A mid-sized logistics company operating across three Polish provinces discovered, in the spring of 2025, that none of its internal reporting channels met the requirements of the Ustawa o ochronie sygnalistów (Whistleblower Protection Act, WPA). The company had over 250 employees. It faced fines of up to PLN 40,000 per violation and potential personal liability for managers who had failed to implement the required procedures. The gap between what existed on paper and what the WPA demanded was significant.

Polish law requires every employer with 50 or more employees to establish an internal reporting channel and a formal whistleblower protection policy. The Whistleblower Protection Act, which implements EU Directive 2019/1937, sets a maximum 7-day acknowledgement period and a 3-month deadline for follow-up feedback to the reporting person. Failure to implement compliant procedures exposes both the company and its managers to criminal and administrative sanctions.

This case study traces how the logistics company resolved its compliance gap. It outlines the background, the strategic choices made during the drafting process, the implementation steps, and the lessons that apply to any employer now building or auditing a whistleblower policy in Poland.

What was the compliance gap, and why did it matter?

The company had an informal "open-door" reporting culture. It had no written procedure, no designated reporting channel, and no documented acknowledgement or feedback process. Under the WPA, this position was not compliant – and the company had been in breach since the Act's obligations for larger employers came into force. The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) had already begun spot checks in the sector.

The WPA covers a wide range of reportable areas: violations of labour law, tax law, anti-money laundering (AML) obligations, environmental rules, and financial services regulation. ESG reporting requirements under CSRD Poland had also raised the profile of whistleblower compliance across the logistics sector. Investors and auditors were asking for documented evidence of functioning internal channels. The reputational risk was real.

Three specific gaps required urgent attention. First, there was no channel that allowed anonymous reporting. Second, no person had been designated to receive and handle reports. Third, there was no policy prohibiting retaliation – which is a standalone criminal offence under Polish law, carrying a penalty of up to 3 years' imprisonment for the responsible manager.

  • No written reporting procedure or channel
  • No acknowledgement or feedback timeline in place
  • No anti-retaliation clause or disciplinary framework
  • No designated internal compliance contact

We were engaged in March 2025. The client needed a fully compliant policy within 30 days – before a scheduled audit by its German parent company. The stakes were clear. Failure to deliver would forfeit the audit sign-off and risk suspension of the group's ESG certification.

How did we approach the drafting strategy?

The drafting strategy rested on three decisions made at the outset. First, we recommended an internal channel rather than outsourcing to an external provider. The company had a compliance officer in place. An internal channel, properly structured, would be faster to implement and more credible to employees. Second, we built the policy around the WPA's mandatory minimum – then added optional provisions covering the company's specific risk areas, including AML and road transport regulation. Third, we drafted in parallel: the policy document, the channel procedure, and the employee communication template.

The policy had to satisfy the WPA's formal content requirements. These include: a description of the reporting channel, the identity or role of the designated recipient, the acknowledgement and feedback deadlines (7 days and 3 months respectively), a clear anti-retaliation statement, and a data protection notice compliant with the General Data Protection Regulation (GDPR). For a company with operations in Mazowieckie, Silesia, and Pomerania, the policy also had to address multi-site reporting logistics.

We cross-referenced the WPA requirements with the company's existing internal regulations. The works council (rada pracowników) had to be consulted before the policy could be adopted – a procedural step that many employers overlook. Consultation must last at least 5 days. We built this into the project timeline from day one. Our team secured works council sign-off within 8 days, allowing the policy to be formally adopted on schedule.

For clients with cross-border structures, the approach differs. A subsidiary of a foreign group may rely on a group-level reporting channel – but only if the channel meets Polish WPA requirements and is genuinely accessible to Polish employees. We have addressed this issue in detail in our guide on compliance programme design for Sweden subsidiaries in Poland.

What were the key process steps and outcomes?

Implementation followed a four-stage process. Stage one was the gap analysis: mapping existing procedures against WPA requirements and identifying every missing element. This took five working days. Stage two was drafting: producing the policy, the channel procedure, and the supporting documents. Stage three was consultation with the works council. Stage four was adoption, employee notification, and channel activation.

