The Whistleblowers’ Protection Act was enacted by the Polish Parliament on 14 June 2024. It was the implementation of EU Directive 2019/2937 on the same subject. However, the Polish act falls short of providing detailed regulations on conducting internal investigations. There are also no clear guidelines provided by public authorities, except for general information on specific issues related to internal investigations (such as data protection).
Legal framework
It needs to be underlined from the outset that the Whistleblowers’ Protection Act is not the only basis for internal investigations. It is not only the entities listed in the act (generally: businesses that employ at least 50 people on any legal basis) that are entitled to introduce a speak-up (whistleblowing) policy, receive reports and conduct internal investigations. There are also numerous legal regimes forming the basis for internal investigations. Businesses need to conduct them after an accident at work and in the event of a suspicion of mobbing or harassment.
Investigators and their position
Businesses should indicate and authorise a specific individual or organisational unit to be responsible for receiving reports from whistleblowers and conducting internal investigations. Usually these tasks lie upon compliance officers or in-house lawyers. However, businesses that do not have such a position can entrust internal investigations to the head of HR (P&C) or internal audits, or to an external unit such as a law firm.
The investigators’ position should be clearly described in internal procedures (such as the whistleblowing policy). Investigators should be entitled to analyse all company documentation and resources, ask anyone to provide information or explanations and perform interviews.
Investigative activities
Not even the Whistleblowers’ Protection Act sets out any specific provisions on investigations. There are no clear rules on analysing documentation, correspondence or performing interviews. It is commonly accepted that investigators can perform all kinds of activities that are compliant with the general rules of law, such as the labour law, rules on privacy or data protection.
Investigators can secure and analyse electronic devices and evidence, if they are the company’s property and were only entrusted to an employee as a tool. Employers are not entitled to analyse any private tools or devices, though they can analyse any publicly available information, such as Facebook and other social media, the employees’ activities and publicly available registers etc.
Employees can also be involved in internal investigations as witnesses. Employers are authorised to ask them to participate in investigations and provide evidence, information and explanations.
Confidentiality
Ensuring confidentiality is one of the most important obligations for investigators. It is also one of the few issues related to investigations that has been provided for in the Whistleblowers’ Protection Act in detail. Only individuals who are authorised to process personal data and to conduct investigations on behalf of the company are permitted to perform any activities in internal investigations. Under the Whistleblowers’ Protection Act, it could even be a criminal offence to reveal a whistleblower’s identity to anyone not authorised to receive such information (the same applies to anyone who provides any assistance to the whistleblower or anyone related to them).
Reports and recommendations
There is no legal obligation to provide a written report after concluding the investigation. However, it is highly recommended in most cases. The investigators should provide general information on the course of the investigation, indicate the outcome and recommend appropriate preventive measures or a remediation plan.