According to the Directive, reports can be made by people working in the private or public sector who have obtained information about violations in a work-related context, including:

a) individuals with the status of an employee under Article 45(1) TFEU, including civil servants,

b) individuals with the status of self-employed as defined in Article 49 TFEU,

c) shareholders or partners, as well as persons on the administrative, managing, or supervisory board of a company, including non-executive members, and volunteers and interns, regardless of whether they receive remuneration,

d) individuals working under the supervision and direction of contractors, subcontractors, and suppliers,

e) individuals whose employment relationship is yet to be established, in cases where the information about the violations was obtained during the recruitment process or other pre-contractual negotiations.

According to the current Directive, reports may concern:

1) public procurement,

2) services, products, and financial markets, and prevention of money laundering and terrorist financing,

3) product safety and compliance with requirements,

4) transport safety,

5) environmental protection,

6) radiological protection and nuclear safety

7) food and feed safety, animal health and welfare,

8) public health,

9) consumer protection,

10) privacy and personal data protection, and network and information system security,

11) breaches affecting the financial interests of the Union, as referred to in Article 325 TFEU and detailed in relevant EU measures,

12) breaches relating to the internal market, as referred to in Article 26(2) TFEU, including breaches of EU competition rules and state aid, as well as breaches relating to the internal market in terms of activities constituting a breach of corporate tax regulations or practices aimed at obtaining a tax advantage contrary to the purpose or intent of the applicable corporate tax regulations.

Conditions for protecting persons making a report

Persons making a report qualify for protection under the Directive, provided that:

a) they had reasonable grounds to believe that the information on violations being reported is true at the time of making the report and that such information falls within the scope of this directive, and

b) they made an internal report in accordance with Article 7 or an external report in accordance with Article 10 or made a public disclosure in accordance with Article 15 of the Directive.

Information on the processing of personal data of the Whistleblower

In accordance with Articles 13 and 14 of the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (...) ("General Regulation", hereinafter GDPR), Norlys S.A. informs that:

  1. The Administrator of your personal data is Norlys S.A. with its registered office in Nowy Sącz, at Zawiszy Czarnego 7, 33-300 Nowy Sącz, Poland; Tax ID: PL 734 00 19 367.
  2. Your personal data will be processed for purposes related to reported legal violations, based on: Article 6(1)(e) GDPR, that is, the performance of a task carried out in the public interest, which is the analysis of the submitted violation report and taking subsequent actions by the UJ following the provisions of the Directive of the European Parliament and the Council (EU) 2019/1937 of 3 October 2019 on the protection of persons who report breaches of Union law.
  3. The data administrator obtained your personal data: directly from you, at the time of reporting the violation referred to in point 3 above; from a person who reported the violation referred to in point 3 above in the report. The scope of your personal data may include: name and surname, position, place of work, contact details, and other data necessary to consider the report of the violation and provided by the person reporting the violation.
  4. Your personal data will be stored no longer than is necessary and proportional to ensure compliance with the requirements established in the Directive mentioned above or other requirements established in EU or national law.
  5. The Administrator ensures the confidentiality of your personal data in connection with the received report. Your personal data will be processed in accordance with the principles set out in Article 5 of the GDPR, in particular in accordance with the principle of data minimization, i.e., they will be processed to the minimum extent necessary to achieve the purpose of their processing, which is to consider the report and take subsequent actions. Your data will be processed only by authorized persons considering the report and obliged to maintain its confidentiality. Your data may be disclosed only to entities authorized to do so under the law, and to entities to which the administrator has entrusted the processing of personal data.
  6. You have the right to request access to your personal data, as well as their rectification (correction). You also have the right to request the deletion or limitation of processing, as well as to object to processing, although this right applies only if further processing is not necessary for the Administrator to comply with a legal obligation and there are no other overriding legal grounds for processing.
  7. You have the right to lodge a complaint about the Administrator's processing to the President of the Personal Data Protection Office (
  8. Your personal data will not be disclosed to a third country or international organization.
  9. Your personal data will not be subjected to profiling or automated decision-making.
  10. Providing data is voluntary.

Application form

Name and surname (optional)
Contact data (optional)
Application description