The company activated its internal reporting channel on 14 April 2025 – within 32 days of our engagement. The channel accepted both written and oral reports. Anonymous reporting was enabled through a dedicated email address accessible only to the designated compliance officer. The policy was published on the company's intranet and distributed to all employees in writing, satisfying the WPA's notification obligation.

We secured full audit sign-off from the German parent in late April 2025. The auditors confirmed that the policy met both WPA requirements and the group's internal ESG standards. This outcome protected the company's ESG certification and removed the risk of personal liability for the managing director – who had been personally identified as the responsible officer in the gap analysis.

A comparable outcome was achieved for a manufacturing client in Wielkopolska (summer 2025), where we drafted a whistleblower policy from scratch within 21 days to meet a banking covenant deadline. The lender had required documented whistleblower compliance as a condition of a EUR 4m credit facility renewal.

What lessons apply to every employer drafting a whistleblower policy?

The logistics case produced four transferable lessons. Each applies regardless of company size, sector, or ownership structure – provided the employer meets the 50-employee threshold under the WPA.

  • Start with the works council timeline. Consultation cannot be skipped or shortened below 5 days. Build it into the project plan from day one.
  • Designate a named or role-identified recipient. A generic "HR department" designation does not satisfy the WPA's requirement for a specific, identifiable contact.
  • Enable anonymous reporting. The WPA does not require anonymity, but failing to offer it undermines employee trust and reduces reporting rates.
  • Document every acknowledgement and feedback action. The 7-day and 3-month deadlines are enforceable. Missing them exposes the company to sanctions.

The Warsaw compliance law market has seen a sharp increase in WPA-related instructions since 2024. Many relate not to initial implementation but to policy audits – where companies discover that an existing policy is formally deficient. A policy that names no recipient, sets no deadlines, or omits the anti-retaliation clause is legally equivalent to having no policy at all. The WPA does not reward partial compliance.

For employers in regulated sectors – banking, insurance, investment firms – AML and financial services obligations add a further layer. The policy must address reporting of AML violations separately, with reference to the relevant supervisory body, the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF). Cross-border groups should also review our analysis of compliance programme design for Switzerland subsidiaries in Poland and our joint venture framework under Polish corporate law for related structural considerations.

The personal liability risk is the most underestimated element. Under the WPA, a manager who retaliates against a whistleblower – or who fails to implement the required procedures – faces criminal exposure. That risk is irreversible once a complaint is filed. Acting before a report arrives is always less costly than responding after one does.

Your company's specific situation – its size, sector, and ownership structure – determines which WPA requirements apply and how urgently. A gap that seems minor today can preclude audit sign-off, forfeit financing, or trigger personal liability tomorrow. To receive an expert assessment of your whistleblower compliance position, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the Whistleblower Protection Act apply to companies with fewer than 50 employees?

A: The WPA's internal reporting channel obligation applies to employers with 50 or more employees. Employers with between 50 and 249 employees may share a reporting channel with other entities in the same group. Employers below the 50-employee threshold are not required to establish an internal channel, but they remain subject to the WPA's anti-retaliation provisions and cannot lawfully penalise a person who makes a protected report.

Q: How long does it take to implement a compliant whistleblower policy?

A: Implementation typically takes between 3 and 6 weeks, depending on whether a works council consultation is required and how quickly internal stakeholders can review drafts. The works council consultation alone requires a minimum of 5 days. Companies facing an urgent deadline – such as an audit or a financing condition – should allow at least 3 weeks from the date of engagement to the date of policy adoption.

Q: Is a group-level whistleblower policy sufficient for a Polish subsidiary?

A: A group-level policy can satisfy Polish WPA requirements, but only if it meets all of the Act's formal content requirements and is genuinely accessible to Polish employees in Polish. Many group policies drafted to satisfy EU Directive 2019/1937 in another member state do not automatically meet Polish law requirements. A local legal review is advisable before relying on a group policy as the basis for Polish compliance.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower policy implementation, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.