A mid-sized logistics company operating in central Poland had employed over 250 people for three consecutive years. That threshold triggered a hard legal obligation under the Polish Whistleblower Protection Act – the employer had to introduce an internal reporting channel and a formal whistleblower policy. The company had no such document. Management assumed a brief HR notice would suffice. It would not.
Polish law on whistleblower protection, enacted to implement the EU Whistleblowing Directive, requires employers meeting the 50-employee threshold to establish a written internal reporting procedure, designate a responsible unit, and confirm receipt of reports within seven days. Failure to introduce the procedure at all is a criminal offence carrying a fine or restriction of liberty. The obligation applies to both Polish-owned businesses and foreign subsidiaries operating in Poland.
This case study traces how the logistics company identified its exposure, what a compliant policy actually requires, and what lessons apply to any employer drafting or reviewing a whistleblower protection policy in Poland today. The structure follows four stages: background, strategy, drafting process, and transferable lessons.
What was the company's actual exposure?
The logistics company had crossed the 250-employee threshold in 2022. The Whistleblower Protection Act entered into force for large employers in September 2024. By early 2025, the company still had no internal reporting channel. That gap carried direct criminal risk for the management board – not a regulatory fine assessed against the company, but personal criminal liability for individual board members. The irreversible consequence was a criminal record, not a correctable administrative penalty.
A preliminary review identified three compounding problems. First, the company's existing code of conduct contained a single paragraph on "reporting concerns" with no procedural detail. Second, the AML compliance function operated in a separate silo with no link to the new whistleblower framework. Third, the company's parent, registered in Germany, had assumed its group-level policy covered Polish subsidiaries. It did not – Polish law requires a locally applicable procedure in Polish, tailored to the employer's structure. Our team flagged this gap for a comparable manufacturer in Silesia (autumn 2024), securing a compliant procedure before a State Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) audit was announced.
The exposure checklist at this stage looked as follows:
- No written internal reporting procedure in Polish
- No designated unit or person responsible for receiving reports
- No seven-day acknowledgement process in place
- No anti-retaliation provisions communicated to staff
- No record-keeping system for submitted reports
What did a compliant policy actually require?
Polish whistleblower legislation sets out mandatory content for the internal reporting procedure. The document must name the unit authorised to receive reports, describe accepted reporting channels (written, oral, or both), confirm the seven-day acknowledgement deadline, and set a maximum three-month deadline for follow-up action. It must also specify the scope of reportable matters and the anti-retaliation protections available to the whistleblower.
The strategy chosen for the logistics company was a modular policy: a core procedure document supplemented by three operational annexes. The core document covered statutory requirements. Annex A addressed the AML reporting interface – because whistleblower reports touching on financial crime needed routing to the AML compliance officer without breaching the whistleblower's confidentiality. Annex B set out the internal investigation protocol triggered once a report was accepted. Annex C contained the record-keeping template required under Polish data protection rules enforced by the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO).
One design decision proved particularly important. The company initially wanted a single anonymous reporting inbox managed by HR. Legal advice was that anonymous reports are permitted but optional under Polish law – the procedure must accept identified reports and may additionally accept anonymous ones. Conflating the two would have left identified whistleblowers without the statutory protections they are entitled to claim. The final design separated the two channels entirely, with the anonymous channel routed to an external provider to preserve operational credibility.
For foreign investors, this is a recurring complexity. A compliance programme designed for a German or Czech subsidiary in Poland must address the local statutory content requirements rather than simply translating a group template. See our analysis of compliance programme design for Germany subsidiaries in Poland for the structural differences that commonly arise.
How did the drafting process unfold?
The drafting process ran over six weeks in three phases. Phase one – diagnostic – took ten days. The team reviewed the existing code of conduct, the AML policy, employment contracts, and the group-level whistleblower template from the German parent. The diagnostic produced a gap map with 14 items requiring action before a compliant procedure could be finalised.
Phase two – drafting – took three weeks. The core procedure was drafted in Polish with a parallel English translation for group reporting purposes. Each mandatory statutory element was flagged in the document margin so the company's legal team could verify coverage independently. The three operational annexes were drafted in parallel. The UODO data protection impact assessment (DPIA) was completed during this phase, covering the personal data processed when a report is submitted, stored, and investigated. Retaining report data beyond the statutory 15-month limit is a separate compliance risk that many employers overlook.
