- Home
- Internal reporting regulations
Internal reporting regulations
2024/09/18
Chapter I. – General Provisions
§1
Pursuant to Article 24 of the Act on the Protection of Whistleblowers of June 14, 2024, internal reporting regulations are established at SoftSystem Sp. z o.o., specifying the internal procedure for reporting violations of the law and taking follow-up actions.
§2
These regulations were established after consultation with Staff Representatives.
§3
By establishing an internal procedure, the legal entity shall ensure the impartiality of the verification of reports by an internal entity or an external entity authorized to receive reports and undertake follow-up actions.
§4
Whenever the regulations refer to:
1) follow-up action – it should be understood as an action taken by a legal entity or public body to assess the veracity of the allegations contained in a report and, where appropriate, to counteract the violation of the law that is the subject of the report, including internal investigation, prosecution, action taken to recover funds, or closure of the procedure for receiving and verification of reports;
2) retaliatory action – it shall be understood as a direct or indirect act or omission that is caused by a report or public disclosure and that violates or may violate the rights of the whistleblower or causes or may cause harm to the whistleblower;
3) information about a violation of the law – it should be understood as information, including reasonable suspicion, regarding an actual or potential violation of the law that has occurred or is likely to occur in the organization where the whistleblower works or has worked, or in another organization with which the whistleblower maintains or has maintained contact in a work-related context, or regarding an attempt to conceal such a violation of the law;
4) feedback – it should be understood as the provision of information to the whistleblower on the planned or undertaken follow-up actions and the reasons for such actions;
5) work-related context – it should be understood as the totality of circumstances related to the employment relationship or other legal relationship forming the basis for the provision of work, within the framework of which information about the violation of the law was obtained;
6) public body – it should be understood as the chief and central government administration bodies, field government administration bodies, bodies of local government units, other state bodies and other entities performing public administration tasks by law, competent to take follow-up actions in the areas indicated in Article 3 (1) of the Act on the Protection of Whistleblowers;
7) the person concerned by the report – it should be understood as a natural person, a legal person or an organizational unit without legal personality, to which the law grants legal capacity, indicated in the report or public disclosure as the person who committed the violation of the law or with whom the person is associated;
8) person assisting in making a report – it should be understood as an individual who assists the whistleblower in a report or public disclosure in a work-related context;
9) a person related to the whistleblower – this should be understood as an individual who may experience retaliation, including a co-worker or family member of the whistleblower;
10) working person – it should be understood as a person employed by a legal entity regardless of the basis and form of work or service;
11) legal entity – it should be understood as a private entity or public entity employing persons performing work or service regardless of the legal basis and form;
12) private entity – it should be understood as a natural person conducting business activity, a legal person or an organizational unit without legal personality, which is granted legal capacity by law, or an employer, if they are not public entities;
13) public entity – it should be understood as the entity indicated in Article 3 of the Act of August 11, 2021 on open data and reuse of public sector information (Journal of Laws of 2023, item 1524);
14) internal entity – it should be understood as an internal organizational unit or person within the organizational structure of the legal entity authorized by the legal entity to receive internal reports, their verification and follow-up actions;
15) external entity – it should be understood as an external entity or person authorized by the legal entity to participate in verification of internal reports and in taking follow-up actions in situations where the internal entity does not have adequate resources;
16) whistleblower – it should be understood as a working person who reports or publicly discloses information about a violation obtained in a work-related context;
17) public disclosure – it should be understood as making information about the violation of the law public;
18) report – it should be understood as an internal report or an external report;
19) internal report – it should be understood as the transmission of information to a legal entity about a violation of the law;
20) external report – it should be understood as the transmission of information to the Ombudsman of Civil Rights or a public body about a violation of the law.
Chapter II. Subject of the report
§5
- Under this procedure for internal reports, only violations of the law specified in paragraph 2 shall be considered.
- A violation of the law is an act or omission that is unlawful or intended to circumvent the law concerning:
1) corruption
2) public procurement;
3) financial services, products and markets;
4) anti-money laundering and terrorist financing;
5) product safety and compliance;
6) transportation safety;
7) environmental protection;
8) radiological protection and nuclear safety;
9) food and feed safety;
10) animal health and welfare;
11) public health;
12) consumer protection;
13) protection of privacy and personal data;
14) security of networks and information and communication systems;
15) financial interests of the State Treasury of the Republic of Poland, local government units and the European Union;
16) the internal market of the European Union, including the principles of competition and state aid and corporate taxation;
17) constitutional freedoms and rights of man and citizen
Chapter III. Whistleblowers
§6
- Under this internal reporting procedure, only violations of the law reported by working people regardless of the basis and form of work are considered.
