A German parent company centralises its compliance function in Frankfurt. Its Warsaw subsidiary handles Polish contracts, employs local staff, and processes personal data – yet runs on a policy framework drafted for a different legal system. The gap between group-level intent and Polish regulatory reality is where enforcement risk accumulates quietly, then surfaces all at once.

Designing a compliance programme for a Polish subsidiary requires mapping three overlapping layers: Polish corporate law obligations, EU-derived regulatory requirements now embedded in Polish statute, and group-level governance expectations. Polish law imposes specific duties on board members of limited liability companies (spółka z ograniczoną odpowiedzialnością, sp. z o.o.) and joint-stock companies (spółka akcyjna, S.A.) that cannot be discharged by a parent's global policy. A well-designed programme addresses each layer with jurisdiction-specific controls, documented procedures, and clear accountability lines.

This page sets out how KORDECKI & Partners approaches compliance programme design for subsidiaries operating in Poland. We cover the regulatory framework, core programme instruments, practical pitfalls, cross-border considerations, and a self-assessment checklist. Each section is written for in-house counsel, CFOs, and regional compliance officers who need actionable guidance rather than abstract principles.

What does Polish law actually require of a subsidiary's compliance programme?

Polish law does not prescribe a single compliance programme statute. Instead, obligations arise across several regimes, each carrying its own enforcement mechanism. The Kodeks spółek handlowych (Commercial Companies Code, KSH) imposes a duty of due care on board members, which courts interpret to include maintaining adequate internal controls. Failure to do so can trigger personal liability for directors – an irreversible consequence that group indemnities rarely neutralise in practice.

Three regulatory regimes demand immediate attention. The Polish Act on Counteracting Money Laundering and Terrorist Financing (AML Act) applies to a wide range of "obligated institutions," including financial intermediaries, real estate agents, and certain professional service providers. Non-compliant entities face administrative fines of up to PLN 5 million or twice the benefit obtained. The whistleblower protection regime, introduced by the Act of June 2024 implementing the EU Whistleblowing Directive, requires companies with 50 or more employees to maintain an internal reporting channel by the end of 2024. Subsidiaries that missed this deadline are already exposed.

The National Court Register (KRS) records the composition of management boards and supervisory boards. The Polish Financial Supervision Authority (KNF) oversees compliance obligations in regulated sectors. The Office for Personal Data Protection (UODO) enforces the General Data Protection Regulation (GDPR) as applied in Poland, with fines reaching EUR 20 million or 4% of global annual turnover. These three institutions between them cover most enforcement risk for a typical industrial or services subsidiary.

  • AML internal procedures – mandatory for obligated institutions, reviewed annually
  • Whistleblower channel – required for employers with 50+ employees
  • GDPR records of processing activities – mandatory regardless of company size
  • Anti-corruption policy – required for public procurement participants
  • ESG reporting obligations under the CSRD Poland timeline – applicable to larger entities

We helped a logistics subsidiary in Mazowieckie (spring 2025) identify that its group AML policy excluded Polish-specific customer due diligence requirements. Remediation took six weeks and avoided a KAS audit finding that would have triggered a formal investigation. The lesson: transposing a group policy verbatim into a Polish subsidiary context is not compliance – it is a documented gap.

How should the programme be structured for a Polish operating entity?

A compliance programme for a Polish subsidiary has four functional pillars: governance, risk assessment, controls, and monitoring. Each pillar must be grounded in Polish law, not merely consistent with it. The governance pillar begins with a formal compliance function assignment – either a dedicated compliance officer or a board member with explicit responsibility. Polish corporate legislation requires that accountability be traceable to a natural person.

Risk assessment is the most frequently underestimated pillar. A Polish subsidiary operating in construction, healthcare, or financial services faces sector-specific risks that a generic group matrix will not capture. The risk assessment should be documented, dated, and reviewed at least once every 12 months. It must cover bribery and corruption risk (relevant to public procurement under Polish public procurement law), AML exposure, data protection risk, and – for entities above the CSRD Poland threshold – ESG reporting obligations.

