A mid-sized logistics company operating from Warsaw receives an anonymous tip that a procurement manager has been accepting kickbacks from suppliers. The company has no internal reporting channel, no written procedure, and no designated person to handle the complaint. Under Polish law, that gap is not merely an administrative oversight – it is a direct breach of the Whistleblower Protection Act, which entered into force in September 2024 and imposed mandatory channel obligations on employers meeting the relevant thresholds.

Polish law requires employers with 50 or more employees to establish an internal whistleblower reporting channel and adopt a written reporting procedure. The obligation flows from the Ustawa o ochronie sygnalistów (Whistleblower Protection Act, WPA), which transposed EU Directive 2019/1937 into Polish law. Failure to implement a compliant channel by the statutory deadline exposes the employer – and individual managers – to criminal liability and forfeits the procedural protections the law otherwise extends to the organisation.

This guide covers the full compliance cycle: who must act, what the channel must contain, where employers typically go wrong, how cross-border structures complicate the picture, and what a self-assessment checklist looks like in practice. Each section opens with the direct answer, then works through the detail.

Who must set up a whistleblower channel under Polish law?

The WPA draws the primary threshold at 50 employees. Any private-sector employer reaching that headcount on a rolling basis must establish an internal reporting channel. Public-sector entities face the obligation regardless of size. Employers in financial services, anti-money-laundering-regulated sectors, and public procurement are subject to the obligation even if they fall below 50 employees – the law mirrors the tiered approach of the EU Directive. The deadline for compliance has already passed, so any employer still without a channel is currently in breach.

Calculating the headcount matters. The WPA counts all persons performing work on a basis other than a civil-law contract – so full-time employees, part-time employees, and workers on employment contracts count toward the threshold. Contractors engaged under umowy zlecenia (mandate contracts) or umowy o dzieło (specific-task contracts) do not count unless they work in a manner that resembles employment. Groups of companies present a separate question: each legal entity counts its own headcount independently. A holding structure with a 30-person parent and a 40-person subsidiary does not automatically trigger the obligation at either entity – but both entities must still run the analysis.

The National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) is the primary enforcement body for workplace compliance obligations under the WPA. The National Court Register (Krajowy Rejestr Sądowy, KRS) reflects the legal entity structure relevant to headcount analysis. Employers regulated by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) face parallel obligations under financial-sector rules that may require a separate or enhanced channel.

One common misconception is that a group-wide channel operated by a foreign parent satisfies the Polish obligation. It does not, unless the channel meets every WPA requirement and is formally designated as the internal channel for the Polish entity. We assisted a manufacturing client in the Mazowieckie region (autumn 2025) in restructuring a group-wide reporting tool into a WPA-compliant local channel – avoiding a PIP enforcement action that had already been signalled.

The practical takeaway: run the headcount test now, map the legal entities, and do not assume a group solution covers the Polish subsidiary without a formal compliance review.

What must a compliant whistleblower channel contain?

A compliant channel has three core elements: a secure reporting mechanism, a written internal procedure, and a designated person or unit to handle reports. The WPA requires acknowledgement of receipt within 7 days and a substantive follow-up response within 3 months. Missing either deadline is a standalone compliance failure – independent of whether the underlying report had merit.

The reporting mechanism can be digital, paper-based, telephone-based, or a combination. What matters is that it allows anonymous submission if the reporter chooses anonymity, and that it prevents access by persons not authorised to handle reports. Many employers use third-party SaaS platforms. Those platforms must comply with the Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR) and must not route data outside the European Economic Area without adequate safeguards. A channel that technically works but stores data on servers outside the EEA without standard contractual clauses is non-compliant on two fronts simultaneously.

The written procedure must be consulted with the workplace trade union or, in the absence of a union, with employee representatives. The consultation period is at least 5 days. Employers sometimes skip this step on the assumption that the procedure is a unilateral management decision. It is not. A procedure adopted without the required consultation has no legal effect – which means the channel formally exists but the procedure underpinning it is void.