- A report, within the framework of the internal reporting procedure, made by an individual other than those listed in paragraph 1, shall be left unacknowledged.
- The legal entity, if the content of the report in § 6 paragraph 2 is found to be significant, may take appropriate follow-up actions or forward the report to the appropriate public bodies.
- In the cases referred to in paragraphs 2 and 3, the legal entity shall provide feedback to the whistleblower in accordance with the procedure provided for in these regulations.
Chapter IV. Internal reporting procedure
§7
- The internal entity authorized to receive reports is the Company’s Proxy.
- In special cases, a legal entity may temporarily authorize another person to receive internal reports.
- The internal entity is obliged to protect the personal data of the whistleblower and other persons whose personal data is processed in connection with the follow-up actions taken.
- The internal entity performs initial verification of the report, conducts further communication with the whistleblower, including requesting additional information and providing feedback to the whistleblower.
- The internal entity, in the performance of its duties under these regulations, shall act completely independently of the legal entity and other persons managing the workplace on behalf of the legal entity.
- The legal entity and any other person shall not have the right to influence the performance of duties by the entity authorized by the legal entity to receive internal reports, give instructions to the entity, or influence the way the entity works.
- The internal entity is obliged to perform the activities under these regulations in a conscientious and diligent manner.
- The GDPR information clause for persons making internal reports is attached as Appendix 1 to these regulations.
§8
The legal entity establishes the following method of reporting (internal communication channels):
– Submitting a report by the dedicated system provided with access via a link:
(System zgłoszeń wewnętrznych – SoftSystem Sp. z o.o. | SygnaApp);
– Submitting a written report by letter (mail or courier) to the company’s address with the note on the envelope “INTERNAL CHANNEL FOR REPORTING LAW VIOLATIONS”;
– A direct conversation with the internal entity authorized to receive reports, referred to in §7 item 1. An oral report shall be documented as a conversation record, reproducing the exact course of the conversation, drawn up by the internal entity and approved by the whistleblower.
§9
- The internal procedure for receiving reports includes the possibility of making anonymous reports.
- In the event of an anonymous report, the internal entity shall evaluate and decide whether to leave such a report without consideration or, due to the subject of the report, follow up in accordance with these regulations.
§10
The internal entity is obliged to confirm receipt of the report to the whistleblower within 7 days of its receipt unless the whistleblower fails to provide an address to which the confirmation should be sent.
§11
The whistleblower shall receive feedback within 3 months of the confirmation of receipt of the report or, in the event of failure to provide confirmation to the reporting person, 3 months following the expiry of 7 days from the date of making the internal report unless the whistleblower failed to provide a contact address to which feedback should be sent.
§12
- The internal entity authorized by the legal entity to receive internal reports maintains a register of internal reports, in accordance with the template specified in Annex No. 2 to these regulations.
- A register of internal reports contains:
1) case number;
2) the subject of the violation;
3) personal data of the whistleblower and the subject of the report, necessary to identify them;
4) contact address of the whistleblower;
5) the date of the internal registration;
6) information on follow-up actions taken;
7) the date of completion of the case.
- Data in the register of internal reports shall be retained for a period of 3 years following the end of the calendar year in which the follow-up actions were completed or after the completion of proceedings initiated by these actions.
Chapter V. Follow-up actions
§13
- An internal entity authorized by a legal entity to receive internal reports, after receiving the report, prepares a note in which they describe the violation of law indicated in the report and assign the next case number from the register of internal reports.
- The note is immediately forwarded to the legal entity, which may take action to appoint an external entity in the event of a lack of working persons competent to investigate the internal report.
- The external entity may be an external specialist authorized by the legal entity.
- The authorization of an external entity requires the conclusion of an agreement to entrust the handling of internal reports using technical and organizational solutions that ensure compliance of these activities with the Law.
- The agreement referred to in paragraph 4 specifies the detailed rights and obligations of the external entity related to the processing of personal data, as referred to in particular in Article 28 paragraph 3 of Regulation (EU) 2016/679 of the European Parliament and the Council.
- Both the internal entity and the external entity authorized to investigate the internal report act impartially and completely independently of the legal entity.
- Both the internal entity and the external entity have the right to access any data necessary to investigate the internal report, based on the authorization granted in this respect (Annex No. 3).
- A record containing conclusions from the work carried out to investigate an internal report should be drawn up within a timeframe that ensures that the whistleblower receives feedback in accordance with § 11 of these regulations.
- Record containing conclusions is forwarded to the legal entity in order for them to plan follow-up actions, if any have been planned. The internal entity authorized to receive internal reports, within the deadline referred to in § 11, shall provide feedback to the whistleblower.
