Protecting whistleblowers. Continuation of legislative work and a new project
After several months, work on regulating a new set of obligations for entrepreneurs – the creation of an internal protection apparatus for so-called whistleblowers, i.e. individuals who report violations of law in enterprises and public entities – is back on the legislative track. By implementing an effective whistleblower procedure, these entities will have a chance to remedy violations internally without having to report them to the Ombudsman or a competent public authority.
Currently, Poland is already more than 6 months late with the implementation of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, so-called Whistleblowers Directive.
The first draft of a bill on the protection of persons who report breaches of law (so-called “whistleblowers”) was published as recently as last year. However, it did not go beyond the leading stage of legislative work and on April 12th 2022 a new draft regulation on the protection of whistleblowers was published. It extends the vacatio legis, which will be 2 months rather than 14 days. It also provides a month for the introduction of an appropriate whistleblowing procedure, which entrepreneurs will be entitled to, already after the law enters into force. However, as the preparation and implementation of such procedure requires proper organization, it is advisable to start preparing for this obligation now.
Obligation for a wider group of entities
The new version of the bill provides that the obligation to adopt and implement procedures for the protection of whistleblowers will be extended to legal entities (and not, as originally adopted, to “employers”) for which work is performed by at least 50 persons. However, for private entities (entrepreneurs) for which work is provided by between 50 and 249, the obligation to implement the procedures has been pushed back to December 17th, 2023. This means that the limits will include not only employees, but also persons who cooperate with the entrepreneur on the basis of a civil law agreement. This will expand the circle of entities that will meet the quantitative criterion provided for in the draft.
The limitation of the number of persons shall not apply to entities performing activities in the areas of financial services, products and markets, prevention of money laundering and terrorist financing, transport safety and environmental protection, which means that this group of entities will probably be treated, as far as obligations related to whistleblower protection are concerned, like companies with at least 250 collaborators or public entities with 50 collaborators. Both of these groups will therefore be affected by the new statutory requirements in the first place.
The obligation to adopt and implement whistleblower protection procedures will be extended to legal entities for which work is provided by at least 50 persons. With respect to businesses for which work is provided by between 50 and 249, the obligation to implement procedures has been pushed back until December 17, 2023. However, the limits will include not only employees but also persons who will be bound with the entity obliged to implement the procedure only by a civil law agreement.
Protection of whistleblowers
The purpose of the proposed regulations is invariably the protection of so-called whistleblowers, i.e. persons who signalize violations of law in various areas, including personal data protection, consumer protection, public procurement, prevention of money laundering, environmental protection, transport safety, security of networks and ICT systems. In principle, a whistleblower can be any person who in the course of their current or future activities related to their work, has become aware of irregularities occurring in the operation of an enterprise (as well as a public entity), such as an employee, former employee, trainee, intern, supplier, partner in a legal person, self-employed person, contractor, officer of relevant services or professional soldier.
The whistleblower may not be subjected to any negative consequences for disclosing such information, provided it is true. In the open catalog, the legislators provide an example of a list of prohibited behaviors (the so-called retaliatory actions) towards a whistleblower, including actions aimed at worsening work and pay conditions, as well as mobbing, discrimination, causing financial or intangible losses, or even damaging the reputation of a whistleblower, e.g. in social media. It is worth mentioning that the new bill prohibits not only the retaliatory actions themselves, but also any attempts or threats to use them.
Retaliation against a whistleblower will be punishable by a fine, restriction of freedom, or imprisonment for up to 2 years, but if the number of retaliatory actions exceeds 2, then the upper limit of imprisonment will increase to 3 years. Persons who attempt to thwart a whistleblower – including by threat, violence, or deceit – will have to reckon with a penalty of up to 2 years imprisonment. The whistleblower himself will be subject to a fine, restriction of liberty or imprisonment for up to three years if he knowingly reports or publicly discloses false information.
A legal entity (business enterprise, public entity) that will be required to put in place an internal procedure for reporting violations by whistleblowers also faces liability. The legislature provides for criminal liability in the form of a fine for failure to meet this obligation (or for introducing a procedure that does not comply with the requirements of the act).
Thus, one of the main goals of the new regulation is to ensure that the entities subject to the new obligations have efficient internal procedures that will, on the one hand, provide whistleblowers with an accessible mechanism for notifying violations and, on the other hand, guarantee that such notifications will be made without negative consequences.
What should the procedure be like?
When designing an internal whistleblowing procedure, an entrepreneur or public authority should take into account that the procedure:
- it does not have to and should not even be complicated – the draft act formulates a framework list of elements it must contain,
- should be universal and contain clear and legible rules for making notifications, including the methods for making notifications,
- it should provide whistleblowers with security consisting of:
– guarantee of confidentiality of the reporting person’s data,
– lack of negative consequences for submitting a report – protection against retaliation,
– responsiveness – an undertaking should entrust coordination to a person or entity (appointed within its own structure or as an external entity) that will observe the procedure and take actions specified in the procedure, as well as guard the observance of protection principles so that whistleblowers have confidence in the effectiveness of the procedure,
- is to guarantee transparency by, among other things, the obligation to keep a register of internal reports,
- should be a voluntary tool for the whistleblower – the whistleblower can immediately use the external whistleblowing channel (reporting to the Ombudsman or the relevant public authority)
- should be developed through dialogue – preparation of an internal whistleblowing procedure requires consultation (7-14 days) with the company’s trade union organization or, if the employer does not have a company’s trade union organization, with employee representatives selected in accordance with the procedure adopted by the employer.
Incentives can be used
Since whistleblowers can skip the internal channel and use the external channel (reporting violations directly to the Ombudsman or to the competent public authority), an effective internal whistleblowing procedure gives the company a chance to remedy violations internally. It is worth mentioning that the new draft act provides for the possibility of using incentives mechanisms for whistleblowers to use the internal procedure. Therefore, it is worth designing the procedure in a way that is as simple as possible, but at the same time well thought-out, to provide employees with a tool that they themselves will want to use.