Controls translate risk findings into operational procedures. For a manufacturing subsidiary, this typically means a gifts and hospitality register, a third-party due diligence procedure for suppliers, and a conflicts-of-interest declaration process for board members. For a technology subsidiary, GDPR data processing agreements and an AI Act readiness review are now standard. The control set should be proportionate: a 60-person sp. z o.o. does not need the same infrastructure as a 2,000-person S.A., but both need documented controls that can be produced to a regulator within 48 hours.

Monitoring closes the loop. Internal audits, compliance reporting to the supervisory board, and annual policy reviews are the minimum. Whistleblower compliance requires a formal case management log and evidence that reports are investigated within the statutory 90-day response window. Any programme that lacks a monitoring mechanism is, in practice, a policy document rather than a compliance programme.

For a tailored strategy on compliance programme structure, reach out to info@kordeckipartners.com.

What are the most common pitfalls when adapting group policies to Poland?

The single most common pitfall is language. A compliance programme that exists only in English is unenforceable in Poland. Polish employment law requires that documents forming part of the employment relationship be provided in Polish. An employee disciplinary procedure based on an English-language code of conduct has been successfully challenged before Polish labour courts. The programme must be translated, not summarised.

The second pitfall is jurisdictional mismatch in the whistleblower channel. Several multinationals implemented a single EU-wide reporting hotline and assumed Polish requirements were satisfied. They were not. Polish law requires that the internal channel be accessible to employees, contractors, and suppliers, and that reports be handled by a designated, impartial person within the Polish entity. Routing all reports to a Frankfurt compliance team does not satisfy the Polish statute. The penalty for non-compliance is up to PLN 60,000 per violation – and the violation is ongoing until remediated.

Third: ignoring the AML dimension for non-financial subsidiaries. Many corporate groups assume AML is a bank problem. Under Polish law, the obligation extends to real estate transactions, certain leasing structures, and professional service providers. A subsidiary that occasionally facilitates property transactions for group companies may qualify as an obligated institution without realising it.

We assisted a technology group with a subsidiary in Małopolska (winter 2025) in restructuring its whistleblower channel after a labour inspection found the existing arrangement non-compliant. The investigation was closed within three months, but the reputational exposure during that period was significant. Speed of remediation matters – but prevention costs a fraction of the response.

  • Policies in English only – invalid under Polish employment law
  • Group whistleblower hotline without Polish-law-compliant local channel
  • AML scope underestimated for non-financial subsidiaries
  • No Polish-law governing clause in compliance procedures
  • GDPR records not updated after corporate restructurings

How do cross-border structures affect compliance programme design?

Cross-border structures create compliance friction at three points: data flows, anti-corruption obligations, and ESG reporting. For a subsidiary receiving personal data from a parent in a non-EU jurisdiction, Polish GDPR implementation requires documented transfer mechanisms – standard contractual clauses, adequacy decisions, or binding corporate rules. The UODO has issued enforcement decisions against Polish subsidiaries where the parent's data transfer mechanism was technically valid but not operationally implemented at the subsidiary level.

Anti-corruption compliance is particularly complex for subsidiaries with procurement authority. Polish anti-bribery law applies to conduct occurring in Poland regardless of where the parent is incorporated. A subsidiary that pays a facilitation payment to a Polish official – even under instruction from a parent in a jurisdiction where such payments are tolerated – faces criminal liability under Polish criminal law. Board members of the Polish entity bear personal exposure. That exposure cannot be contractually transferred to the parent.

ESG reporting adds a third dimension. Under CSRD Poland implementation, large Polish subsidiaries of EU parent companies may be required to produce standalone sustainability reports or contribute data to the parent's consolidated report under the European Sustainability Reporting Standards (ESRS). The first mandatory reporting period for large entities was 2024. Subsidiaries that have not yet mapped their ESRS data obligations are already behind the reporting cycle. For a detailed walkthrough, see our guide on ESRS implementation steps for Polish reporting entities.