  • Secure submission mechanism (anonymous option mandatory)
  • Written procedure consulted with employee representatives (5-day minimum)
  • Designated handler – a natural person or internal unit
  • Acknowledgement within 7 days, substantive response within 3 months
  • GDPR-compliant data storage for report records

The designated handler is worth particular attention. The WPA permits outsourcing this function to an external provider – a law firm, compliance officer, or specialist service. Outsourcing does not relieve the employer of liability, but it does solve the practical problem of small compliance teams that cannot credibly handle reports about senior management. For employers with fewer than 250 employees, sharing a channel with other group entities is permitted, provided each entity's procedure remains separate and clearly identifies the shared handler.

Where do employers most often go wrong?

Implementation failures cluster around four recurring patterns. Each pattern carries a different risk profile. Understanding the pattern is the first step to avoiding the irreversible consequence – criminal liability for the employer's management board members who were responsible for the breach.

The first pattern is the phantom channel: a reporting email address or a generic "contact us" form that was never designated as a WPA channel, never covered by a written procedure, and never communicated to employees. The WPA requires active communication – employees must be informed about the channel's existence, the procedure, and the protections available to them. An unreachable or unmarked channel satisfies none of those requirements.

The second pattern is the incomplete procedure. Many employers adopt a procedure that covers the reporting mechanism but omits the follow-up timeline, the anti-retaliation provisions, or the register of reports. The WPA requires a register of internal reports to be maintained for 5 years. Failure to maintain the register is a separate criminal offence under the Act, carrying a fine of up to PLN 1,080,000 for the legal entity and personal criminal liability for the responsible individual.

The third pattern is the retaliation gap. The WPA prohibits a defined list of retaliatory measures: dismissal, demotion, salary reduction, negative performance review, exclusion from training, and more. Employers sometimes implement the channel but fail to update their HR policies to reflect these prohibitions. When a whistleblower is subsequently dismissed – even for ostensibly legitimate reasons – the employer bears the burden of proving the dismissal was unrelated to the report. That reversal of the burden of proof catches many employers off guard.

The fourth pattern is the data-handling failure. Reports contain personal data about both the reporter and the reported person. The WPA restricts who may access report data, for how long, and for what purpose. Feeding report data into a general HR system, sharing it with line managers who are not authorised handlers, or retaining it beyond the 5-year limit are all GDPR violations layered on top of WPA violations.

Your channel is only as strong as the procedure behind it. A technically functional reporting tool with a void procedure or missing register is still a compliance failure.

How do cross-border structures complicate compliance?

For a foreign investor entering the Polish market – whether through a subsidiary, a branch, or a posted-worker arrangement – the WPA adds a layer that is easy to overlook in the initial setup phase. The parent company's group-wide channel may satisfy the requirements of the EU Directive in its home jurisdiction without satisfying the specific Polish transposition requirements. The differences are not cosmetic.

Poland's WPA imposes obligations that go beyond the minimum Directive standard in several respects. The list of protected reporting subjects includes not only EU law violations but also Polish domestic law violations across a broad range of areas: labour law, tax law, environmental law, consumer protection, and anti-corruption rules. A channel designed to capture only EU-law violations – which is the minimum required by the Directive – will miss a significant portion of the reports that Polish law protects.

Foreign employers with Polish subsidiaries also face the employee-representative consultation requirement. If the Polish entity has a trade union, the procedure must be agreed with that union. If the Polish entity has a works council (rada pracowników), the council must be consulted. A procedure adopted at group level by the foreign parent, without local consultation in Poland, does not satisfy this requirement. For employers with operations in multiple EU member states, this means running parallel consultation processes – each governed by national law.

We obtained a compliance clearance for a German investor's Polish subsidiary in Lower Silesia (winter 2025), adapting a group-wide channel to meet WPA requirements including local consultation, Polish-language procedure documentation, and a GDPR-compliant data processing addendum with the external platform provider.

For employers with posted workers moving between jurisdictions, understanding the interaction between local whistleblower obligations and cross-border employment structures is essential. Our insight on posted workers from Cyprus to Poland and A1 certificates addresses the employment-law baseline that sits beneath the WPA obligations. Similarly, employers expanding into Poland from Slovakia will find the compliance considerations mapped in our note on employment law compliance for Slovakia companies in Poland.

