Procedure for internal reporting in light of the draft whistleblower protection bill
The draft bill on the protection of whistleblowers, published on 17 April 2024, intended to implement Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of whistleblowers, provides detailed guidelines on requirements that obliged employers must meet in establishing internal reporting procedures.
How to establish the procedure
An entity obliged to establish an internal reporting procedure, or an entity that wishes to introduce such a procedure, although not subject to this requirement, must undertake consultations with:
- trade unions operating at the establishment; or
- representatives of the workforce, selected in accordance with the usual procedure at the entity, if it has no establishment trade union.
The consultations start with the employer submitting a draft of the internal reporting procedure to one of the above employee representatives. The consultations should last at least 5 and not longer than 10 days. It is worth noting that the consultation requirement is not tantamount to having to reach an agreement. It should be interpreted as meaning that during the consultations the employees’ side has an opportunity to raise comments and objections and to express its opinion, but this opinion will not be binding on the employer.
Once the consultations have been completed, the employer should make the procedure known to the workforce, in the way that is accepted at the establishment. The procedure will enter into force 7 days after the date of its announcement. In addition, the entity that has adopted an internal reporting procedure should, in each case, inform the persons with whom it has started contractual negotiations or whom it has included in a process of recruitment.
What should the internal reporting procedure specify?
According to the published draft bill, the procedure for internal reporting will have to specify:
- (a) a person (e.g. a specific HR employee) or an organisational unit (e.g. HR department) within the employer’s structure or an external entity authorised to receive internal reports,
- (b) how whistleblowers may communicate internal reports, together with their correspondence or e-mail address,
- (c) an impartial person or organisational unit within the employer’s structure with the authority to undertake follow-up actions, including verification of a report and further communications with the whistleblower, and among others, requesting additional information and providing feedback to the whistleblower (this may be the same person/unit as in (a), as long as they meet the impartiality requirement),
- (d) a procedure for dealing with anonymous reports,
- (e) an obligation to acknowledge the receipt of the report to the whistleblower within 7 days of receiving it, unless the whistleblower has not provided a contact address,
- (f) the obligation of the organisational unit or person referred to in (c) to take follow-up steps with due diligence,
- (g) a maximum deadline for providing feedback to the whistleblower, of not more than 3 months from the date of acknowledging receipt of a report, or 7 days from the date of submitting a report (if no acknowledgement of receipt was issued in the case of an anonymous report), unless the whistleblower has not provided a contact address,
- (h) comprehensible and easily accessible information on how to submit external reports to the Polish Commissioner for Human Rights (RPO) or public authorities and EU institutions.
Optionally, the internal reporting procedure may also set out a list of violations associated with the employer’s internal corporate regulations (e.g. regulations, procedures, standards of conduct), if the employer decides to allow such reporting. In addition, the procedure may include information on risk factors that correspond to the employer’s business profile and that are conducive to certain violations. The draft bill also provides for the possibility of the procedure stating that a report may be made outside the internal procedure, either directly to the RPO or to a public authority. Legislators have also proposed establishing a system of incentives for using the internal reporting procedure. The bill’s explanatory memorandum states that these should involve intangible incentives, such as training courses, and not financial rewards.
Methods of transmitting internal reports
Under the bill, employees should be able to submit reports orally or in writing – either on paper or electronically (additional reporting channels may be provided). Oral reports are to be made by telephone or electronic means of communication. Each conversation held over a registered telephone line should be documented, with the whistleblower’s consent, in the form of:
- a recording; or
- a transcription made by the person/unit authorised to receive reports.
In the case of reports made over a non-registered telephone line, the call must be documented in minutes that reproduce the exact course of the call, prepared by the person/unit authorised to receive reports. The whistleblower will be entitled to check, correct and approve the transcript of the call or the minutes by signing it.
In addition to the above methods, on the whistleblower’s request, an oral report may be made at a face-to-face meeting arranged within 14 days of receiving such a request. Such a meeting will be subject to registration, with the whistleblower’s consent, as a recording or minutes drawn up by the person/unit authorised to receive reports. The whistleblower will be given the same rights in relation to the minutes of the meeting as in the case of the transcript or minutes referred to above.
Authorisation to receive internal reports
It will be incumbent on the employer to ensure compliance with data protection legislation in the context of receiving and processing internal reports. First and foremost, the internal reporting procedure must prevent unauthorised parties from gaining access to the information in the report and guarantee confidentiality as to the identity of the whistleblower, the person to whom the report relates and any third party identified in the report (this includes all information that could directly or indirectly help identify those persons).
Accordingly, the receipt and verification of reports, following them up and processing the personal data of the persons concerned will require the employer’s written authorisation. Persons so authorised by the employer will be required to keep confidential all information obtained in connection with the reports being processed, even after the termination of employment.
If the employer decides to make an external entity responsible for accepting internal reports, that entity’s authorisation will require the conclusion of an agreement to entrust the handling of internal report submissions, acknowledging the receipt of reports, providing feedback and information on the internal reporting procedure using technical and organisational solutions that ensure that these tasks comply with the proposed bill. In addition, such agreement should set out the rights and obligations of the external entity in relation to the processing of personal data under the GDPR.
The draft bill assumes that entities with a workforce of 50 to 249 persons will be able to share resources in terms of receiving and verifying internal reports and conducting investigations, by setting out in an agreement the common rules for these tasks. In such a case, though, each employer will remain a separate controller of data obtained in connection with receiving and verifying reports and will not have access to data obtained by another data controller (except if necessary for a follow-up by an employer that is not the controller in the specific case). The bill’s drafters have also provided for the possibility of establishing a common internal reporting procedure for local government bodies.
Significantly, irrespective of whether the receiving of reports is entrusted to an external entity or a joint report processing agreement is entered into with another employer, this will not relieve the entity of its responsibility to establish and comply with the internal reporting procedure, in particular in terms of confidentiality, providing feedback and following up.
Register of internal reports
Employers will be required to maintain a register of internal reports, which will record entries based on reports received. Under the proposed bill, the employer will be able to authorise the above-mentioned person or internal unit to maintain the register.
The register should contain the following information for each report:
- report number,
- subject of the violation,
- the personal data of the whistleblower and the subject of the report required to identify them,
- the whistleblower’s contact address,
- date of the report,
- information on follow-up actions taken,
- the date of completion of the matter.
The information held in the register is to be retained for a duration of three years after the end of the calendar year in which follow-up actions were completed or in which proceedings initiated by those actions end.
Dr Marcin Wujczyk, Bartosz Maciejewski