its contractor pool pushed headcount above 50. The client established a compliant channel within six weeks, avoiding enforcement exposure.

What must the internal reporting channel actually contain?

Setting up a generic email inbox labelled "whistleblower" does not satisfy the Act. The channel must allow reporting in writing or orally (including by telephone), guarantee confidentiality of the reporter's identity, and provide an acknowledgement of receipt within seven days. The employer must then follow up with the reporter within three months, informing them of the action taken or planned.

The written internal procedure – which must be consulted with the trade union or employee representatives before adoption – needs to specify at minimum: the entities authorised to receive reports, the steps for verifying reports, the timeframes, and the anti-retaliation safeguards. This document must be made available to all workers before it takes effect. Skipping the consultation step invalidates the procedure and forfeits the employer's defence against retaliation claims.

Data protection is a parallel obligation. Reports constitute personal data of both the reporter and any named third party. The employer must prepare a Rejestr czynności przetwarzania (Record of Processing Activities) entry for the channel, set a retention period (no longer than five years after the case closes), and implement access controls. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) has signalled active interest in whistleblower data-handling practices.

Employment lawyers advising on employment law compliance for Spain companies in Poland frequently encounter the same gap: the channel exists technically, but the procedure is missing or was never consulted. That gap is the enforcement risk.

For employers managing mobile workforces or posted workers, the channel obligation follows the employment relationship. Guidance on related cross-border documentation is available in our note on posted workers from Czech Republic to Poland and A1 certificates.

What immediate action items should employers prioritise?

Three tasks are non-negotiable and time-sensitive. First, verify whether your headcount (using the statutory definition) crosses 50. Second, if it does, audit whether an existing channel meets all technical and procedural requirements – not just whether a channel exists. Third, confirm that the internal procedure has been formally consulted and adopted.

Beyond those three, employers should assign a named person or team responsible for receiving and handling reports. This role carries legal exposure: a person who deliberately obstructs a report or retaliates against a reporter faces criminal liability. Training that person – and line managers who may receive informal disclosures – is a practical priority, not a formality.

Foreign investors structuring their Polish operations should factor the whistleblower channel into their compliance setup from day one. Our note on the joint venture framework under Polish corporate law addresses how compliance obligations interact with governance structures in multi-entity arrangements.

We helped a logistics group in Silesia (spring 2025) implement a compliant channel across three Polish subsidiaries simultaneously, including coordinating with works councils and aligning data retention policies. The project took eight weeks from kickoff to final procedure adoption.

Employers holding work permit Poland obligations or managing EU Blue Card holders should note that the whistleblower channel obligation applies irrespective of workforce nationality. An employment lawyer Warsaw-based or otherwise will confirm that the Act draws no distinction based on the immigration status of workers covered.

The specific steps to address now:

  • Recount workforce using the statutory definition within 14 days
  • Audit existing channel against the seven-day acknowledgement and three-month follow-up requirements
  • Confirm the internal procedure was consulted with employee representatives
  • Update the GDPR Record of Processing Activities to include the channel

Specific circumstances at your company – workforce composition, existing group structures, or sector-specific rules – may alter the compliance path. Contact info@kordeckipartners.com for an assessment of your current channel setup and procedure documentation.

To receive an expert assessment of your whistleblower compliance position, contact info@kordeckipartners.com. Our team will review your channel, procedure, and data-handling arrangements and identify any gaps before an inspection does.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment law compliance, whistleblower channel implementation, and workforce management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.