On paper, drafting a whistleblower protection policy looks like a box-ticking exercise. In practice, Polish employers routinely underestimate the procedural steps, the consultation requirements, and the personal exposure that follows a gap in the internal reporting channel. A manufacturing company in Mazowieckie discovered this the hard way when a former employee filed a complaint with the State Labour Inspectorate – and the company had no documented procedure in place at all.

The Ustawa o ochronie sygnalistów (Whistleblower Protection Act, WPA) obliges Polish employers with 50 or more workers to establish an internal reporting channel and a written whistleblower protection policy. The deadline for compliance passed on 25 September 2024. Employers who have not yet implemented a compliant procedure face fines of up to PLN 1,000,000 and personal liability for managers who actively retaliate against reporters.

This guide walks through the full drafting process: who must comply, what the policy must contain, how to consult trade unions or employee representatives, what mistakes to avoid, and how three common business scenarios – a manufacturing group, an IT services company, and a foreign-owned subsidiary – each require a slightly different approach. The FAQ at the end addresses the questions we hear most often from clients.

Who must comply and when?

The WPA applies to any employer with 50 or more workers calculated on a headcount basis as of 1 January or 1 July of a given year. The threshold covers employees, contractors, and persons performing work under civil-law agreements. Employers in the financial services sector, including those supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF), must comply regardless of headcount. Public sector entities are also covered without exception.

The obligation to establish an internal reporting channel took effect on 25 September 2024. Employers who crossed the 50-worker threshold after that date must implement their procedure within 14 days of crossing it. This is a tight window. Employers relying on an existing anti-corruption or AML policy should not assume that document satisfies the WPA – the Act sets out specific mandatory content that generic compliance documents rarely include.

Failure to establish a procedure is a criminal offence under the WPA, not merely an administrative infraction. The penalty range reaches PLN 1,000,000. More significantly, the absence of a documented procedure is treated as evidence of bad faith in any subsequent retaliation claim. That evidentiary shift is largely irreversible once a complaint is filed. For employers with whistleblower compliance gaps, delay forfeits the procedural defences the Act otherwise provides.

  • Headcount threshold: 50 workers (employees + contractors)
  • Financial sector: must comply regardless of headcount
  • Deadline: 25 September 2024 (or 14 days after threshold is crossed)
  • Maximum fine: PLN 1,000,000
  • Retaliation prohibition: applies from the moment a report is made

What must a compliant policy contain?

The WPA defines the minimum content of both the internal reporting channel and the written procedure. An employer must specify: (1) the entity or function designated to receive reports, (2) the reporting methods available (written, oral, in-person), (3) the acknowledgement timeline of seven days, (4) the maximum follow-up period of three months, and (5) the confidentiality safeguards protecting the reporter's identity. Each of these elements must appear in writing – verbal commitments are insufficient.

The policy must also describe the feedback mechanism. Within seven days of receiving a report, the employer must confirm receipt to the reporter. Within three months, the employer must inform the reporter of the actions taken or planned. This feedback obligation is often overlooked. A Silesian logistics firm we assisted in winter 2025 had a reporting channel in place but no documented feedback process – a gap that exposed the company to a separate WPA infraction.

Beyond the statutory minimum, a well-drafted policy should address: the scope of reportable violations (which must include at least the areas listed in the WPA, such as financial services, environmental law, and public procurement), the prohibition on retaliation and its consequences, the process for handling anonymous reports if the employer chooses to accept them, and data retention rules under the Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR). The register of reports must be kept for a minimum of three years.

Employers subject to CSRD reporting obligations in Poland or ESG reporting frameworks should align the whistleblower policy with their broader governance disclosures. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) has issued guidance confirming that report registers are personal data records subject to full GDPR protection.

How does the consultation process work?

Before the policy takes effect, the employer must consult with either the company trade union or – where no union exists – with employee representatives elected for this purpose. The consultation period is a minimum of five days. The employer is not obliged to accept every proposed change, but must document the consultation and provide written reasons if suggestions are rejected. Skipping this step invalidates the procedure entirely.

The five-day minimum is a floor, not a target. Larger organisations with multiple trade unions or works councils should allow at least ten to fourteen days. Each union is entitled to submit its own opinion. Where opinions conflict, the employer must attempt to reconcile them before finalising the policy. This coordination is time-consuming and should be built into the project timeline from the outset.

Three practical points for the consultation phase. First, the draft circulated for consultation must already contain all mandatory content – sending a skeleton document and promising to add detail later is not compliant. Second, if employee representatives must be elected because no union exists, the election process itself takes time; budget at least two weeks before consultation can begin. Third, any amendment to the policy after initial adoption requires a fresh consultation cycle. This makes precision in the initial draft especially valuable.

For employers operating across borders, the consultation requirement applies at the Polish entity level. A foreign parent company's group-wide speak-up policy does not substitute for Polish consultation. For guidance on structuring compliance frameworks for subsidiaries, see our analysis of compliance programme design for Italy subsidiaries in Poland.

What are the three business scenarios?

Different employer profiles face different implementation challenges. Understanding where a business sits on this map determines how much time and resource the project will require.

