A mid-sized Warsaw logistics company received a letter from the State Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) in early 2026 advising that it had no functioning internal reporting channel. The company employed 68 people. Under Poland's Whistleblower Protection Act, that threshold triggers a mandatory compliance obligation. The board had assumed the law applied only to large corporations. That assumption cost the company a formal enforcement proceeding.

Poland's Whistleblower Protection Act – implementing EU Directive 2019/1937 – requires employers with 50 or more workers to establish an internal reporting channel and adopt a written whistleblower protection policy. The policy must cover the procedure for receiving reports, timelines for acknowledgement (within 7 days) and follow-up (within 3 months), and the scope of protected disclosures. Failure to comply exposes the employer to criminal liability and personal liability of board members for obstruction of lawful reporting.

This guide walks through the drafting process step by step. It covers the legal framework, mandatory policy elements, the most common drafting errors, and what three different business scenarios – a manufacturing plant, an IT company, and a foreign-owned subsidiary – need to address differently. A practical checklist and FAQ close the guide.

What does Polish law require employers to include in a whistleblower policy?

The Whistleblower Protection Act sets a binding minimum. Any policy that falls short of that minimum is treated as non-compliant, even if the employer acted in good faith. The State Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) and the Ombudsman (Rzecznik Praw Obywatelskich, RPO) share oversight responsibilities. The Office for Personal Data Protection (Urząd Ochrony Danych Osobowych, UODO) reviews data-processing aspects of reporting channels.

Every policy must identify the categories of breach that can be reported internally. The Act covers violations of Polish and EU law across a wide range of fields – public procurement, financial services, anti-money laundering (AML), product safety, environmental protection, and more. CSRD Poland requirements have pushed ESG reporting violations onto that list for larger entities. Employers may voluntarily extend coverage to internal code-of-conduct breaches, but the statutory categories cannot be narrowed.

The policy must also specify:

  • The designated channel (electronic form, dedicated email, phone line, or physical drop box);
  • The person or unit responsible for receiving and handling reports;
  • The 7-day acknowledgement deadline and the 3-month follow-up deadline;
  • Confidentiality safeguards for the reporter's identity;
  • A prohibition on retaliation, with examples of prohibited acts.

Employers with 50 to 249 workers may share a reporting channel with other companies in the same group, provided each entity retains its own policy document. That sharing arrangement must be recorded in writing. Employers above 249 employees must maintain a wholly independent channel. The distinction matters – a shared channel used without a formal agreement is treated as no channel at all.

One drafting trap is worth flagging early. The Act requires that the policy be agreed with employee representatives or a trade union before adoption. That consultation is not optional. Skipping it renders the policy procedurally defective. Allow at least 5 days for the consultation process, though unions may request up to 30 days in practice.

How should employers structure the internal reporting procedure?

A well-drafted procedure answers three questions for every report: who receives it, what happens next, and within what timeframe. The Act sets two hard deadlines – acknowledgement within 7 days of receipt, and a substantive response or update within 3 months. The employer may extend the 3-month period once, but must notify the reporter of the extension before the original deadline expires.

The receiving function should sit with a named individual or a small dedicated unit. Outsourcing to an external compliance lawyer in Warsaw or a specialist provider is permitted, but the employer remains legally responsible for meeting the statutory deadlines. Where the compliance function is internal, that person must have sufficient independence from line management to handle reports about senior staff without conflict of interest.

We secured a policy redesign for a manufacturing client in the Mazowieckie region (autumn 2025) after PIP flagged that its original procedure routed all reports to the HR director – who was herself named in two of the first three reports received. The redesigned procedure created an independent compliance officer role reporting directly to the supervisory board.

The procedure should also address anonymous reports explicitly. The Act does not require employers to accept anonymous disclosures, but many employers choose to do so. If anonymous reports are accepted, the policy must explain how the employer will communicate with an anonymous reporter – typically through a secure portal that assigns a reference code. Deciding in advance avoids ad hoc decisions under pressure.

Whistleblower compliance requires documenting every step. A register of reports – recording receipt date, acknowledgement date, actions taken, and closure date – is not expressly mandated by the Act, but it is the primary evidence an employer will rely on when PIP or a court asks whether the procedure was followed. Build the register into the policy from day one.
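To make the register and the two statutory deadlines concrete, here is an added Python example (it is not from the guide or the firm): one register row per report, the 7-day and 3-month deadlines computed from the receipt date, the single permitted extension accepted only when notified before the original deadline, and a check that lists any breach as of a given date. The reference code, the sample dates and the treatment of an extension notified on the deadline day itself as too late are assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

ACK_DAYS = 7          # acknowledgement within 7 days of receipt
FOLLOW_UP_MONTHS = 3  # substantive response or update within 3 months

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

@dataclass
class Report:
    # One row of the register: receipt, acknowledgement, actions taken, closure.
    ref: str                  # reference code handed to the (possibly anonymous) reporter
    received: date
    acknowledged: Optional[date] = None
    closed: Optional[date] = None
    extended_to: Optional[date] = None   # new deadline after the single permitted extension
    actions: list = field(default_factory=list)

    def ack_deadline(self) -> date:
        return self.received + timedelta(days=ACK_DAYS)

    def original_deadline(self) -> date:
        return add_months(self.received, FOLLOW_UP_MONTHS)

    def follow_up_deadline(self) -> date:
        return self.extended_to or self.original_deadline()

    def extend(self, notified_on: date, new_deadline: date) -> bool:
        """Only one extension, and only if the reporter is told before the original deadline."""
        original = self.original_deadline()
        if self.extended_to or notified_on >= original or new_deadline <= original:
            return False  # assumption: notice on the deadline day itself counts as too late
        self.extended_to = new_deadline
        self.actions.append(f"{notified_on.isoformat()} extension notified; new deadline {new_deadline.isoformat()}")
        return True

    def issues(self, as_of: date) -> list:
        """Deadline breaches visible on `as_of`; an empty list means the timelines were met."""
        found = []
        if (self.acknowledged or as_of) > self.ack_deadline():
            found.append("acknowledgement overdue" if self.acknowledged is None else "acknowledged late")
        if (self.closed or as_of) > self.follow_up_deadline():
            found.append("follow-up overdue" if self.closed is None else "closed after deadline")
        return found
```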

What retaliation protections must the policy address?

Retaliation protection is the core of the Act. A whistleblower who suffers a prohibited act – dismissal, demotion, salary reduction, harassment, negative performance review, or exclusion from training – is entitled to compensation of at least the minimum wage multiplied by 12 months (currently approximately PLN 50,400 annually). That floor applies regardless of actual loss. The employer bears the burden of proving that any adverse action was unconnected to the report.

The policy must list the forms of prohibited retaliation. A generic reference to "the Act" is insufficient. Drafters should reproduce the statutory list and add employer-specific examples. A technology company, for instance, should reference project exclusion and access revocation as forms of retaliation. A manufacturing plant should address shift reassignment and safety-role removal.

Our team obtained a settlement exceeding PLN 120,000 for a whistleblower in the Silesia region (spring 2026) whose employer had removed her from a senior compliance role within three weeks of her submitting an internal report about procurement irregularities. The employer's policy contained the right words but lacked any mechanism for tracking adverse actions against reporters after submission.

The policy should also cover third-party retaliation – retaliation directed not at the reporter personally, but at associates, family members, or colleagues who assisted with the report. The Act extends protection to facilitators and support persons. Employers often overlook this extension, creating a gap that litigants have exploited.

Personal liability of board members arises where retaliation is found to be deliberate and where management was aware of the reporter's status. That personal exposure – separate from the company's liability – is the driver that makes board-level buy-in to the policy essential. For context on how personal liability attaches to directors in Polish law, see the analysis of board liability for tax arrears under Polish law.

How do three business scenarios change the drafting approach?

The statutory minimum is the same for all employers above the 50-worker threshold. What differs is how the policy is structured in practice, what categories of breach are most relevant, and where the compliance infrastructure sits. Three scenarios illustrate the range.

Manufacturing plant (200 employees, single site). The primary risk areas are environmental compliance, product safety, and occupational health. The policy should name those categories explicitly and assign a dedicated compliance contact at plant level. The 3-month follow-up deadline is manageable with a single internal officer. The trade union consultation requirement is particularly significant here – unionised workforces often scrutinise policies closely, and a rushed consultation creates grounds for challenge later.

IT company (55 employees, remote-first). The company sits just above the threshold. A shared channel with a group entity is permissible if properly documented. The primary risk areas are data protection and financial services (if the company processes payments). The policy must address electronic reporting channels carefully – a standard email inbox without access controls does not meet the confidentiality requirement. A secure portal with restricted access and audit logs is the minimum viable solution.

Foreign-owned subsidiary (150 employees, German parent). The subsidiary must comply with Polish law independently, even if the parent has an EU-wide whistleblower programme. Group policies drafted to comply with German or Dutch law often miss Polish-specific requirements – particularly the consultation obligation and the register-keeping duty. For guidance on how compliance programmes for foreign-owned entities are structured, see compliance programme design for subsidiaries in Poland. ESG reporting obligations under CSRD Poland and the European Sustainability Reporting Standards (ESRS) also interact with whistleblower channels for entities above the CSRD threshold – for implementation steps, see ESRS implementation steps for Polish reporting entities.

All three scenarios share one common drafting requirement. The policy must be published internally before the channel goes live, and employees must be informed of its existence and content. A policy filed in the HR archive but never communicated to staff is treated, for enforcement purposes, as no policy at all.

What to prepare before drafting begins:

  • Headcount confirmation (to determine whether the 50 or 249 threshold applies);
  • Identification of employee representative bodies or trade unions for consultation;
  • A decision on channel type (in-house or outsourced, anonymous or identified);
  • A designated receiving function with confirmed independence from line management;
  • A data-processing impact assessment for the reporting channel (UODO requirement).

Employers that have not yet adopted a policy face criminal exposure for every day of non-compliance. Obstruction of the reporting procedure – including discouraging a potential reporter – carries a penalty of up to 3 years' imprisonment for the individual responsible.

Every compliance structure has specific gaps that only surface under scrutiny. A policy that looks complete on paper may leave the company exposed if the consultation record is missing or the channel fails a UODO data-audit. To receive an expert assessment of your current whistleblower policy or to commission a compliant draft, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the Whistleblower Protection Act apply to contractors and self-employed persons, or only to employees?

A: The Act extends protection to a wide category of persons, not just employees under an employment contract. Self-employed contractors, persons working on civil-law contracts, trainees, volunteers, and former employees who became aware of a breach during their engagement are all covered. The policy should reflect this scope explicitly – limiting the channel to "employees" in the narrow sense creates a compliance gap that PIP has already flagged in audits.

Q: How long does the full drafting and adoption process take, and what does it cost?

A: For a single-entity employer with no existing compliance infrastructure, a compliant policy can be drafted in 5 to 10 working days. The trade union or employee representative consultation adds up to 30 calendar days in the most complex cases. Legal fees for a standalone policy drafting engagement typically range from PLN 5,000 to PLN 15,000 depending on the size and complexity of the organisation. Integrating the policy into a broader compliance programme – including AML and ESG reporting elements – extends both the timeline and the cost.

Q: Can the employer investigate an anonymous report if the reporter's identity is unknown?

A: Yes. The Act does not require the employer to identify the reporter before conducting a follow-up investigation. The 3-month response deadline applies to anonymous reports in the same way as to identified ones. Where the employer cannot communicate a substantive response to an anonymous reporter (because there is no contact channel), it should document the investigation steps taken and close the report with a written record. That record is the employer's primary defence if the reporter later identifies themselves and challenges the adequacy of the follow-up.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower policy design, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.