- Feedback includes, in particular, information on whether or not a violation of law has been identified and what measures, if any, have been or will be applied in response to the identified violation of law.
- Based on the results of the explanatory proceedings, the legal entity takes appropriate follow-up actions.
- Only persons with written authorization from a legal entity for specific activities may be allowed to receive and verify reports, take follow-up actions and process personal data. Authorized persons are obliged to keep confidentiality.
Chapter VI. External reporting procedure
§14
- Whistleblower may make an external report without making a prior internal report.
- An external report is received by the Commissioner for Human Rights or another public body receiving external reports concerning breaches in the areas falling within the scope of that body’s activities, as well as – where appropriate – to the institutions, bodies or offices of the European Union.
§15
- Either the Commissioner for Human Rights or another public authority shall develop a procedure for receiving external reports and taking follow-up actions, which shall be posted on their website in the Public Information Bulletin in a separate, easily identifiable and accessible section in a manner understandable to the whistleblower.
- The Commissioner for Human Rights shall provide widespread access to information on the rights and legal remedies of whistleblowers, as well as persons assisting in making a report, persons associated with the whistleblower, and persons concerned by an external report against retaliatory actions, in particular by posting this information on their website in the Public Information Bulletin.
- The Commissioner for Human Rights and the public authority shall ensure that the procedure for receiving external reports and the procedure for external reports and the processing of personal data related to the receipt of reports:
1) prevent unauthorized persons from gaining access to the information covered by the report;
2) ensure protection of the confidentiality of the identity of the whistleblower and the person concerned by the report.
§16
- External reporting may be made orally and in paper or electronic form.
- Reporting in paper or electronic form may be made:
1) in paper form – to the correspondence address indicated by the Commissioner for Human Rights or the public authority receiving the report;
2) in electronic form – to the e-mail address or electronic mailbox address, or address for electronic deliveries indicated by the Commissioner for Human Rights or the public authority receiving the report, or via a dedicated online form or application indicated by the public authority as the appropriate application for making reports in electronic form.
- Oral reporting made via a recorded telephone line or other recorded voice communication system is documented with the whistleblower’s consent in the form of:
1) a recording of the conversation, enabling its retrieval, or
2) a complete and accurate transcript of the conversation.
- An oral report made via an unrecorded telephone line or other unrecorded voice communication system is documented in the form of a conversation record reproducing the exact course of the conversation.
§17
An external report may also be made to the relevant authorities and organizational units of Union such as the European Anti-Fraud Office (OLAF), the European Maritime Safety Agency (EMSA), the European Aviation Safety Agency (EASA), the European Securities and Markets Authority (ESMA) and the European Medicines Agency (EMA), which have external reporting channels and procedures for receiving reports, mainly ensuring the confidentiality of the identity of the reporting persons.
Chapter VII. Public disclosure
§18
- A whistleblower making a public disclosure is protected if they make:
- an internal report and then an external report, and the legal entity and then the public authority do not take any appropriate follow-up action or provide no feedback to the whistleblower within the deadline for providing feedback set in the internal procedure and then within the deadline for providing feedback set in the external procedure of the public authority, or
- an external report immediately, and the public authority does not take any appropriate follow-up action or provides no feedback to the whistleblower within the deadline for providing feedback set in its external procedure
– unless the whistleblower fails to provide a contact address to which such information should be forwarded.
- A whistleblower making a public disclosure is also subject to protection if they have reasonable grounds to believe that:
- the breach may constitute a direct or obvious threat to the public interest, in particular when there is a risk of irreversible damage, or
- making an external report will expose the whistleblower to retaliatory actions, or
- in case an external report is made, there is little likelihood of effective counteracting the breach of law due to the specific circumstances of the case, such as the possibility of concealing or destroying evidence, the existence of collusion between a public authority and the perpetrator of the breach, or the participation of a public authority in the breach.
Chapter VIII. Final provisions
§19
- Having familiarized themselves with the content of these regulations, employees confirm electronically that they have acknowledged it and that they comply with its content. Each newly hired employee shall be presented with these regulations to familiarize themselves with their content before starting their work duties.
- The method of informing employees about changes to the content of the regulations is the mailing of the updated regulations – taking into account the type of work, all employees have access to e-mail.
- A person applying for a job on the basis of an employment relationship or other legal relationship that is the basis for the provision of work or services, or the performance of functions, or the performance of service shall be provided by the legal entity with information on the internal reporting procedure together with the commencement of recruitment or negotiations preceding the conclusion of the contract.
§20
The Regulations shall enter into force 7 days following the date of informing employees.