What about the whistleblowers? – first penalties and the third installment of the whistleblower protection bill.

25 Jul 2022
Jakub Wietrzyński
Protecting the whistleblower

Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on on the protection of Union law whistleblowers, is already in effect as of December 17, 2021. However, until today (25.07.2022), a law clarifying the requirements of the Directive has not appeared in the Polish legal order.

Up to three times apiece

What may come as a surprise are the changes that occurred between the first, second and most recent, third iterations of the Whistleblower Protection Act. It was published on July 7, 2022. On the website of the Government Legislation Center. So if you have already developed a whistleblowing procedure you may be waiting to update it.

The most significant changes in the new third iteration of the Whistleblower Protection Law.

  • Retention period – Personal data and other information in the irregularity register are to be retained for a period of 15 months after the end of the calendar year in which the follow-up actions were completed or after the completion of the proceedings initiated by these actions.
  • Longer transition period – For entities with at least 250 people working for them, the transition period is 2 months. Entities employing at least 50 but no more than 250 people will be required to establish a whistleblowing procedure by December 17, 2023.
  • Public bodies – Local government bodies have been designated as public bodies. The Fire Chief has been removed.
  • Violation of personal property – Replaced the indication of damage to the whistleblower’s reputation on social media with a broader term referring to the violation of the whistleblower’s personal property.
  • Secure form of reporting – The whistleblowing procedure should address how to make a report securely and without leaving traces in the information system (ability to ensure the whistleblower’s privacy).

The Italian regulator has imposed an administrative fine on a public hospital and a system provider regarding a breach reporting system the hospital used

The Italian regulator has imposed an administrative fine on the public hospital. The penalty was imposed due to the failure to bring the breach notification process in line with the requirements of RODO. Details of the reason for the penalty on both the system provider and the hospital can be found here: https://edpb.europa.eu/. Today, I will not focus on the reason for the aforementioned penalty, but on pointing out the elements we should keep in mind when designing a breach notification process in accordance with RODO.

  • Can IT services, identify the whistleblower. Consider whether the reporting channel you are using can be accessed by your organization’s IT services (e.g., a dedicated e-mail box), or whether they can (e.g., based on network traffic) identify the person making the report.
  • Have you updated the RCP and developed information clauses. Remember that newly implemented processing activities should be included in the register of processing activities, and information clauses should be provided to those whose data you will be collecting.
  • Data Protection Impact Assessment. Before you start the process of reporting violations perform a DPIA and its results agree with your DPO.
  • Verify your supplier. If you use an IT system provided by an external entity to report violations, be sure to regulate the area of entrustment of personal data processing. Verify that the company is actually safe. You are responsible for it as an administrator. Learn about the audit service>>>


If the topic of whistleblowers spends your sleep, contact us:

  • We provide a secure and dedicated notification channel.
  • We help implement whistleblower protection requirements and the process of handling the request.
  • We are developing a whistleblower notification and protection procedure.
  • We conduct DPIA analysis of the personal data processed.

BLUE energy will be happy to help you with all aspects related to personal data – GDPR requirements audit service

Read about UODO penalties


See also

02 Nov
More penalties from the DPA

The Office of Personal Data Protection in September this year. imposed another administrative penalty on an entity that failed to comply with obligations that stem directly from the RODO.

Read more arrow
19 Apr
As an Administrator, can you choose the appropriate technical and organizational security measures necessary to ensure compliance with the GDPR?

The President of the Personal Data Protection Office imposed an administrative fine on the President of the District Court in Zgierz. The fine is not spectacular in terms of amount (PLN 10,000) and was imposed last year, but it is still worth paying attention to.

Read more arrow
Did not find what you are looking for?
Write to us arrow