Poland – Privacy implications of new whistleblowing rules

Poland has finally implemented the EU Whistleblowing Directive. The new law will enter into force on 25 September 2024, leaving little time to adapt to the new regulations. We highlight the key privacy implications of implementing the whistleblowing procedures in Poland and outline the actions organisations need to take in the upcoming weeks.

Scope and timing

Poland has finally implemented the EU Whistleblowing Directive (EU) 2019/1937 through the Act of 14 June 2024 on the protection of whistleblowers (the "Act").

The Act establishes rules and procedures designed to protect whistleblowers. Legal entities which, as of 1 January or 1 July of a given year, have at least 50 individuals perform paid work must implement an internal whistleblowing reporting procedure. This procedure may need to be consulted with trade unions or employee representative bodies, and employees must be informed about its implementation.

The Act will enter into force on 25 September 2024. As the Act does not provide for a transition period, organisations will need to have all necessary changes to their processes and procedures ready in less than three months from now.

For detailed insights regarding the employment aspects of the implementation of whistleblowing procedures, please see the latest edition of HR in the Know.

Processing of personal data in connection with whistleblowing

Whistleblowing inherently involves the processing of personal data, which may include special category data and personal data relating to criminal convictions and offences, from various categories of data subjects.

These subjects include: the whistleblower; the person who is alleged in the whistleblower’s report or public disclosure to have breached the law (referred to as the “person concerned”); and third parties, such as individuals who possess knowledge about the breach, affected persons, and witnesses. Hence, data protection laws should be taken into account while designing whistleblowing programs.

Data processing occurs at multiple stages of an internal whistleblowing process within an organisation. It begins with the notification of a breach of law, followed by the recording of this notification, the initiation and conduct of an investigation, taking follow-up actions, and the subsequent retention of the case file once proceedings have concluded.

Given the sensitive nature and potentially broad scope of personal data processed while handling whistleblowing reports, organisations should diligently address the data protection requirements while adopting the requirements of the Act.

Actions to be taken to address key privacy requirements

When implementing the Act within an organisation, it is crucial to consider the key data protection requirements arising from the Act itself and other applicable data protection laws. The EU General Data Protection Regulation (the "GDPR") will play a significant role in this context.

Organisations should undertake the following actions:

• Adaptation of group policies: Review and adapt group whistleblowing procedures to meet the specific requirements of Polish law, particularly those concerning the permissible scope of personal data processing, exceptions to GDPR information obligations, and specified retention periods.
• Privacy policies: Prepare separate, tailored privacy notices for whistleblowers, persons concerned, and third parties, acknowledging specific exceptions to GDPR disclosure rules provided by the Act.
• Authorizations for data processing: Develop and issue written template authorisations for those handling whistleblower reports, including confidentiality undertakings to ensure secure and lawful processing.
• DPIA: Conduct a Data Protection Impact Assessment (the “DPIA”) as mandated under Article 35 of the GDPR, recognising that whistleblowing system implementations require such assessments under Polish regulations (implementation of whistleblowing systems is included in the list of operations which are subject to the requirement for a DPIA, published by the Polish Data Protection Authority).
• Data processing agreements: Enter into data processing agreements if using external vendors for breach reporting channels.
• Intra-group transfers: For corporate groups, conclude or update intra-group agreements that regulate data transfers and processing within whistleblowing frameworks.
• Updating privacy documentation: Update all privacy documentation, including employee privacy notices, records of processing activities, retention policies, procedures for handling data subject rights, data deletion procedures and other internal privacy documentation.
• Training: Implement training programs on new whistleblowing procedures to ensure all personnel are informed and compliant.

Key data protection requirements under the Act

The Act introduces certain data protection mechanisms that extend beyond the GDPR requirements. These need to be taken into account while designing and implementing whistleblowing frameworks in Poland.

• Enhanced protection of the whistleblower's identity: Central to the Act is safeguarding the whistleblower’s identity against third-party disclosure. This is achieved by maintaining the confidentiality of the whistleblower’s personal data, unless the whistleblower gives explicit consent or is found to have reported in bad faith. The Act provides for some exceptions to this general rule.  Additionally, the Act supports anonymous reporting, allowing reports to be made without revealing the whistleblower's identity.
• Data subject rights: The Act introduces certain exemptions to data subject rights under the GDPR, e.g. the rights to know about the source of data are not applicable.
• Data minimisation: Organisations are required to collect only the essential personal data necessary for processing a whistleblower’s report and subsequent investigation. Any irrelevant data must be deleted within fourteen days of determination of its irrelevance.
• Retention: The Act specifies mandatory retention periods for holding whistleblowing data. For instance, it stipulates a general three-year retention period for personal data processed in connection with the handling of a whistleblower’s report, taking follow-up actions, and storing related documents. The same retention period applies to personal data contained in the register of internal reports.
• Access control: Access to data related to whistleblowing must be strictly controlled. Only specifically authorised individuals, who must also be under confidentiality obligations, should have access. This authorisation should be documented in writing and regularly reviewed to prevent unauthorised access.

Conclusions

The Act still raises concerns due to its inconsistencies and the failure to adequately address all the issues related to personal data protection, which could potentially affect compliance and the overall safeguarding of data subjects’ rights.

Given these doubts, the Polish Data Protection Authority will organise a seminar to clarify these uncertainties regarding the application of the Act's provisions in the area of personal data protection.

As the deadline to comply with this Act rapidly approaches, we recommend that organisations meticulously review and update their data protection documentation to align with the Act and broader data protection requirements. Such proactive measures are crucial not only to meet legal obligations but also to uphold the trust and safety of all parties involved in whistleblowing processes.