On paper, drafting a whistleblower protection policy looks like a documentation exercise. In practice, the Polish Act on the Protection of Whistleblowers – which transposed the EU Whistleblowing Directive into national law – imposes a layered set of obligations on employers: internal reporting channels, strict confidentiality rules, a prohibition on retaliation, and documented follow-up procedures. Employers who treat the policy as a formality risk fines, personal liability of managers, and reputational damage that cannot easily be undone.
Polish law requires every employer with 50 or more workers to establish an internal reporting channel and adopt a written whistleblower protection policy. The policy must be agreed with employee representatives and published at least seven days before it takes effect. Non-compliance exposes the company to criminal liability of up to PLN 1,080,000 and personal liability of the officers responsible for implementation.
This guide walks through each drafting step in sequence. It covers mandatory content, consultation requirements, the timeline for rollout, costs, the three most common drafting mistakes, and practical scenarios for manufacturing, IT, and foreign-investor entities operating in Poland. Where relevant, it flags how the policy intersects with CSRD Poland obligations and AML requirements.
What does Polish whistleblower law actually require employers to do?
The Act on the Protection of Whistleblowers, in force since September 2024, applies to any employer that employs 50 or more persons – counting employees, civil-law contractors, and trainees together. The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) supervises compliance for most private-sector employers. The Office of the Commissioner for Human Rights (Rzecznik Praw Obywatelskich, RPO) handles the external reporting channel at the national level. The Central Anti-Corruption Bureau (Centralne Biuro Antykorupcyjne, CBA) and the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) hold parallel supervisory roles in their respective sectors.
The law mandates three core deliverables. First, an internal reporting channel – a dedicated mechanism through which workers can report breaches of law. Second, a written internal reporting procedure that describes how reports are received, acknowledged, and followed up. Third, a register of internal reports, kept confidential and separate from personnel files. The procedure must be consulted with a trade union or, where none exists, with employee representatives elected specifically for this purpose.
The consultation window is a hard deadline. The employer must present the draft procedure to employee representatives and allow at least five days for their response. After consultation, the procedure may not take effect until seven days after it is published or otherwise made available to all workers. Miss either window and the procedure is legally defective – meaning the employer has no valid channel in place and is exposed to criminal liability from day one of the missed deadline.
- Threshold: 50 or more persons (including contractors and trainees)
- Consultation: minimum five days for employee representatives
- Publication gap: seven days before entry into force
- Report acknowledgement: within seven days of receipt
- Follow-up: substantive feedback to the whistleblower within three months
How should employers structure the internal reporting channel?
The channel is the operational core of the policy. It must allow reports to be submitted in writing or orally, and – if the whistleblower requests it – in person. The employer may designate an internal person or unit to manage the channel, or outsource reception and initial triage to an external provider. Either way, the person handling reports must be organisationally independent from line management in the reported area. This independence requirement is not symbolic; PIP inspectors check it directly during audits.
We secured a compliance audit outcome that avoided a PLN 500,000 fine for a logistics client in the Mazowieckie region (autumn 2025). The key issue was channel independence: the compliance officer had a dual reporting line to the CFO, who was the subject of one of the reports. Restructuring that reporting line – and documenting the change – resolved the regulator's concern within 30 days.
Three channel formats are common in practice. A dedicated email address is the lowest-cost option but carries confidentiality risks if the mailbox is accessible to IT administrators who are not authorised handlers. A web-based reporting platform – several SaaS solutions are available in Poland – offers better audit trails and can be configured for anonymous submissions. A physical hotline (telephone or in-person meeting room) satisfies the oral-report requirement directly. Many employers combine two formats: a digital platform for written reports and a scheduled slot with a designated compliance officer for oral reports.
For groups of companies, a shared channel is permissible for entities with between 50 and 249 employees. Entities with 250 or more employees must maintain their own dedicated channel. This distinction matters for foreign investors structuring Polish subsidiaries: a Warsaw-based subsidiary with 260 staff cannot rely on a group-level channel hosted abroad and must set up its own compliant infrastructure locally.
What must the written policy document contain?
The written procedure is the document most likely to be reviewed by PIP, an employment tribunal, or – in a retaliation dispute – a civil court. It must cover seven mandatory elements under Polish whistleblower law. Omitting even one element renders the procedure defective. The seven elements are: the designation of the authorised recipient of reports; the accepted reporting methods; the confidentiality rules protecting the whistleblower's identity; the prohibition on retaliation and the consequences of violating it; the acknowledgement and follow-up timeline; the rules for handling anonymous reports (the employer may, but is not required to, accept them); and the information on external reporting channels available to the whistleblower.
Confidentiality deserves special attention. The identity of the whistleblower may be disclosed only with their express consent, or where disclosure is required by law in the context of criminal proceedings. This rule applies not only to the name of the reporter but also to any information that could indirectly identify them – the combination of their department, role, and the period in which the report was made can be enough to unmask the person. The policy must therefore include data-minimisation rules for the report register.
