In response to the position of the PDPO, on 25 November 2019 the Polish Chamber of Statutory Auditors (PIBR) published on its website proposals for new contract templates for carrying out statutory audits of financial statements, including:
PIBR's very general approach to the personal data provisions in the sample contracts is quite interesting. Although the law does not lay down any requirements concerning the form in which personal data are transmitted, it is undoubtedly worth considering a more precise indication of the categories of personal data processed by an audit firm or a statutory auditor preparing the audit reports. However, this matter may be addressed in future announcements.
In view of the position adopted by the PDPO, audit firms should clarify the role and responsibilities they assume as data controllers within their companies.
Statutory auditors determine the purposes and methods of personal data processing in the context of performing the service. They decide what personal data they need for the audit and how these data are processed. The regulations oblige auditors to be independent from their clients: they are not bound by the clients' instructions and must act in accordance with the applicable law. Therefore, the auditor and the client do not jointly specify the purposes and methods of the data processing; these are defined only by the applicable regulations.
Article 2b of the Act of 11 May 2017 on Statutory Auditors, Audit Firms and Public Oversight (i.e. Journal of Laws of 2009, item 1421, as amended) directly specifies the methods of protecting the data processed by audit firms and statutory auditors.
What are the statutory obligations for auditors?
According to the above-mentioned Act, audit firms are obliged to:
It is also worth mentioning that the obligation to maintain professional secrecy (specified in Articles 78 and 95) does not cease when a request is made to disclose information obtained in connection with the practice of the statutory auditor's profession or the performance of statutory tasks by the entities referred to in those provisions.
Moreover, pursuant to Article 48 of the above-mentioned Act, when conducting an audit, an audit firm may, by way of a written agreement, entrust a natural person, a legal person or an organisational entity not having legal personality but entered in the relevant list with the task of carrying out certain audit activities on its behalf and for its account.
Audit firms are obliged to keep internal records concerning personal data protection, as well as to include appropriate personal data protection provisions in their service contracts.