On paper, setting up a whistleblower channel sounds like a one-afternoon task. In practice, Polish employers who underestimated the requirements have faced enforcement proceedings, personal liability of managers, and – in the most serious cases – criminal sanctions. The Act on the Protection of Whistleblowers (ustawa o ochronie sygnalistów, the Whistleblower Act) is now fully in force, and the grace period for non-compliance is over.

The Whistleblower Act requires every employer with 50 or more employees to establish an internal reporting channel and adopt a reporting procedure. Employers in regulated sectors – financial services, public procurement, transport safety – must comply regardless of headcount. Failure to establish a compliant channel is a criminal offence carrying a fine, restriction of liberty, or imprisonment of up to 3 years for the person responsible.

This alert covers three things: what the law now requires, which employers are affected and when, and the concrete steps your organisation must take immediately. If you are already operating a channel, the checklist in the final section will help you confirm it meets the statutory standard.

What has changed and who is affected?

The Whistleblower Act transposed the EU Whistleblowing Directive into Polish law. It introduced mandatory internal reporting channels, anti-retaliation protections, and a new supervisory role for the Commissioner for Human Rights (Rzecznik Praw Obywatelskich, RPO). The Office for Personal Data Protection (Urząd Ochrony Danych Osobowych, UODO) oversees data-processing obligations tied to the channel. The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) may audit channel procedures during standard workplace inspections.

The headcount threshold is the first question every employer must answer. Employers with 50 or more employees must have a compliant channel in place now – there is no further transition period. Employers in financial services, public procurement, environmental protection, transport safety, food safety, and several other regulated sectors must comply regardless of whether they reach the 50-employee threshold. Local government units with fewer than 10,000 residents had a separate deadline; those units must also now comply.

The law counts employees broadly. Workers on fixed-term contracts, part-time employees, and – critically – persons performing work under civil-law contracts (umowy cywilnoprawne) count toward the threshold if the relationship is ongoing. An IT company with 30 permanent staff and 25 contractors on B2B agreements may well exceed 50 and not realise it. We helped a technology client in the Mazowieckie region (spring 2026) identify exactly this exposure and implement a compliant channel before a PIP audit was announced.

What must a compliant channel include?

A compliant internal reporting channel has three core components: a secure reporting mechanism, a written procedure, and an anti-retaliation framework. The reporting mechanism must allow reports in writing, verbally, or both. If verbal reporting is offered, the employer must either record the conversation (with the whistleblower's consent) or prepare a written transcript. The whistleblower must be able to verify and sign the transcript. Anonymous reporting is permitted but not mandatory.

The written procedure must specify at minimum: who receives reports, the 7-day acknowledgement deadline, the 3-month maximum for feedback to the whistleblower, and the scope of persons authorised to process report data. The employer must consult the company trade union on the procedure or, where no union exists, employee representatives elected for that purpose. Skipping consultation is itself a compliance failure – and one that invalidates the procedure.

Data protection is a live issue here. Reports contain personal data of both the whistleblower and the reported person. The channel must comply with GDPR as implemented in Poland; UODO has already issued guidance on retention periods and access controls. For a detailed view of how UODO enforces data-processing obligations in employment contexts, see our analysis of GDPR fines in Poland and UODO enforcement trends. Report data may not be retained for longer than 5 years after the end of the calendar year in which the follow-up action was completed.

The anti-retaliation framework must prohibit dismissal, demotion, salary reduction, negative performance reviews, and any other detrimental treatment of a whistleblower. The burden of proof shifts to the employer: if a whistleblower claims retaliation, the employer must demonstrate that the adverse action was taken for reasons entirely unrelated to the report. This reversal of burden is one of the most commercially significant features of the Act.

What action must employers take now?

Three immediate steps apply to every employer above the threshold. First, audit your workforce composition to confirm whether you meet the 50-employee count under the Act's broad definition. Second, if you have no channel, establish one within the shortest possible timeframe – the offence is already crystallised for employers who have not yet acted. Third, if you have a channel, verify it against the statutory checklist below.

What to prepare:

  • Written reporting procedure, consulted with trade union or employee representatives
  • Secure reporting mechanism (written, verbal, or both) with transcript or recording capability
  • Designated authorised person or team to receive and process reports
  • GDPR-compliant data processing records and a 5-year retention schedule
  • Anti-retaliation policy integrated into the employment regulations (regulamin pracy)

Cross-border employers face an additional layer. A foreign parent operating a Polish subsidiary cannot simply extend its group-wide channel and treat Polish compliance as satisfied. The Polish procedure must be adopted locally, consulted locally, and published in Polish. Employers posting workers to Poland or managing mobile EU workforces should also review obligations under posted workers rules and A1 certificate requirements, since whistleblower protections extend to posted workers performing work in Poland. For employers with operations across multiple EU jurisdictions, our employment practice covering France illustrates how multi-jurisdiction channel strategies can be structured efficiently.

We assisted a manufacturing client in Lower Silesia (autumn 2025) in restructuring a group-wide channel that had been implemented without local consultation. The corrected procedure was adopted within six weeks, avoiding a PIP finding of non-compliance that would have triggered a criminal referral against the HR director personally.

The criminal exposure is not theoretical. The person responsible for establishing the channel – typically the HR director, compliance officer, or a board member – faces personal liability. That liability is irreversible once enforcement proceedings begin. Acting before an inspection is the only way to eliminate it.

For a tailored assessment of your organisation's whistleblower channel compliance, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the 50-employee threshold apply to a group of companies or to each legal entity separately?

A: The threshold applies to each legal entity separately. A group with three Polish subsidiaries, each employing 30 people, does not automatically trigger the obligation at group level. However, employers in regulated sectors must comply regardless of headcount, and group-wide channels are permitted provided each Polish entity adopts its own locally consulted procedure.

Q: How long does it take to implement a compliant channel from scratch?

A: A realistic timeline is 4 to 8 weeks, depending on whether a trade union exists and how quickly employee representatives can be elected. The consultation process alone requires adequate time for representatives to review the draft procedure. Employers who attempt to compress this into a single week risk invalidating the consultation and, with it, the entire procedure.

Q: Can we use an external third-party platform for the reporting channel?

A: Yes. The Act permits outsourcing the technical channel to an external provider, including a law firm or a specialist platform. The employer remains legally responsible for the procedure, the follow-up process, and data protection compliance. The external provider must be bound by a GDPR data-processing agreement, and the identity of the authorised person handling reports must remain within the employer's control.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, whistleblower channel implementation, and workforce mobility. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.