Manufacturing group (Mazowieckie). A mid-sized manufacturer with 220 employees, two trade unions, and a production facility subject to environmental permit conditions. This employer must include environmental law violations in the reportable scope. The dual-union structure means parallel consultation tracks. Budget: four to six weeks from draft to adoption, plus a designated internal coordinator (typically the compliance or HR function). The reporting channel should accept both written and in-person reports to accommodate shift workers without regular computer access.

IT services company (Kraków). A 60-person software house with no trade union and a largely remote workforce. Employee representatives must be elected before consultation begins. The reporting channel can be fully digital. Anonymous reporting is commercially advisable here – the IT sector sees higher rates of reports involving intellectual property and data protection breaches. Budget: three to four weeks. The policy should cross-reference the company's existing GDPR and AML procedures to avoid overlap and contradiction.

Foreign-owned subsidiary (Lower Silesia). A German investor's Polish operating company with 80 employees and a parent-level code of conduct. The parent policy almost certainly does not satisfy Polish consultation requirements. A local Polish-language procedure must be drafted, consulted, and adopted separately. The subsidiary must also establish its own report register – the parent's register in Germany does not fulfil the three-year retention obligation under Polish law. For context on how foreign investment structures interact with Polish regulatory requirements, see our overview of foreign investment screening in Poland and UOKIK powers.

We secured a compliant policy adoption for a Lower Silesian manufacturing subsidiary of a Luxembourg-based group in spring 2025, completing consultation and registration within three weeks despite an existing group policy that required substantial localisation.

What mistakes should employers avoid?

The most common error is treating the whistleblower policy as a document project rather than a process project. The WPA does not require a long or complex document. It requires a procedure that actually functions: a designated recipient, a real acknowledgement mechanism, and a genuine feedback loop. A 20-page policy that no one has been trained to operate offers less protection than a four-page procedure with clear ownership and a tested inbox.

A second frequent mistake is ignoring the retaliation prohibition's reach. The WPA protects not just the reporter but also facilitators – colleagues who assisted in making the report. Retaliation against a facilitator triggers the same liability as retaliation against the reporter. Employers who narrow their anti-retaliation language to the primary reporter alone leave a significant gap. This gap precludes the good-faith defence in litigation.

A third mistake concerns the register of reports. Some employers maintain only a log of reports received. The WPA requires the register to contain the actions taken in response to each report. An incomplete register is treated as a failure to comply with the follow-up obligation. For employers with compliance programme obligations under Luxembourg or other group structures, see our article on compliance programme design for Luxembourg subsidiaries in Poland.

  • Designate a named function or individual to receive reports
  • Document the seven-day acknowledgement in writing
  • Record follow-up actions in the report register
  • Extend anti-retaliation protection to facilitators explicitly
  • Conduct a fresh consultation before amending the policy

Employers who have already adopted a policy should conduct an annual review. The WPA allows the Rzecznik Praw Obywatelskich (Commissioner for Human Rights, RPO) and the State Labour Inspectorate to audit internal procedures. An outdated or skeleton policy that does not reflect actual practice is worse than no policy in some enforcement scenarios – it suggests deliberate non-compliance rather than mere oversight.

A specific compliance engagement we handled in autumn 2025 involved an IT employer in Małopolska whose policy had been adopted without consultation. The policy was void. We managed a retroactive consultation process and re-adoption within four weeks, avoiding a formal Labour Inspectorate finding.

Employers considering whether their existing AML or ESG reporting framework already satisfies the WPA should test the document against five questions: Does it name a designated recipient? Does it specify a seven-day acknowledgement? Does it commit to a three-month feedback deadline? Does it protect facilitators? Does it describe the report register? If any answer is no, the existing document is not compliant.

Frequently asked questions

Q: Can an employer use a third-party reporting platform instead of an internal channel?

A: Yes. The WPA permits employers to use external service providers to operate the technical infrastructure of the reporting channel. However, the employer remains responsible for the procedure, the acknowledgement timeline, and the follow-up obligation. The provider must be bound by a data processing agreement under GDPR, and the report register must remain accessible to the employer for the three-year retention period. Outsourcing the platform does not outsource the compliance obligation.

Q: How long does the full implementation process take and what does it cost?

A: A straightforward implementation – single entity, no trade union, digital channel – typically takes three to four weeks from instruction to adoption. Where trade unions exist or employee representatives must be elected, allow six to eight weeks. Legal costs depend on complexity, but employers should budget for drafting, consultation support, and a brief training session for the designated recipient. Attempting to implement without legal support is possible for simple structures; for group structures or multi-union environments, professional input is strongly advisable.

Q: Does the WPA apply to reports made before the policy was adopted?

A: The retaliation prohibition under the WPA applies from the moment a qualifying report is made, regardless of whether the employer had a compliant procedure in place at that time. This is a common misconception. An employer cannot avoid liability for retaliation by pointing to the absence of a formal channel. The protection attaches to the act of reporting, not to the existence of an internal procedure. This means that even employers currently non-compliant must treat any report received as protected under the Act.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower policy implementation, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.