Phase three – consultation and adoption – took ten days. Under Polish law, the procedure must be consulted with employee representatives or a trade union (if one exists) before adoption. The consultation period is at least five days. The logistics company had no trade union, so consultation was conducted with elected employee representatives. The procedure was then adopted by management board resolution and communicated to all staff. The National Labour Inspectorate (Główny Inspektorat Pracy, GIP) has indicated it will treat the consultation record as primary evidence of procedural compliance during inspections.
The process also addressed a practical question that rarely appears in policy templates: what happens when a report concerns a board member? The procedure designated an external law firm as the fallback receiving unit in that scenario, removing the structural conflict that would otherwise arise. For businesses reviewing office infrastructure decisions in parallel, our note on office lease review for Poland tenants covers related governance considerations when restructuring legal and compliance functions.
What lessons transfer to other employers?
Four lessons from this matter apply broadly. First, the threshold question is binary. An employer with 50 or more employees in Poland is legally required to have a procedure. There is no grace period after the threshold is crossed. The criminal exposure falls on individual board members, not the company as an abstract entity – that personal liability dimension changes the risk calculus entirely.
Second, ESG reporting obligations under CSRD Poland requirements are converging with whistleblower compliance. Companies preparing their first sustainability reports under the Corporate Sustainability Reporting Directive will need to describe their internal reporting mechanisms. A policy drafted solely to satisfy the minimum statutory floor may not meet the disclosure standards expected in an ESG reporting context. Drafting with both audiences in mind from the outset saves significant rework.
Third, the AML interface matters. For employers subject to AML obligations – banks, payment institutions, certain professional service firms – the whistleblower channel and the AML suspicious transaction reporting channel serve different legal purposes and must be kept operationally distinct. Merging them creates both a compliance gap and a confidentiality risk. We assisted a financial services client in Małopolska (spring 2025) in separating previously merged channels without disrupting ongoing AML monitoring.
Fourth, the procedure is a living document. Polish whistleblower law requires the procedure to be reviewed when the employer's structure changes materially – for example, when headcount crosses a new threshold or when a new business unit is added. Treating the policy as a one-time deliverable, rather than part of an ongoing compliance programme, is the most common mistake employers make after adoption. For Czech-linked businesses operating in Poland, the interaction between local and group-level compliance frameworks raises comparable issues – see our guide on compliance programme design for Czech Republic subsidiaries in Poland.
A practical preparation checklist for employers beginning this process:
- Confirm employee headcount and applicable threshold date
- Map existing reporting channels and identify overlaps with AML or GDPR procedures
- Identify the responsible receiving unit and a fallback for board-level reports
- Prepare the DPIA before finalising the data retention schedule
- Document the employee consultation process with dated records
The specific facts of your company's situation – headcount, sector, group structure, existing compliance infrastructure – determine which elements require the most attention. Leaving the procedure undrafted forfeits the statutory protections available to the employer and exposes individual board members to criminal liability that cannot be reversed after the fact.
Frequently asked questions
Q: Does the 50-employee threshold count all workers or only those on employment contracts?
A: Polish whistleblower legislation counts persons performing work on any legal basis – employment contracts, civil law contracts, and agency arrangements all count toward the threshold. Employers who rely solely on headcount figures from HR payroll records may undercount their actual workforce. A full threshold assessment should cover all working arrangements before concluding no obligation exists.
Q: How long must reports and investigation records be retained?
A: The Whistleblower Protection Act sets a 15-month retention limit for reports and related documentation, running from the end of the calendar year in which the report was submitted or the internal procedure was concluded. Retaining data beyond that period without a separate legal basis creates a risk under data protection rules enforced by the Personal Data Protection Office. The DPIA should address this retention schedule explicitly.
Q: Is an anonymous reporting channel mandatory?
A: No. Polish law requires the internal procedure to accept identified reports. Accepting anonymous reports is permitted but optional. Many employers choose to offer both channels. If an anonymous channel is offered, the procedure must describe how it operates and confirm that anonymous reporters receive the same substantive protections as identified whistleblowers, to the extent their identity remains unknown.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, whistleblower policy design, and internal investigations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.