For subsidiaries with operations in multiple Central European jurisdictions, the compliance programme design must account for divergent national implementations of the same EU directive. Our analysis of compliance programme design for subsidiaries in Hungary illustrates how even closely aligned legal systems produce materially different compliance obligations at the subsidiary level.

The corporate governance layer also intersects with compliance design. Subsidiaries that are parties to shareholder agreements or intragroup service contracts must ensure those arrangements do not inadvertently create conflicts with Polish regulatory obligations. Our corporate and M&A team regularly reviews these structures as part of programme design engagements. See our corporate and M&A practice page for the full scope of related services.

To receive an expert assessment of your subsidiary's cross-border compliance exposure, contact info@kordeckipartners.com.

What should a self-assessment checklist cover?

A self-assessment checklist is the fastest way for in-house counsel or a regional compliance officer to identify gaps before a regulator does. The checklist below reflects the minimum baseline for a Polish subsidiary with 50 or more employees. Smaller entities should treat it as an aspirational standard rather than a legal requirement. The 30-day remediation window that Polish labour inspection typically grants after a finding is not generous enough to build a programme from scratch.

  • Whistleblower channel operational, documented, and accessible to non-employees
  • AML scope assessment completed and obligated institution status confirmed or excluded
  • GDPR records of processing activities current and covering all intragroup data flows
  • Compliance policies available in Polish and signed by employees
  • CSRD Poland / ESRS reporting obligations mapped and data collection initiated

Beyond the checklist, three business scenarios illustrate where programmes typically break down. A manufacturing subsidiary with a procurement team faces the highest bribery and corruption risk: the checklist item to verify is whether the gifts register is actively used and whether procurement decisions above a defined threshold require dual authorisation. An IT subsidiary processing employee data across EU jurisdictions needs to confirm that data processing agreements with the Polish entity as processor are in place and that the local GDPR representative has been appointed. A foreign investor establishing a new sp. z o.o. should complete the compliance baseline within 90 days of registration in the KRS – not after the first audit.

The decision matrix is straightforward. A subsidiary with fewer than 50 employees and no AML exposure needs a GDPR procedure, an anti-corruption policy, and a conflicts-of-interest process. A subsidiary with 50 to 249 employees adds a whistleblower channel and an AML scope assessment. A subsidiary with 250 or more employees, or one that meets the CSRD Poland size thresholds, requires the full programme architecture described above, with board-level oversight and annual external review.

The specific situation of your subsidiary requires individual analysis. Generic checklists identify categories of risk; they do not quantify exposure or design controls. A gap left unaddressed for more than one reporting cycle precludes the "good faith effort" defence that regulators sometimes accept for first-time findings.

To discuss how a compliance programme applies to your subsidiary's specific situation, email info@kordeckipartners.com.

Frequently asked questions

Q: How long does it take to design and implement a compliance programme for a Polish subsidiary?

A: For a subsidiary with 50 to 200 employees and no regulated-sector activity, the design and implementation process typically takes between 8 and 12 weeks. This covers risk assessment, policy drafting in Polish, whistleblower channel setup, and staff training. Larger entities or those with AML obligations should budget 16 to 20 weeks. Costs vary with scope, but an initial gap assessment can usually be completed within two weeks of engagement.

Q: Does a group-level compliance programme satisfy Polish regulatory requirements?

A: This is the most common misconception. A group policy is a starting point, not a solution. Polish law requires that procedures be accessible in Polish, that the whistleblower channel be operated by a designated person within the Polish entity, and that AML procedures reflect Polish-specific customer due diligence requirements. A group policy that has not been localised does not satisfy these requirements, regardless of how thorough it is at the group level.

Q: What is the cost of non-compliance with the whistleblower protection Act in Poland?

A: Under the Polish Whistleblower Protection Act of June 2024, failure to establish a compliant internal reporting channel exposes the company to a fine of up to PLN 60,000 per violation. More significantly, individual managers who obstruct the reporting process or retaliate against whistleblowers face criminal liability, including imprisonment of up to 3 years. The reputational risk of a public enforcement action typically exceeds the direct financial penalty.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to compliance programme design, ESG reporting, and regulatory risk management. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.