Workplace bullying and harassment: procedures are no longer optional. New obligations for employers are coming

Anti-bullying procedures are no longer just a “nice to have.” The proposed amendments to the Labour Code make it clear: employers will be expected to act actively and continuously – not only react to complaints. For many organizations, this means rethinking their current approach.

Work is currently underway in Parliament on a draft amendment to the Labour Code and the Code of Civil Procedure, which aims to comprehensively reshape regulations on workplace bullying, discrimination, violations of dignity and other personal rights of employees, as well as equal treatment in employment. The draft was adopted by the Council of Ministers on 17 February 2026, and its first reading took place in Parliament on 25 March 2026.

If adopted in its current form, the changes will require employers to take a much broader view of this area than before.


What exactly is changing?

The draft introduces several key changes:

  • a simplified definition of workplace bullying – removing the requirement of long duration and focusing instead on persistent harassment,
  • an obligation to actively and continuously prevent undesirable workplace behaviours,
  • the employer’s right of recourse against the perpetrator (i.e. seeking reimbursement of compensation or damages paid).

These changes may require a thorough review of existing HR policies and procedures.


A procedure is not enough – what matters is action

The changes will affect both employers who already have procedures in place and those who have not yet formally addressed this area.

In many organizations, current solutions focus mainly on:

  • reporting channels
  • appointing investigation committees
  • conducting internal investigations

However, the draft goes much further.

👉 What will matter is not just the document itself, but how it works in practice.

The new approach emphasizes:

  • prevention,
  • detection of irregularities,
  • appropriate response,
  • corrective actions,
  • real support for affected individuals.

In other words, not only the procedure itself may need to be reviewed, but the entire HR compliance model.


New obligations for employers (including those who already have procedures)

The draft assumes that employers with at least 9 employees will be required to:

➡️ define rules, procedures and the frequency of actions in relation to preventing:

  • violations of dignity and personal rights,
  • breaches of equal treatment,
  • discrimination,
  • workplace bullying

…and include them in a separate policy (unless already covered by a collective agreement or work regulations).

This leads to one conclusion: having a procedure will no longer be enough.


No procedure in place? This is the last call

The draft is even more significant for employers who:

  • have no procedure at all
  • or rely only on a general anti-bullying clause in internal regulations

These organizations should start preparing now by:

  • mapping risks,
  • setting up reporting channels,
  • defining investigation processes,
  • establishing documentation standards,
  • implementing protection for whistleblowers and witnesses,
  • planning training and internal communication.

👉 The draft clearly shows that practice will matter more than formal wording.


Smaller companies are not exempt

Importantly, the draft does not exempt smaller employers.

Companies employing fewer than 9 people are still required to:

  • prevent workplace bullying and other undesirable behaviours
  • communicate the adopted rules and procedures to employees

The difference lies mainly in the level of formalization, not in the obligation itself.


Burden of proof – a game changer

The draft also introduces an important procedural change.

In cases concerning a breach of equal treatment:

  • the employee will only need to make the violation plausible,
  • the employer will then need to prove that no violation occurred.

👉 In practice, this means one thing:
proper documentation of HR decisions and actions becomes critical.


Why this is a real risk (not just theory)

📊 As many as 93% of respondents declare they have experienced behaviours that may qualify as workplace bullying (Antal & Dobra Foundation research).

At the same time:

  • only 6% of complaints are found justified (data from the National Labour Inspectorate)

This does not mean the problem is rare — rather, it highlights how difficult it is to properly identify and prove such behaviours.

The draft addresses this, among other things, by requiring courts to assess not only bullying, but also potential violations of other personal rights of the employee.

This significantly broadens employers’ legal exposure.


This is not just a change in documentation

This is not just a “paper change.”

👉 It is a shift in how employment-related risk is managed.

Anti-bullying procedures are becoming one of the key organizational risk management tools.

For some, this will mean updating existing frameworks.
For others — the last moment to build them from scratch.

👉 The real question is no longer: “Do you have a procedure?”
But: “Does it actually work – and can you prove it?”


Do you feel that anti-bullying procedures in your organization technically “exist,” but you’re not entirely sure how they work in practice? This might be a good moment to take a closer look. If you’d like, we can go through it together and help you identify what’s worth improving.

GDPR compliance in e-commerce – when marketing tools become a legal risk

E-commerce businesses rely heavily on digital tools to understand users, optimise conversion rates and target advertising. Retargeting platforms, analytics solutions, advertising networks and anti-bot mechanisms have become a standard element of modern online commerce.

From a technological perspective, implementing such tools often appears straightforward. A marketing team deploys a tag, script or API connection, and the tool begins collecting data about user behaviour.

From a legal perspective, however, the reality is often far more complex.

Many of these technologies involve sophisticated data-processing ecosystems that extend beyond the website where they are deployed. What appears to be a simple marketing integration may in practice trigger extensive data sharing with global technology platforms, often involving multiple controllers, cross-border transfers and behavioural profiling.

This growing complexity explains why regulators across Europe have begun to focus more closely on how marketing technologies process personal data.

For e-commerce companies, this area is becoming one of the most sensitive aspects of GDPR compliance.

The hidden complexity of marketing technologies

In many projects we analyse, the implementation process follows a familiar pattern. An online retailer decides to deploy a tool recommended by a marketing agency or technology partner. The integration is quick and technically simple.

But the legal implications may be much more complicated.

A single marketing or analytics tool may involve:

  • multiple independent data controllers,
  • joint controllership arrangements,
  • behavioural tracking and profiling,
  • cross-border data transfers,
  • and the reuse of collected data within global advertising ecosystems.

These elements are not always visible to the businesses deploying the technology.

For example, retargeting platforms may not rely solely on cookies. In some configurations they also process additional identifiers such as hashed email addresses, phone numbers or CRM-based customer identifiers, which are used to match individuals with advertising accounts across multiple platforms.

From a GDPR perspective, such operations may constitute a separate form of personal data processing and therefore require an independent legal basis and additional transparency obligations.

Legal risks behind audience-matching technologies

A particularly sensitive area concerns audience-matching technologies, such as Google Customer Match or Meta Custom Audiences.

These tools allow companies to upload identifiers from their customer databases – typically hashed email addresses or phone numbers – to advertising platforms. The platform then compares these identifiers with its own user accounts and creates targeted advertising audiences.

From a marketing perspective, the mechanism is extremely effective.

From a GDPR perspective, however, it raises significant concerns.

The central issue is the legal basis for such processing.

Companies sometimes attempt to rely on legitimate interest for this type of targeted advertising. However, regulatory practice increasingly suggests that this approach may not be sufficient.

European data protection authorities have pointed out that individuals who provide their contact details to a company – for example during a purchase or account registration – do not reasonably expect that these identifiers will later be used to target them across external advertising ecosystems.

As a result, tools such as Google Customer Match or Meta Custom Audiences may require separate, explicit user consent for the use of customer contact data in advertising audience matching.

Without such consent, companies risk engaging in unlawful disclosure of personal data to third-party advertising platforms.

Regulators are increasingly scrutinising ad-tech practices

Recent regulatory enforcement illustrates that these risks are not merely theoretical.

In 2023, the French data protection authority (CNIL) imposed a €40 million fine on the advertising platform Criteo. Among other issues, the authority concluded that the company had failed to demonstrate a valid legal basis for processing personal data used within its advertising ecosystem. The regulator also identified shortcomings in transparency and the handling of data subject rights.

Similarly, European regulators have questioned the use of advertising audience-matching tools such as Facebook Custom Audiences. German authorities concluded that uploading customer contact data – even in hashed form – may require explicit user consent.

These cases demonstrate a broader regulatory trend: ad-tech ecosystems are increasingly treated as high-risk environments for personal data processing.

When behavioural tracking becomes personal data processing

Another important issue concerns the identifiability of individuals in digital environments.

Many marketing technologies rely on identifiers that do not directly reveal a person’s name or email address. These may include cookie IDs, advertising identifiers, device fingerprints or behavioural profiles.

However, under the GDPR this does not remove them from the category of personal data.

Recital 30 of the GDPR explicitly recognises that individuals may be associated with online identifiers provided by devices, applications, tools and protocols, including cookie identifiers and other tracking technologies. These identifiers may leave traces which, when combined with other information, can be used to create profiles and identify individuals.

In practical terms, this means that if a user views a product – for example a pair of running shoes – on one website and later sees the same product advertised across multiple websites, it demonstrates that the user has been tracked and recognised within an advertising ecosystem.

Even if the platform operator does not know the user’s name, the individual has been identified well enough to target advertising specifically to them.

This is precisely the type of processing that the GDPR was designed to regulate.

Compliance requires both legal and technical design

These examples illustrate a broader point: compliance with the GDPR in digital marketing environments cannot rely solely on contractual clauses or privacy policies.

It requires carefully designed technical and organisational processes.

Businesses deploying marketing technologies should ensure that:

  • users receive clear and detailed information about how their data is processed,
  • the purposes of processing are transparent,
  • the legal bases are correctly identified,
  • the roles of technology providers are properly assessed,
  • data retention periods are clearly communicated,
  • and international data transfers are appropriately disclosed.

In other words, compliance must be built into both the technical implementation and the documentation surrounding it.

The GDPR was created to protect the privacy of individuals – including their privacy in digital environments, where personal data is often generated not through traditional identifiers but through behavioural signals and online tracking technologies.

Supporting e-commerce companies in navigating ad-tech compliance

At JLSW Janaszczyk Lis & Wspólnicy, we regularly support e-commerce companies in analysing the legal implications of digital marketing and analytics tools used within their online ecosystems.

Our work often includes:

  • assessing the roles of technology providers (controller, processor or joint controller),
  • analysing contractual frameworks with global technology platforms,
  • evaluating consent mechanisms and transparency requirements,
  • reviewing international data-transfer structures,
  • and designing risk-mitigation strategies for complex ad-tech environments.

Our goal is not to discourage businesses from using modern marketing technologies. These tools are essential for e-commerce.

Instead, our focus is to ensure that companies can implement them in a way that is both technologically effective and legally sustainable.

Criteo, Cookies and Customer Data – What an Online Store Should Check Before Implementation

Online stores increasingly rely on advanced marketing and analytics tools. Retargeting, ad personalization, and automated offer matching have become standard in e-commerce. The challenge is that implementing these solutions is not only a technical or marketing decision. Very often, it also involves the processing of personal data.

And this is where an important legal question arises: what actually happens to user data when such a tool is implemented?


Before You Implement a Marketing Tool – Check How It Works

In practice, the situation often looks like this: an online store decides to implement a marketing solution recommended by an agency or a technology partner. The implementation usually involves adding a tag or script to the website.

From a marketing perspective, this is a quick and effective way to boost sales. From a data protection perspective, however, it is only the beginning of the analysis.

It is important to determine, among other things:

  • what data is collected by the tool,

  • who acts as the data controller,

  • whether the data is shared with other entities,

  • whether data is transferred outside the European Economic Area,

  • and what the appropriate legal basis for processing is.

Without this analysis, it is easy to assume that if a user has consented to cookies, everything is compliant. In practice, however, that is often only one element of a much more complex picture.


Example: How Criteo Retargeting Works

A good example is the popular retargeting tool Criteo.

In the basic model, part of the user data is collected through Criteo cookies, which allow the identification of users across the web and enable advertising to be tailored to their previous activity.

However, analysis of the documentation and the way the tool operates shows that in some configurations additional user data may also be transferred.

This may include, for example:

  • hashed email addresses,

  • hashed phone numbers,

  • user identifiers from the online store’s CRM system.

Such data can be shared with advertising systems in order to match users and enable even more precise ad targeting.

And this is where the real legal analysis begins.


Cookie Consent Is Not Always Enough

Many organizations assume that if a user has consented to marketing cookies in a cookie banner, all retargeting activities can rely on that consent.

However, cookie consent is derived from rules concerning storing and accessing information on a user’s device, regulated in Poland by the Electronic Communications Law. These rules implement Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC).

In other words, this consent primarily concerns the use of cookies as a technology.

If, however, a marketing tool also involves additional transfers of personal data beyond what is collected via cookies, such as:

  • hashed email addresses,

  • phone numbers,

  • CRM identifiers,

this may constitute a separate personal data processing operation, which requires an independent legal basis under the GDPR.


What Do Data Protection Authorities Say?

In recent years, European data protection authorities have increasingly scrutinized user-matching mechanisms used in advertising systems.

Criteo itself provides a good example. In 2023, the French data protection authority (CNIL) imposed a €40 million fine on the company. According to the authority, Criteo was unable to demonstrate that it had a valid legal basis for processing user data used in its advertising system, including data collected through retargeting mechanisms. CNIL also identified issues related to the exercise of data subject rights and insufficient transparency regarding data processing. The case shows that this type of technology is already under close regulatory scrutiny, which means its implementation should be preceded by a thorough legal and technical assessment.

Another widely discussed case concerns Facebook Custom Audiences. The German data protection authority concluded that uploading customer lists containing email addresses or phone numbers to Facebook – even in hashed form – requires prior user consent.

Importantly, an administrative court upheld this position, noting that hashing does not eliminate the personal data nature of the information, because the platform can still match it to specific users.

The mechanism behind such tools is relatively straightforward: an advertiser uploads a list of customers (for example, email addresses or phone numbers), and the advertising platform matches them with its users to create a targeted advertising audience.

In practice, this means that personal data from an online store’s customer database is shared with an advertising system.
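To make concrete why hashing does not anonymise a customer list (the point made above, and in the Custom Audiences discussion of the earlier GDPR post), here is an added Python example that is not part of the original post. It simulates the advertiser's hashed upload and the platform's matching step; the normalisation rule (trim and lowercase before SHA-256) and every customer and account record are constructed assumptions, not any platform's documented procedure.

```python
import hashlib


def normalize_email(addr: str) -> str:
    """Assumed normalisation before hashing: trim whitespace and lowercase.
    Platforms publish their own rules; this one is an assumption for the demo."""
    return addr.strip().lower()


def hash_identifier(value: str) -> str:
    """SHA-256 hex digest of the normalised identifier (what the advertiser uploads)."""
    return hashlib.sha256(normalize_email(value).encode("utf-8")).hexdigest()


# Constructed sample: an online store's CRM export (mixed casing / stray spaces).
ADVERTISER_CUSTOMERS = [
    "Anna.Kowalska@example.com ",
    "jan.nowak@example.org",
    "nobody@example.net",
]

# Constructed sample: the advertising platform's own account directory.
PLATFORM_ACCOUNTS = {
    "u-1001": "anna.kowalska@example.com",
    "u-1002": "piotr.z@example.org",
    "u-1003": "jan.nowak@example.org",
}


def build_upload(customers):
    """The advertiser side: only hashes leave the store, never plaintext addresses."""
    return [hash_identifier(c) for c in customers]


def build_platform_index(accounts):
    """The platform side: hash its own users' addresses with the same rule.
    Anyone holding a list of addresses can build this table, which is why a
    hash of an email is not anonymisation."""
    return {hash_identifier(email): uid for uid, email in accounts.items()}


def match_audience(upload, index):
    """Re-identify uploaded hashes as concrete platform user ids (the audience)."""
    return sorted(index[h] for h in upload if h in index)


if __name__ == "__main__":
    upload = build_upload(ADVERTISER_CUSTOMERS)
    matched = match_audience(upload, build_platform_index(PLATFORM_ACCOUNTS))
    print(f"uploaded {len(upload)} hashes, platform re-identified {matched}")
```

The customer who has no account on the platform stays unmatched, but the two who do are re-identified from the hash alone, which is exactly the matching step the authorities treated as processing of personal data.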


What Are the Risks for E-Commerce?

Failing to conduct a proper legal analysis before implementing a marketing tool can lead to several serious risks.

The most common ones include:

Data Transfers Without a Legal Basis

If a store shares, for example, hashed email addresses or phone numbers of its customers with an advertising system without an appropriate legal basis, this may be considered an unlawful disclosure of personal data under the GDPR.

Lack of Transparency for Users

Users should be informed not only about cookies but also about the possibility that their data may be used in advertising systems for profiling or targeted advertising.

Transfers of Data Outside the EEA

With global advertising platforms, there is often also the issue of data transfers to third countries.


What About GDPR Fines?

The GDPR provides for significant sanctions for violations of data protection rules.

For serious infringements, administrative fines can reach up to €20 million or 4% of a company’s annual global turnover, whichever is higher.

Supervisory authorities are increasingly focusing on digital marketing and advertising technologies, as these areas involve some of the most complex data flows.


Summary

Modern marketing tools can significantly increase the effectiveness of sales in e-commerce. At the same time, their implementation almost always involves the processing of personal data.

Instead of assuming that “the cookie banner solves the problem,” it is worth verifying:

  • what data is actually being processed,

  • whether identifiers from the store’s systems (such as email, phone number, or CRM ID) are being shared,

  • who is responsible for the processing,

  • whether data transfers outside the EEA take place,

  • and whether an additional legal basis for processing is required.

A proper analysis can help avoid many potential problems while also ensuring that documentation and user communication remain clear and compliant.

👉 If you are planning to implement a marketing tool or want to verify whether the solutions used in your online store comply with the GDPR, feel free to contact us. We will be happy to analyze how these tools operate and help you implement them safely.

🔐 NIS2 becomes reality in Poland

The President has signed the amendment to the National Cybersecurity System Act implementing the NIS2 Directive into Polish law. The new regulations significantly expand cybersecurity obligations for many organisations – as well as the responsibilities of management boards.

What does this mean in practice? Among other things, organisations may be required to:

• implement appropriate cybersecurity risk-management measures
• establish and maintain an information security management system
• organise incident handling and report serious incidents
• ensure adequate governance and oversight at the management level

The new regime also introduces significant administrative fines – up to EUR 10 million or 2% of global turnover, and in specific cases even up to PLN 100 million. The regulations also provide for the possibility of personal liability of management board members.

📅 Key dates:
2 April 2026 – the Act enters into force
2 May 2026 – publication of the list of key and important entities
2 April 2027 – deadline to implement the statutory obligations
2 April 2028 – first audit for key entities

Will your organisation fall within the scope of the new regulations?
What legal obligations will this create for your company and its management?

Contact us – We would be happy to help identify whether the new regulations apply to your organisation and clarify the legal obligations resulting from the new cybersecurity framework.

reCAPTCHA or Risk? Free Protection, Real Accountability.

Google reCAPTCHA is one of the most commonly used tools for protecting online forms against spam and bots. It’s quick to deploy, technically efficient — and very often implemented by default, without much legal reflection.

For a long time, however, the free version of reCAPTCHA raised serious GDPR concerns: no data processing agreement, an unclear scope of data collection, and extensive behavioural analysis taking place in the background.

As of 2 April, the legal model is changing.

Does that mean the compliance issue disappears?
Not quite.


1. The previous model: a service paid for with data

Under the free model, website owners did not pay with money.
They paid with user data.

reCAPTCHA processes, among other things:

  • IP addresses,

  • browser and device identifiers,

  • behavioural interaction data,

  • cookies and related tracking information.

Until recently, the free version was not covered by the Google Cloud Data Processing Addendum (DPA). Google acted as an independent controller rather than a processor within the meaning of Article 28 GDPR.

In practice, this meant:

  • no formal data processing agreement,

  • data potentially processed for Google’s own purposes,

  • limited ability for the website owner to meaningfully control the scope of processing.

It was, in effect, a “free” service operating within a data-driven model.


2. From 2 April: Google as a processor

Google has announced that, from 2 April, the free version of reCAPTCHA will be covered by the Cloud Data Processing Addendum.

This is a significant development.

Under the updated framework, Google is expected to act as a processor on behalf of its customers. At a general level, the DPA contains the elements required under Article 28 GDPR.

From a formal perspective, this is clearly a step in the right direction:

  • the controller–processor relationship is contractually structured,

  • a data processing agreement is in place,

  • the legal framework becomes more predictable.

For European customers, the contracting entity will be Google Cloud EMEA Limited (Ireland), meaning the processor is an EU-based Google entity.

But a DPA alone does not automatically guarantee full compliance.


3. Transparency and data minimisation: still critical questions

The DPA defines the scope of data very broadly as:

“Data relating to individuals provided to Google via the Services, by (or at the direction of) Customer or by its End Users.”

It does not specify concrete categories of personal data.

Based on publicly available information, the processing appears to involve primarily technical and behavioural signals used to distinguish humans from bots, largely processed on a temporary basis.

However:

  • the categories of data are not exhaustively described,

  • the retention period may extend up to 180 days,

  • and each controller must verify how reCAPTCHA is actually implemented in their specific setup.

The core issue is not necessarily that the data is excessive.
The issue is whether the controller can demonstrate that it is proportionate and limited to what is strictly necessary.

Under the GDPR, accountability requires more than trust. It requires evidence.


4. Legal basis: legitimate interest or consent?

Preventing spam and abuse can, in principle, qualify as a legitimate interest under Article 6(1)(f) GDPR.

Following the introduction of the DPA, relying on legitimate interest may be more defensible than before. That said, controllers still need to:

  • carry out and document a proper balancing test,

  • assess proportionality,

  • verify the actual scope of data processed in practice.

There is also the ePrivacy dimension.

If reCAPTCHA relies on non-essential cookies or similar technologies, prior consent may be required under applicable ePrivacy and national cookie rules — unless the tool can genuinely be considered strictly necessary for a service explicitly requested by the user.

And here the tension becomes practical.

A user wants to submit a form.
They do not explicitly request that their behavioural data be analysed by a third party.

If consent is treated as the safest legal basis and reCAPTCHA is only loaded after opt-in:

  • no consent means no protection,

  • the form remains vulnerable,

  • and a bot is unlikely to click “Accept”.

This illustrates that the choice of legal basis is not merely a theoretical compliance debate. It directly affects how your website operates.


5. New DPA. Familiar compliance questions.

As of 2 April, the formal legal position of the free version is clearly stronger than before.

From a contractual standpoint, this is an important improvement. The controller–processor relationship is now structured, and the framework aligns more closely with Article 28 GDPR standards.

But compliance is not achieved by contract alone.

Controllers must still:

  • determine the actual scope of personal data processed in their specific implementation,

  • properly define and document the chosen legal basis,

  • ensure consistency between privacy notices and real data flows,

  • update records of processing activities,

  • assess any international data transfers and applicable safeguards.

Google is undoubtedly moving closer to European data protection expectations.

However, the responsibility for demonstrating GDPR compliance remains with the controller.


What about your website?

Your privacy policy is not just a formality.

It is visible not only to users — but also to competitors, dissatisfied customers, business partners, and, if necessary, supervisory authorities.

A privacy notice should reflect what truly happens behind the scenes.

Are you confident that:

  • all tools used on your website are properly disclosed?

  • the roles of third parties are accurately defined?

  • your legal basis has been genuinely assessed rather than assumed?

  • your documentation would withstand regulatory scrutiny?

We help our clients ensure that what they declare publicly accurately reflects the data processing taking place internally.

If you would like to understand whether your reCAPTCHA setup is simply a security feature — or a potential compliance exposure — let’s talk.

Ongoing risk management in relation to the compliance system as an essential element of an effective breach prevention strategy

In the current regulatory environment, organisations must continually adapt their practices to changing regulations and laws. In this context, ongoing risk management becomes a key tool that helps organisations maintain a high level of compliance and minimise the risk of breaches. In addition, compliance risk management allows for the identification and assessment of new risks and the adjustment of breach prevention strategies to the organisation’s current needs.

Specifically, as a part of the ongoing risk management process, the following measures are of paramount importance:

  • review of changes in regulations and laws relating to the organisation’s activities;
  • identification of new risks, i.e. identifying new areas where a potential risk of compliance violations may occur;
  • update of the compliance strategy based on the conducted analysis, i.e. adjusting the existing breach prevention strategies and procedures to better address the new risks;
  • update of employee training and awareness so that employees are made aware of current risks and fully understand the compliance procedures.

Below are also some reasons why ongoing compliance risk management is so important for organisations. First and foremost, we need to keep in mind:

  • Changing legislation. Organisations need to regularly assess whether their compliance practices are aligned with current legislation to avoid potential legal breaches;
  • Changes in the external environment. The business environment is constantly changing. New market trends, economic shifts and other external factors can affect the risks an organisation may encounter. Ongoing risk management allows these changes to be addressed;
  • Internal changes within the organisation. The goal of any organisation is to grow, which manifests itself through, among other things, the launch of new products, services, processes or technologies. Any of the above changes may create new risks in the organisation or change the existing ones. Ongoing risk management in this case identifies new risks and allows the organisation to understand how the changes affect it and how the incidence of risk can be reduced;
  • Monitoring of the effectiveness of control activities. Ongoing risk management also allows the organisation to assess whether its current control activities are effective in mitigating the risks that occur;
  • Adjustment of business strategy. As an organisation grows, it becomes necessary to adapt its business strategy to changing market conditions. Ongoing risk management helps to understand the risks associated with new lines of business and whether they are acceptable;
  • Reputation management. Ongoing risk management helps prevent the possibility of reputation loss or damage. Breaches of regulations or ethical standards can result in significant damage to an organisation’s reputation. Ongoing risk management helps avoid situations in which the organisation would be exposed to a public image crisis;
  • Requirements of investors and business partners. Recently, it has become increasingly common for investors, business partners and suppliers working with an organisation to require evidence that the organisation is monitoring any involved risks on an ongoing basis and taking appropriate steps to minimise them.

To conclude, ongoing risk management is an integral part of an effective compliance and non-compliance risk management system. It helps the organisation make the right business decisions, as well as remain competitive, maintain its reputation, avoid potential crises and adapt to a rapidly changing market environment.


Compliance system – part X – the most common mistakes made in the implementation and functioning of the compliance system in organisations

More and more compliance systems are being implemented in organisations. The reasons for this include, among others, frequent changes in the law, members of the organisation’s management board being held to account, and financial losses resulting from corruption and abuse. Moreover, the implementation of an effective compliance system is often required by business partners, who make it a condition for further negotiations or the conclusion of a contract. However, one should bear in mind that the compliance system must be adapted to the organisation’s needs and properly implemented. The proper functioning of the system in the organisation must also be ensured, i.e. by updating and improving it and taking actions aimed at ensuring its effectiveness. An ineffective compliance system will not deliver the expected results and will not protect the organisation from the negative consequences of non-compliance.

The following are the most common errors in the implementation and functioning of compliance systems in organisations:

Poorly conducted risk assessments and defective implementation of internal policies and procedures – these problems arise when organisations try to carry out risk assessments on their own, without the help of a professional who can point out the threats and implement effective and tailored safeguards. The lack of a proper risk assessment is reflected in inadequate verification of the areas exposed to risk and of the effectiveness of the implemented policies and procedures, and, as a result, in irregularities, financial losses, reputational damage and liability.

No updates of the compliance system – the internal policies and procedures functioning within an organisation also require regular updates, in particular in terms of compliance with the law, which nowadays changes dynamically. A lack of ongoing updates of the compliance system means that the policies and procedures functioning within the organisation are not adapted to its current needs. This is often due to a failure to appoint a person responsible for supervising the compliance system and keeping it up to date.

Lack of a clear definition of roles and responsibilities, and assignment of responsibilities to people who do not have the appropriate competences – a common mistake made by organisations is to entrust several functions to one person. The compliance system requires proper commitment, which means that the compliance officer should focus as much as possible on his or her own responsibilities so as not to expose the organisation to adverse effects.

Lack of regular reporting and notification of errors – the absence of ongoing reporting to the management bodies on the results of the compliance system is another problem. A lack of proper monitoring and reporting measures means that irregularities cannot be identified quickly and corrective actions cannot be implemented promptly, which inhibits the process of improving the compliance system in the organisation.

Lack of training – a lack of training is reflected in employees’ lack of knowledge of policies and procedures and lack of the skills to apply them in practice, e.g. failure to report errors. Moreover, the absence of regular training is not conducive to creating the ethical culture that promotes appropriate behaviour in a given organisation.

Lack of communication and support from the management body – organisations often point to the lack of commitment from the management body, which should clearly communicate support for the compliance system and promote the values and behaviours that are desired in the organisation.

Lack of appropriate tools to support the compliance system – organisations should implement tools to report and visualise the compliance status, which facilitate making effective decisions and demonstrating due diligence.

We invite you to read our other articles on the subject of compliance:

Compliance – part IX – procedures

Compliance – part VIII – procedures

Compliance – part VIII – Trainings – one of the ways to ensure the effectiveness of the compliance system

System compliance – VI – Risk assessment

Compliance – part IV – Compliance officer

Compliance – part III – Who is affected by the compliance system and how it is implemented.

Compliance – part II – compliance system

Compliance – part I – introduction

Compliance – part IX – procedures

The compliance system ensures an organisation’s compliance with legal regulations, industry standards and ethical principles in the risk areas.

An effective compliance system requires creating appropriate tools, such as policies, procedures and codes. On the other hand, the kind of compliance system documentation to be implemented in an organisation is determined primarily by the scope of the business activity and the type of risks involved.

This documentation should provide, in particular, information on the patterns of operation in an organisation, the roles and tasks of individual persons and the rules of conduct, e.g. in the event of specific irregularities.

Standard compliance procedures include:

Code of Ethics. This is the basic document of the compliance system, which indicates the crucial ethical principles and standards applicable in the company, both in the internal and external relations. In addition, it contains the values that guide the organisation in its operations.

Code of Conduct. The code of conduct contains specific procedures and behaviours that should be observed or restricted within the organisation. It is addressed, in particular, to all members of the organisation, but sometimes the circle is extended to include external entities.

Anti-corruption procedure. The procedure is designed to minimise the risk of abuse in the organisation. Effective compliance with this procedure prevents the risk of criminal liability for a person in a managerial position because of taking a private financial or personal advantage, abusing his or her powers or failing to fulfil his or her obligations. In addition, the implementation of an anti-corruption policy is an expression of lack of tolerance for corrupt behaviour and a confirmation that the organisation operates in accordance with ethical principles, which in turn strengthens its credibility with customers, investors and business partners.

Infringement reporting procedure. The procedure lays down the rules and guidelines for reporting potential irregularities and handling of such reports.

AML procedures. AML procedures relate to the obligations arising from the Act on Counteracting Money Laundering and Terrorist Financing, and their implementation is required by entities that are recognised as obliged institutions in the above-mentioned regulations. Their purpose is to prevent the flow and use of money from illegal sources.

Corporate governance procedures. This is a set of fundamental principles, practices and processes to manage and control an organisation. These principles are intended to strengthen the organisation’s management systems, in particular the areas related to risk management, compliance and internal audit function.

Personal data protection procedures (GDPR). In the case of some organisations, it is advisable that the compliance system also covers the processing of personal data, through the implementation of the GDPR privacy protection principles and organisational measures, because non-compliance with these principles may expose the organisation to the risk of severe administrative penalties.

Labour law procedures. Labour law procedures play a key role in the employment sphere, as they are an important source of information for employees on the principles in force in the organisation that they are obliged to follow. In addition, in many cases the procedures help protect against potential administrative, civil or criminal liability. The labour law-related policies include, among others, anti-mobbing policy and non-discrimination and equal treatment policy.

Environmental procedures. Environmental protection is an important and broad field in which every entrepreneur should ensure compliance. Environmental law comprises a number of legal acts, i.e. statutes and regulations, that entrepreneurs must observe. Any violations in this respect, such as a failure to comply with reporting obligations or a lack of the required permits, can have far-reaching negative consequences for the organisation. The procedures are intended to ensure compliance of the organisation’s activities with environmental laws and requirements, as well as with the current “green” trends in the industry.

The list above is for reference only and does not include all the procedures and policies that make up a compliance system. The documentation is always based on the needs of a given organisation, taking into account the regulations governing the type of business concerned. Not all of these procedures will be necessary in every case. The scope of the procedures may be narrower or broader, depending on individual needs.

Depending on the type of business of a given organisation, the following procedures and policies can also be implemented: a procedure for counteracting unfair competition, a code of conduct for concluding contracts, tax and accounting procedures, a procedure for the verification of contractors, and rules for the use of the car fleet.

We invite you to read our other articles on the subject of compliance:

Compliance – part VIII – procedures

The compliance system ensures that the organisation operates in compliance with legal regulations, industry rules and rules of ethics in areas susceptible to risk.

An effective compliance system requires creating appropriate tools, in particular policies, procedures and codes. The documentation to be implemented in the organisation as part of the compliance system is primarily determined by the scope of the organisation’s operations and type of risks present.

The documentation referred to above should in particular provide information about operating procedures within the organisation, roles and tasks of individual persons and rules of conduct, e.g. in the event of specific irregularities.

Standard procedures of the compliance system include:

  • Code of Ethics. The code is the base document of the compliance system, stipulating the most important rules and ethical standards applicable within the organisation, both in internal and external relations. It also specifies the values followed by a given organisation as part of its operations.
  • Code of Conduct. A document formulating specific practices and behaviours which should be followed or limited within the organisation. Such codes are addressed in particular to all members of a given organisation, but in some cases they may also apply to entities outside the organisation.
  • Anti-corruption procedure. The purpose of the procedure is to reduce the risk of any abuse within the organisation to a minimum. Its effective implementation prevents situations where the organisation becomes criminally liable because a person in an executive position abuses their rights or fails to comply with their duties as a result of accepting a financial or personal benefit. Furthermore, implementing an anti-corruption procedure is proof of the organisation’s zero-tolerance policy in respect of corruption and confirms that the organisation follows ethical rules, thereby improving the organisation’s credibility with customers, investors and business partners.
  • Abuse reporting procedure. The procedure specifies rules and guidelines concerning the reporting of potential irregularities and the investigation of such reports.
  • AML procedures. AML procedures are related to obligations resulting from the act on preventing money laundering and the funding of terrorism; entities considered to be obligated institutions under the terms of the act are required to implement its provisions. The purpose of implementing the provisions of the act is to prevent the flow and use of funds originating from illegal sources.
  • Corporate governance procedures. They are a set of primary rules, practices and processes used to manage the organisation and control its operations. The aim of the rules is to reinforce the management systems of the organisation, in particular in matters related to risk management, compliance and internal audit.
  • Procedures concerning the protection of personal data (GDPR). In certain organisations, it is recommended that the compliance system also cover the processing of personal data, through implementing rules governing the protection of privacy and organisational measures as per the GDPR, since failing to comply with personal data protection rules may expose the organisation to severe administrative penalties.
  • Procedures related to labour law. Procedures related to labour law play a key role in the area of employment, as they constitute an important source of information for employees on the rules applicable within the organisation that they must follow. Furthermore, in many cases such procedures allow the organisation to avoid potential administrative, civil and criminal liability. Procedures related to labour law include an anti-harassment policy and a non-discrimination and equal opportunity policy.
  • Procedures related to environmental protection. Environmental protection is an important and broad area where all businesses should ensure compliance. Environmental protection law includes a number of acts of law, i.e. statutes and regulations, that businesses must comply with. Breaching environmental regulations, for example by failing to comply with reporting obligations or failing to obtain required permits, may have far-reaching negative consequences for the organisation. The procedures are meant to ensure that the organisation’s actions comply with the provisions and requirements of environmental law, as well as with current “green” trends prevalent in a given industry.

The above is purely illustrative and is not an exhaustive list of all procedures and policies forming part of the compliance system. Such documentation is always drafted based on the needs of a given organisation and accounting for laws that regulate a given type of business activity. Implementing all of the above procedures will not be required in every case. The scope of implemented procedures may be narrower or broader, depending on individual needs.

Depending on the nature of operations of a given organisation, other procedures and policies that can be implemented include: preventing unfair competition, proper procedures when entering into contracts, tax policies, policies related to proper bookkeeping, business partner verification, and the use of company vehicles.

Please read our other articles on compliance:

Compliance – part VIII – Trainings – one of the ways to ensure the effectiveness of the compliance system

System compliance – VI – Risk assessment

Compliance – part IV – Compliance officer

Compliance – part III – Who is affected by the compliance system and how it is implemented.

Compliance – part II – compliance system

Compliance – part I – introduction

System compliance – VI – Risk assessment

In order for the compliance system to be effective and provide adequate protection, all the steps necessary for its implementation must be carried out, i.e. a comprehensive audit, an assessment of risk areas, the introduction of detailed procedures covering key risk areas, supervision and control of compliance with the procedures, as well as staff training, as discussed in the previous article: “Compliance – part II – compliance system”.

This article focuses on risk assessment. The assessment of risk present in an organisation depends on the organisation’s individual needs and circumstances. Conducting a risk assessment is necessary to develop the best possible preventive measures and risk monitoring procedures.

Undoubtedly, the process of introducing a compliance system must also be well planned. This means that a risk assessment is a key element of this process, as it is intended to prepare the basis for the further steps of the compliance system implementation. At this stage a plan is created that defines what actions need to be taken in order to minimise the risks or their consequences, should they materialise.

How to properly carry out a risk assessment? Risk assessment takes several steps. The first step is to identify risks. At this stage, the regulations and standards applicable to the organisation and the areas at risk of irregularities in the organisation are identified. That provides information about the risks present in the organisation and their potential impacts. The next step is to assess the impact of the identified risks on the organisation. The more risk-prone areas in the organisation are identified at this stage, the easier it is to establish tools that will prevent future damage. The analysis includes, in particular, legal, image-related, business, environmental and operational risks.

Based on the identification and assessment of the risks present in the organisation, an action plan is developed, which includes, in particular, the following elements: the development of methodologies and procedures for effective risk management; the selection of an appropriate tool to support the risk management process and ensure an appropriate response to risk; ongoing monitoring of the risk management solutions applicable in the organisation for their effectiveness and adequacy to market practices; the construction of risk reporting and monitoring mechanisms; and educational activities. Effective implementation of the prepared plan is of key importance here, as the effectiveness of the entire compliance system will largely depend on it.

Please read our other articles on compliance:


Compliance – part IV – Compliance officer

Compliance – part III – Who is affected by the compliance system and how it is implemented.

Compliance – part II – compliance system

Compliance – part I – introduction