The draft act on whistle-blowers – basic concepts

The current draft act on the protection of persons reporting breaches of law (the so-called whistle-blower protection provisions) aims to implement the provisions of the Directive of the European Parliament and of the Council (EU) 2019/1937 of 23 October 2019 on the protection of persons who report breaches of Union law. The final date of entry into force of the already significantly delayed implementation of this directive is still unknown, and the draft has been amended several times. Nevertheless, the most important concepts concerning the protection of whistle-blowers are not expected to undergo any significant changes in relation to the current draft of this act.

Breach of law

The draft act on the protection of whistle-blowers defines a breach of law as an act or omission that is contrary to the law or intended to circumvent the law. A breach of law refers to several areas, including public procurement, services, products and financial markets, product safety and compliance with requirements, environmental protection, public health, consumer protection, privacy and personal data protection. Additionally, an employer or another legal entity may allow reporting of breaches concerning the internal regulations or ethical standards applicable in that legal entity, which have been established by the legal entity on the basis of generally applicable law and are consistent with it. As a result, the scope of application of these provisions is very broad, although the draft provides for exceptions when these provisions do not apply, for example in the case of information covered by the provisions on the protection of classified information, or secrets related to the exercise of medical and legal professions.

Whistle-blower protection

According to the draft law, almost anyone can be a whistle-blower. In particular, this can be an employee, a temporary worker, a person performing work on a basis other than an employment contract (e.g. on the basis of a civil law contract) as well as a shareholder, a partner, or an intern who reports or publicly discloses information about a breach of law obtained in a work-related context. The draft law also applies to a natural person who acquired information about a breach of law before entering into an employment or other legal relationship or after that relationship has ended.
A person who reports a breach is protected from retaliatory actions. The draft law defines retaliatory actions as direct or indirect actions or omissions in a work-related context, which are caused by the reporting or by public disclosure and which violate or may violate the rights of the reporter or cause or may cause unjustified harm to the reporter, including the unjustified initiation of proceedings against the reporter. In the case of employees, retaliatory actions may include, in particular: refusal to enter into an employment contract, termination or dissolution of the contract without notice; in the case of fixed-term contracts: failure to conclude a subsequent contract, lowering of remuneration for work, withholding promotion or being passed over for promotion, suspension of work duties, negative evaluation of work, or mobbing.
A whistle-blower who has been subjected to a retaliatory action has the right to compensation in full.

What does the internal procedure for reporting breaches contain?

The draft law regulates what the internal procedure for reporting breaches should contain.
The procedure should indicate an internal organisational unit or person within the organisational structure of the given entity or an external entity to receive the reports. Next, it should determine, among other things, the method of submitting the reports by the reporter (e.g. email address), an impartial internal unit or person who will take follow-up actions, the obligation to confirm receipt of the report, the obligation to take follow-up actions, the deadline for providing feedback to the reporter, not exceeding three months after confirmation of receipt of the report, and clear and easily accessible information on making external reports to public authorities. The procedure may also contain additional information, such as indicating the risk factors corresponding to the profile of the legal entity's activity that favour the possibility of certain breaches of law, especially related to the violation of regulatory obligations, other obligations specified in legal provisions or the risk of corruption.

Reporting breaches procedure – how to adopt it?

An entity for which at least 50 people work or provide services should adopt a procedure for reporting breaches. An entity that employs fewer than 50 people but carries out activities in the field of financial services, products and markets, as well as anti-money laundering and counter-terrorism financing, transport security and environmental protection, should implement the procedure regardless of the number of employees.
The internal procedure for reporting breaches should be adopted after consultations with the trade union organisation at the workplace, and if there are no unions in the given entity, with the representatives of the people providing work, selected in the manner adopted by the legal entity.
The draft law assumes that the consultations last no less than seven days and no longer than 14 days from the day of presenting the draft internal reporting procedure to the representatives of the people performing work. The procedure comes into force within 14 days of informing the people performing work about it.