The European Union has made the diagnosis that a significant problem occurring in many organisations is illegal, improper or unethical activities occurring within them. In order to minimise such phenomena, a set of regulations to counteract this has been published, in the form of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law (hereinafter: the ‘Whistleblowers Directive’).
The regulations contained therein introduce, so-called, ‘whistleblowing’, i.e. a broadly defined procedure for reporting such irregularities that have occurred or are occurring in a specific organisation, together with the regulation of data protection rules for persons (so-called ‘whistleblowers’) who have undertaken such reporting.
In other words, in companies, there are to be detailed processes in place for how potential whistleblowers can make such reports about potentially emerging irregularities and how their identity will be protected and possible discrimination counteracted. Obviously, this Directive not only regulates the need to implement such regulations in companies, but also requires public institutions to adapt to it, as the form of whistleblowing is divided into reporting within companies and external reporting directly to public institutions. These provisions are intended to lead to greater protection of the public interest.
Turning to the Directive itself, it points out that protection of whistleblowers should include, first and foremost, protection:
- in connection with notifications of irregularities under EU and national law. These include, in particular, legislation on money laundering, tax fraud, irregularities relating to public procurement, environmental protection or consumer law;
- against various forms of discrimination when such a notification is made;
- in terms of reporting both within the company itself and directly to public institutions;
- concerning not only employees, but also persons related to them.
Importantly, this Whistleblower Directive applies not only to public sector institutions and municipalities with a population of 10,000 or more, but also to all businesses with 50 or more employees.
In Poland, these EU regulations are to be implemented through the Act on the Protection of Whistleblowers. The deadline for their implementation has already passed on 17 December 2021, title of which Poland was even fined by the European Commission. Thus, there has been a significant legislative acceleration on this topic recently. This means that we can expect the legislation to be enacted on 28 July 2023 at the latest, i.e. in the last session of the Sejm before the parliamentary elections.
In the latest version of the draft of the aforementioned law:
- the subjective scope has been established, i.e. what a breach of the law is within the meaning of the Act has been defined, together with the areas to be affected;
- the subject scope has been established, i.e. the persons who may be affected by the provisions have been defined;
- the manner and scope of protection of whistleblowers (the law uses the name ‘notifier’) was established, together with the conditions they are obliged to meet in order to obtain such protection and possible compensation if they would be subject to the so-called ‘retaliatory actions’ described therein.
- the requirements for the implementation of, inter alia, the internal procedure for so-called internal notifications in entities with more than 50 employees or the procedure for so-called external notifications in public institutions, are described in detail.
In addition, penal provisions for persons and entities that do not comply with these provisions are also regulated.
With regard to the entry into force of this Act, it is specified that, as a general rule, it enters into force 2 months after the date of promulgation with the exception of a few provisions which enter into force on the day following promulgation.
This exception is, for example, the obligation to implement an internal procedure which, in theory, in view of the bill submitted, should already be in force in the company the day after its entry into force. However, the provisions on sanctions are deferred, so while such an obligation will occur, failure to comply with it will not entail any sanctions.
Nevertheless, in view of the imminent entry into force of the regulations in question implementing the Whistleblower Directive, we recommend that you promptly:
- carry out an audit of existing internal regulations on whistleblower protection in the company;
- prepare an internal procedure on whistleblower protection on the basis of the Whistleblower Protection Act;
- conduct training for employees on the procedure and the regulations in force in this area.