Earlier this week (24 June), the Whistleblower Protection Act was published in the Journal of Laws. Companies have three months, i.e. until 24 September this year, to adapt their organisations to the new provisions. The Act requires companies to implement internal channels for processing whistleblower reports concerning work-related issues.
In addition, the Act provides the rules for reporting and disclosing information about violations of the law, whistleblower protection measures and the conditions under which a whistleblower is protected, as well as the tasks of public authorities in relation to receiving external reports and taking follow-up action.
The new provisions apply to all companies with more than 50 employees. This limit does not apply to entities in the financial, transport safety and environmental sectors, which are covered by the Act regardless of the number of persons providing work for them. All of these entities are required to establish reporting channels, while smaller companies with fewer than 50 people may choose to implement such channels.
Business that already have reporting channels in place should review their existing channels and internal procedure to adapt them to the new rules. A bigger challenge awaits those that have yet to implement internal whistleblowing channels. For them, the new regulations mean designing and appropriately positioning their notification channels, including designating who is responsible for handling and following up on notifications.
Each organisation should verify that it has sufficient human and technical resources to do so, guaranteeing the confidentiality of reports, and develop appropriate documentation. If the company does not have sufficient resources to receive whistleblower reports within its organisational structure, it may use the support of an external entity. It is important that all persons receiving whistleblowing reports have the appropriate authorisations (including for processing personal data) and that appropriate agreements, including confidentiality agreements, are in place with them.
Before announcing an internal procedure, regardless of whether the company already has a notification channel or is just implementing one, it will have to consult the internal notification procedure with the company's trade union organisation or employee representatives, and in the absence of such representation, it will have to select one. The consultation usually lasts between five and 10 days.
Subsequently, training should be provided to all employees for the notification channels to serve their purpose. This could be another challenge for many organisations, given the limited time frame.
The Act enters into force on 24 September 2024, except for the provisions on the responsibilities of the Ombudsman and the acceptance of external reports by public bodies, which take effect six months after the date of promulgation.
Failure to comply with the new regulations, including the timely implementation of procedures, can result in sanctions, including misdemeanour or criminal liability.