Insert Featured Image Caption
In accordance with the viewpoint of the Personal Data Protection Office (PDPO) of 4 November 2019 audit firms and auditors providing audit services on their behalf have the status of Personal Data Administrators. Thus, the new obligations related to the GDPR have been imposed on them.
In response to the standpoint of PDPO, on 25 November 2019, the Polish Chamber of Statutory Auditors (PIBR) published on its website proposals for new contract templates for carrying out the statutory financial statements` audits including:
- an amended sample of an audit contract to be used for the new agreements,
- an addendum to the audit contracts already concluded, according to which the audit firm is not a data processor but a data controller,
- a form of termination upon mutual consent of previously concluded personal data processing agreements,
- an addendum to the ongoing multiannual audit contracts supplementing them with a provision, according to which statutory auditors and audit firms act as independent data controllers while auditing financial statements.
New proposals for contract templates have already been submitted to the Audit Oversight Commission, which after verification may make comments on them.
Categories of personal data in audit contracts
A very general approach of PIBR to the provisions concerning personal data in sample contracts seems to be quite interesting. Although the rules of law do not contain any requirements concerning the form of personal data transmission, it is undoubtedly worth considering a more precise indication of the categories of personal data processed by an audit firm or a statutory auditor preparing the audit reports. However, this matter may be addressed in future announcements.
In view of the position adopted by the PDPO, audit firms should clarify their role and responsibilities as data controllers taken in their companies.
The statutory auditors supervise the purposes and methods of personal data processing in the context of the service performance. They decide what personal data they need for the audit and how these data are processed. The regulations oblige auditors to be independent from their clients, they are not bound by the clients` instructions - they must act in accordance with the applicable law. Therefore, the auditor and the client do not specify jointly the purposes and methods of the data processing, they are defined only by the appropriate regulations.
Protecting personal data by auditors
Article 2b of the Act of 11 May 2017 on Statutory Auditors, Audit Firms and Public Oversight (i.e. Journal of Laws of 2009, item 1421, as amended) directly specifies the methods of protecting the data processed by audit firms and statutory auditors. What are the statutory obligations for auditors?
According to the above-mentioned Act, audit firms are obliged to:
- allow only authorised persons to process personal data,
- issue a written declaration of the persons authorized to keep the processed data in confidence,
- provide regular tests and improvements of the technical and organisational measures applied,
- ensure secure communication on telephone networks,
- ensure protection against unauthorized access to IT systems,
- ensure data integrity in IT systems,
- determine the safe personal data processing procedures,
- review personal data processed at least every 5 years from the date of their acquisition.
Obligation to keep the data in confidence
It is also worth mentioning that the obligation to maintain professional secrecy (specified in Articles 78 and 95) shall not cease when one demands to disclose any information obtained in connection with the performance of the statutory auditor's profession or the performance of statutory tasks by the entities referred to in those provisions.
Moreover, pursuant to Article 48 of the above-mentioned Act, when conducting an audit, an audit firm may, by way of a written agreement, assign a natural person, a legal person or an organisational entity not having legal personality but entered in the relevant list, the task of carrying out certain audit activities on its behalf and account.
Protection of personal data by auditors - documentation required
Audit firms are obliged to keep internal records concerning the personal data protection, as well as to implement the appropriate personal data protection provisions in their service contracts.
Recommended actions in the area of personal data protection for audit firms and statutory auditors:
- developing a privacy policy that will, inter alia, describe the technical and organisational measures implemented and the policies defining the retention of personal data and the procedure for dealing with the data after the retention period;
- regular testing and improvement of the implemented security measures;
- regular, but not less frequent than every 5 years, review of personal data;
- issuing a written permission to process personal data;
- issuing a written declaration of the persons authorized to keep the processed personal data in confidence;
- implementing appropriate provisions to the audit contracts concluded with their clients;
- implementing an information clause;
- implementing a procedure for exercising the rights of the persons whose data are processed;
- establishing a procedure for dealing with the personal data infringements;
- creating records of the processing activities and records of all categories of the processing activities;
- signing a personal data processing agreement in the case of outsourcing the services.