Clarification of the Data State Inspectorate on the Status of the Sworn Auditors and “No deal Brexit” Aspect

​On January 29^th, 2019 the Data State Inspectorate (DSI) released a clarification on whether sworn auditor processing personal data, while providing audit services to the client, shall be recognised as data controller or data processor for the General Data Protection Regulation (GDPR) purposes.

In its elaboration DSI firmly acknowledges that previously issued options of the Article 29 Data Protection Working Party, including Opinion 1/2010 on the concepts of controller and processor (Opinion 1/2010), remain to serve as guidelines for the legal assessment of the personal data processing operations under the GDPR.

In particular, DSI refers to the example 21 of the Opinion 1/2010 on barristers to describe specific cases, when a traditional role and/or professional experience of the service provider plays a paramount role for its qualification as a controller. Application of the aforementioned criterion by analogy allows DSI to conclude that the sworn auditors processing personal data, while providing audit services to the client under the corresponding service agreement, shall be qualified as data controllers. DSI acknowledges that a sworn auditor shall be recognised as a data controller only when acting in the course of the professional service as an individual merchant or a self-employed person. If a sworn auditor however is providing services to the client on behalf of the commercial company as an employee, DSI unequivocally qualifies such employer as a controller, which determines purposes and means of processing of the personal data in accordance with the Law on Audit Services and related bylaws. Although clarifying status of the sworn auditors and commercial companies of the sworn auditors processing personal data in the course of the professional service, DSI refrains from elaborating in the context of the audit services on the transfer of the personal data to the third countries, i.e. outside the European Union (EU) and European Economic Area (EEA).

In the light of the fact that no agreement has been reached so far between the EU and UK on “Brexit”, a potential deadlock may result in UK becoming a third country within the meaning of GDPR as of March 30th, 2019. It is hard to underestimate the impact of “No deal Brexit” on all aspects of the internal market, including personal data processing activities involving UK residents or undertakings. Therefore, it is highly advisable for the local businesses to review and adjust their internal procedures and practices regulating personal data transmission to and from the UK based cooperation partners in order to ensure compliance with the relevant EU and national legislation.