The prohibition on retaliation is equally non-negotiable. The policy must list the specific forms of retaliation that are banned – dismissal, demotion, reduction of remuneration, negative performance review, harassment, and social ostracism are all expressly covered by the Act. It must also explain the reversal of the burden of proof: once a whistleblower claims retaliation, the employer must prove that the adverse action was taken for reasons wholly unrelated to the report. This is a significant litigation risk. A manufacturing client in Silesia faced a retaliation claim in early 2026; the absence of a documented, pre-existing performance improvement plan meant the employer could not discharge that burden.
The policy should also address the intersection with ESRS implementation steps for Polish reporting entities. Under CSRD Poland requirements, large undertakings subject to sustainability reporting must disclose whether they have a functioning whistleblower channel. A defective internal procedure therefore creates a dual exposure: criminal liability under the Whistleblower Act and a disclosure gap in the sustainability report.
What are the most common drafting mistakes – and how do you avoid them?
Three mistakes account for the majority of defective procedures encountered in practice. Each is avoidable with careful drafting, but each is also easy to miss when working from a generic template downloaded from the internet.
The first mistake is copying the statutory text without operational detail. The Act sets out minimum requirements; it does not tell you who in your organisation will receive reports at 11pm on a Friday, how the register will be stored, or what happens if the designated handler is on sick leave. A policy that simply restates the statutory obligations fails the "operational independence" test and leaves employees – and managers – with no practical guidance.
The second mistake is treating the consultation as a rubber stamp. Employee representatives have the right to submit comments within five days. If they do, the employer must either incorporate those comments or provide a written explanation of why they were rejected. Skipping this exchange – even informally – creates a procedural defect that can be used to challenge the validity of the entire procedure in later litigation.
The third mistake is failing to integrate the whistleblower policy with existing AML and data-protection frameworks. AML-obligated entities (banks, law firms, accountants, real estate agents) already operate internal reporting systems under anti-money-laundering law. The whistleblower channel must be distinct from the AML reporting line, but the two systems must be designed so that a report submitted to the wrong channel is not simply discarded. Similarly, the personal data of the whistleblower and the reported person are processed under separate legal bases; the RODO (General Data Protection Regulation, GDPR) records of processing activities must reflect both. For foreign investors managing cross-border compliance, the interaction between Polish whistleblower law and the EU's compliance programme design for Czech Republic subsidiaries is a useful reference point for multi-jurisdictional alignment.
A self-assessment checklist before finalising the policy:
- Has the draft been presented to employee representatives with a documented five-day window?
- Does the procedure name a specific, independent person or unit as the authorised handler?
- Does the register design include data-minimisation rules that protect indirect identifiers?
- Is the prohibition on retaliation accompanied by a burden-of-proof explanation for managers?
- Has the procedure been cross-checked against the company's GDPR records of processing activities?
For companies with tax-related compliance obligations, the whistleblower channel may also receive reports touching on transfer pricing or VAT irregularities. Coordinating the response procedure with the firm's tax function – and understanding how those reports interact with KAS (National Revenue Administration) audit risk – is a step that many employers overlook. The firm's tax practice in Poland can assist with that coordination.
The same requirements play out differently across business types. An IT company with 55 employees and a flat management structure may find that the only person sufficiently independent to handle reports is an external ombudsman – a legitimate and increasingly common solution. A manufacturing plant with 800 workers and multiple shifts needs an oral-reporting slot that is genuinely accessible at shift-change times, not only during office hours. A foreign investor establishing a new Polish subsidiary should build the channel into the HR and compliance infrastructure during incorporation, rather than retrofitting it after the entity crosses the 50-person threshold – because the obligation attaches from the first day the threshold is met, not from the next reporting period.
Frequently asked questions
Q: Does the Polish Whistleblower Act apply to companies with fewer than 50 employees?
A: The obligation to establish an internal reporting channel applies only to employers with 50 or more persons. However, employers in certain regulated sectors – financial services, AML-obligated entities, and public procurement contracting authorities – are subject to whistleblower obligations regardless of headcount. All employers, regardless of size, are prohibited from retaliating against a person who makes a report, even if no formal channel exists.
Q: How long does it take to implement a compliant whistleblower policy from scratch?
A: A realistic timeline for a medium-sized employer is four to six weeks. This includes drafting the procedure (one to two weeks), conducting the employee-representative consultation (minimum five days), publishing the procedure, and waiting the mandatory seven days before it takes effect. Technology setup – configuring a reporting platform or designating a secure email address – can run in parallel. Employers that underestimate the consultation step often find themselves restarting the clock after representatives raise substantive objections.
Q: Is it a common misconception that anonymous reports can be ignored?
A: Yes. Many employers assume that because the Act does not require them to accept anonymous reports, they can adopt a blanket policy of disregarding them. This is legally permissible in the narrow sense – the employer may state in its procedure that anonymous reports will not be processed. However, if an anonymous report later turns out to describe a genuine breach, and the employer took no steps to investigate it, this can be used as evidence of bad faith in subsequent regulatory or civil proceedings. Best practice is to assess each anonymous report on its merits and document the decision-making process.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower programme design, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating compliance obligations under the Whistleblower Act, CSRD, and related frameworks. To discuss your situation, contact info@kordeckipartners.com.
Anna Witkowska specialises in compliance, ESG, and internal investigations.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.