Cross-border M&A adds another dimension. An acquirer conducting due diligence on a Polish target should verify whether the target's WPA channel is compliant. A missing or defective channel is a contingent liability that transfers with the acquisition. For context on how regulatory thresholds interact with acquisition planning in Poland, see our analysis of UOKiK merger control thresholds and timeline.

What does a self-assessment checklist look like?

Before engaging external counsel, employers can run a rapid internal check. The checklist below covers the minimum requirements. If any item is marked "no" or "uncertain," that gap represents a current compliance failure – not a future risk. The WPA is already in force. Every day without a compliant channel is a day of ongoing breach, and personal criminal liability for board members accrues from the date the obligation arose, not from the date of enforcement action.

  • Headcount confirmed at 50+ employees (or regulated-sector threshold applies)
  • Internal reporting channel established and communicated to all employees
  • Written procedure adopted after consultation with employee representatives
  • Designated handler identified (internal or outsourced) with documented mandate
  • 7-day acknowledgement and 3-month response timelines built into the process

Beyond the checklist, three business scenarios illustrate where the gaps typically appear. A manufacturing employer with 80 employees in Silesia may have a channel but no register of reports – a criminal-liability exposure of up to PLN 1,080,000. An IT company with 55 employees and a remote-first model may have a digital channel that routes data through a US-based server without standard contractual clauses – a simultaneous WPA and GDPR failure. A foreign investor's 60-person Polish subsidiary may rely on a group-wide channel that covers EU-law violations only – missing the broader Polish domestic law scope required by the WPA.

The decision matrix is straightforward. Employers below 50 employees in unregulated sectors should still consider a voluntary channel – the WPA's anti-retaliation protections apply to any report made in good faith, regardless of whether a channel was legally required. Employers at or above 50 employees must act immediately. Employers in regulated sectors must act regardless of headcount. In all cases, the cost of implementation – typically between PLN 8,000 and PLN 30,000 for legal and technical setup – is a fraction of the PLN 1,080,000 fine exposure, let alone the criminal liability risk for individual board members.

Your specific situation may involve a combination of these factors. A gap in any one element – procedure, handler, register, communication, GDPR compliance – precludes the full protection the WPA offers to compliant employers. That is not a theoretical risk. It is an immediate, measurable exposure.

If your company has 50 or more employees and has not yet implemented a WPA-compliant channel – or is uncertain whether its current setup meets the standard – we will conduct a compliance audit, draft the written procedure, manage the employee-representative consultation, and configure the handler mandate: contact info@kordeckipartners.com.

Frequently asked questions

Q: Does a small subsidiary of a large foreign group need its own Polish channel, or can it rely on the group's global tool?

A: Each Polish legal entity must satisfy the Whistleblower Protection Act independently. A group-wide tool can serve as the technical platform for the Polish channel, but it must meet every Polish-law requirement: the written procedure must be consulted with Polish employee representatives, the scope must cover Polish domestic law violations (not only EU-law violations), and the data processing arrangements must comply with Polish GDPR implementation. Simply pointing employees to a parent-company portal does not satisfy the obligation. A formal designation and a Polish-law procedure are always required.

Q: How long does it take to implement a compliant channel, and what does it cost?

A: From instruction to go-live, a straightforward implementation takes between 3 and 6 weeks. The main time driver is the employee-representative consultation, which requires a minimum 5-day period but in practice often takes 2 to 3 weeks when union negotiations are involved. Legal and technical setup costs typically range from PLN 8,000 to PLN 30,000, depending on employer size, the complexity of the group structure, and whether the handler function is outsourced. Ongoing maintenance – updating the procedure, managing the report register, handling annual reviews – adds a smaller recurring cost.

Q: What is the most common misconception employers have about whistleblower protection?

A: The most frequent misconception is that the Whistleblower Protection Act only protects employees who report fraud or corruption. In fact, the Act protects any person who reports a violation of Polish law or EU law in a work-related context – including contractors, trainees, former employees, and job applicants. The protection applies from the moment the report is made, not from the moment it is verified. An employer who takes any adverse action against a reporter – even before the report is investigated – may face criminal liability and a reversal of the burden of proof in any subsequent employment dispute.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to employment compliance, whistleblower channel setup, and workforce regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.