Whistleblower protection in your company – what should it consist of?

On 14 June 2024, the Sejm adopted a law aimed at protecting whistleblowers. This law is intended to implement Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law. Implementing a protection system enables whistleblowers to anonymously report violations in the workplace and eliminates retaliatory actions by the employer. Who are whistleblowers, and what steps must an organisation take to facilitate safe reporting?

Who are whistleblowers?

Whistleblowers are individuals who report irregularities in the functioning of an organisation. Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law obliges businesses to maintain a register of internal reports.

A whistleblower may be, among others:

  • an employee,
  • a shareholder/partner,
  • an intern,
  • a subcontractor,
  • a supplier,
  • a former employee,
  • a job applicant.

Managing the process of anonymous reporting of violations is the employer’s responsibility. It should be carried out in consultation with the Data Protection Officer (DPO). The main goal of systematic management of reports is to protect whistleblowers from retaliatory actions by the organisation. Such retaliatory actions may include termination of employment, financial penalties, or reassignment to a lower position.

What does whistleblower protection involve?

Whistleblower protection must ensure the safety of the person reporting irregularities. What does this procedure consist of? Specific guidance is provided by the Whistleblower Protection Act of 14 June 2024. The document outlines the permissible ways of processing a whistleblower’s personal data, the protective measures to be implemented, and the prohibition of retaliation, including public disclosure of their identity.

The procedure for protecting a whistleblower’s personal data includes, among other things, establishing rules for the processing of their personal information. The Act also comprehensively defines the procedure for handling internal reports, addressing, for example, the method of submitting a report.

Whistleblower Protection Act – key assumptions

The purpose of whistleblower protection is to ensure the safety of individuals who report violations, meaning the elimination of the risk of punitive actions taken against them for reporting irregularities.

According to DPO guidelines, whistleblower protection and systematic management of reports involve obligations not only for the company but also for the reporting individuals themselves. The directive requires them to monitor and report breaches in enterprises, as well as to counteract violations.

This applies to issues related to:

  • finance,
  • public affairs,
  • health and environmental protection,
  • protection of confidential and personal data,
  • food safety,
  • cybercrime.

How to meet the requirements of the Whistleblower Protection Act?

Whistleblowers are obliged to report violations through the information channels established by employers. The employer, in turn, is required to provide a channel through which anonymous reporting of violations can be carried out. The employer should implement a reporting system that ensures complete anonymity.

How can an organisation meet the requirements of the Whistleblower Protection Act? One way is to use whistleblower protection software that allows anonymous reporting. The OXARI Whistleblower System does not register data that could identify the device from which a report was submitted (IP address, computer name) and additionally encrypts transmitted information (the report text, attachments, and—if provided—contact details). The software includes solutions that automate the handling of service requests within organisations. It is fully compliant with EU law and ISO 37002 certification regarding the registration and handling of notifications of breaches within an organisation.

What are the consequences for employers who fail to implement whistleblower protection procedures?

Article 54 of the aforementioned Act also sets out the consequences for obstructing or preventing whistleblowers from reporting violations, which includes failing to implement whistleblower protection procedures. The responsible party may be subject to a fine, restriction of liberty, or imprisonment for up to one year. Negative consequences may also be imposed for retaliatory actions taken against a whistleblower after a report is submitted or for publicly disclosing their identity.

To ensure safety and the smooth functioning of the entire organisation, it is worthwhile not only to implement whistleblower protection but also to introduce additional systems that help manage company infrastructure, such as a service desk system. If you want to learn what incident management involves and how to effectively resolve issues related to the safety of people and company property, explore the other articles available on our blog.

What is a whistleblower incident reporting system?

A whistleblower reporting system enables the implementation of an anonymous violation-reporting process that is fully compliant with applicable European legal requirements. The tool includes ready-made scenarios for reporting irregularities and taking follow-up actions, as well as mechanisms that protect the data of reporting individuals. Users receive the address of a specially created website dedicated to submitting reports and sharing information about violations. A report can be registered at the workplace or from any other device with internet access.

What does the reporting management procedure look like in the system?

The process is divided into the following stages:

  • Reporting a violation
  • Receipt of the report
  • Assessment of the report’s validity
  • Follow-up actions (implementation of corrective measures, documentation)
  • Closure and archiving of the report

Why implement a whistleblower protection system in your company?

Implementing a system for handling violations allows organisations to meet the requirements imposed by the European Union on public and private entities regarding whistleblower protection. Providing an option for anonymous reporting—both for internal employees and external parties—offers the possibility of resolving issues internally before state control authorities intervene. Awareness among employees that an anonymous reporting option exists also helps create a positive development environment while minimising internal conflicts.
