Whistleblower protection directive in Q&A
What exactly is this Directive and why is everybody talking about it?
It is Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law („the Directive”), which has already entered into force. Now member states, including Poland, are obliged to transpose it to their national legal order.
What transposition stage is Poland in right now?
The Directive should be transposed by 17 December 2021 at the latest. The Ministry of Development, Labour and Technology is working on it.
At present, there is not even a draft law implementing the Directive. Although we cannot rule out that the implementation process will accelerate sometime soon, experience suggests that the Directive will be transposed to the Polish legal system either at the very last minute, which is on 17 December 2021, or just a moment before.
You can follow the progress of work here.
Will the new whistleblower protection obligations cover every employer?
The new whistleblower protection obligations will, in principle, cover all private and public sector employers. As an exception, Member States can exempt small employers with fewer than 50 employees from these duties. It will probably happen in Poland.
The largest employers with more than 249 workers are required to introduce whistleblowing procedures by 17 December 2021. Employers with 50 to 249 employees will have to comply with this obligation by 17 December 2023, unless otherwise decided by the Polish legislator.
However, we believe that even the smallest enterprises with less than 50 employees should consider introducing appropriate whistleblowing procedures. Why? Find out here.
Who is protected under the Directive?
The scope of the Directive is very broad. In principle, it aims to protect all employees, regardless of the basis for their legal relationship with the employer. The protection applies primarily to employees, but also to contractors (employed on a B2B basis), shareholders or partners, volunteers and trainees.
Moreover, the protection under the Directive should also cover candidates for employment as well as those who no longer work for the entity that use to employ them.
What are the conditions for granting whistleblower protection?
The Directive guarantees protection to whistleblowers on the following conditions:
- they had reasonable grounds to believe that the reported information was true at the time being;
- the reported breach falls within the ambit of the Directive; and
- the notification was made in compliance with the correct procedure.
It seems that the scope of the eligible notification issues should be broadened by the legislator to explicitly include matters related not only to workplace bullying, discrimination and harassment but also to bribery.
The protection will not apply to employees working in industries to which the Directive does not apply, such as the national security sector.
Can whistleblowers report also outside their organisation?
Yes, the Directive specifies three forms of whistleblowing:
- internal, which can be addressed to persons appointed to receive internal notifications
- external, which can be addressed to prescribed state authorities correct for the reported issue, e.g. UOKiK, KNF, PIP, CBA; and
- public, which can be addressed to other entities, which in practice means the media.
However, the Directive provides that whistleblowers should first report malpractice through internal channels, and use external channels only by way of exception. Public whistleblowing should be used only as a last resort when both internal and external channels have failed, or the case is very serious.
What can be reported?
The Directive sets out specific areas which may be subject to reporting. These include, but are not limited to: (i) public procurement; (ii) financial services, products and markets, as well as prevention of money laundering and terrorist financing; (iii) consumer protection, (iv) privacy and personal data protection, information systems and networks security.
Notably, matters related to workplace bullying, discrimination, harassment or bribery are not explicitly mentioned in the list. If Polish regulations will follow suit and not include those areas, we encourage you to incorporate them into your procedures anyway.
What are the most important obligations of employers concerning whistleblower protection?
First and foremost, employers should introduce internal reporting channels that ensure safety and anonymity, and encourage employees to use them before resorting to external reporting channels. Employers should also prohibit and strongly discourage any forms of retaliation against whistleblowers.
To encourage compliance with whistleblowing obligations, employers should actively carry out education policy and hold a dialogue with employee representatives and trade unions.
We recommend introducing internal acts, such as policies and codes of ethics, regulating the status of whistleblowers. It is not too early to consider appointing a body or persons responsible for investigating reports and for the overall whistleblowing management, such as a Compliance Officer.
How to establish internal whistleblowing channels?
Employers can either set up such channels themselves or outsource the task to a third party.
Legal entities in the private sector with 50 to 249 workers can share resources to manage together the whistleblowing reports and explanatory proceedings. This can prove to be very useful for capital groups consisting of several medium-sized companies, which can jointly handle whistleblower cases.
Law firms associated within the Littler network, including PCS Paruch Chruściel Schiffter | Littler Global, cooperate with WhistleB (provider of whistleblowing solutions) to relieve companies from the burden of developing their own reporting system.
Are employers with AML or industry-specific procedures in place exempt from the new obligations?
No, having such regulations in place does not remove the obligation to introduce a procedure that complies with the minimum requirements set out by the Directive. Some sectors, for example the banking sector, already have special provisions providing for a certain degree of whistleblower protection but they are not nearly as comprehensive as those under the Directive. Therefore, it will be necessary to review internal procedures and adapt them to the new provisions.
Can employers be fined for not establishing internal reporting channels?
The Directive does not explicitly stipulate any sanctions for failure to comply with this obligation. However, the Directive requires the Member States to provide for effective, proportionate and dissuasive sanctions against natural or legal persons who hinder or attempt to hinder reporting. The employer’s failure to put in place the required reporting channels may therefore be considered as obstruction of reporting and subject to sanctions.
Regardless of the above, we believe that an effective reporting system is not only an obligation but, above all, an opportunity for employers. It brings measurable benefits, including financial, image and organisational ones. Therefore, it is worth considering it not as yet another obligation imposed by law, but as an effective mechanism protecting employer interest.
Implementing whistleblower protection procedure in practice – what are the most common mistakes?
It often happens that existing procedures are not adjusted to the nature and type of the organisation they cover. For example, they provide for the reporting of breaches by company e-mail, while 70% of the workforce are production workers who do not have access to company e-mail.
We sometimes come across procedures written in convoluted legalese which renders them impossible to understand by an „ordinary” employee. As a result, those procedures exist only on paper and are not applied in practice. Therefore, the language of the procedures should be clear and concise.
Another major problem is the organisation culture. It often happens that whistleblowers are stigmatised as snitches. The best cure for that is to educate staff, for example through periodic training, to make them aware of how important and necessary it is to report every breach.
Finally, for the whistleblowing procedure to work, the employer must respond to every notification. The response may range from briefly acknowledging the receipt of the report as soon as it is received, to initiating explanatory proceedings and communicating the results to all parties involved. Potential whistleblowers need to be confident that their report will not go unnoticed.
WHISTLEBLOWER PROTECTION DIRECTIVE IN: