


Auditors' information duty as data controllers


In response to a query submitted by the ICAC (the Spanish accounting regulator), the AEPD (Spanish Data Protection Authority) has confirmed that auditors have a data controller status.

 

According to the AEPD, the exercise of the audit activity requires, by legal mandate, independence with respect to the audited entity and retention of the information collected. These two obligations are incompatible with data processor status, since a processor must follow the data controller's instructions and, among other things, return or delete the data once the contractual service has been fulfilled.


Following a similar line of reasoning, but from another point of view, the German data protection authorities consider auditors to be data controllers, since they assume responsibility for the provision of a specialised professional service subject to professional secrecy and the duty of confidentiality.


Neither country, however, makes any reference to the auditors' duty to provide information, which derives from their data controller status under article 14 of the General Data Protection Regulation (GDPR). As is known, the GDPR obliges data controllers to inform data subjects about various aspects of the processing, e.g. the purposes of processing, the recipients of the data, the storage period, etc.


Auditors, in the performance of their activity, may have access to all types of personal data (names, surnames, e-mail addresses, postal addresses, bank accounts, etc.) of numerous categories of data subjects (employees, contact persons of customers, freelance customers or suppliers, contact persons of suppliers, potential suppliers, collaborators, notaries and many others), depending on the type of audited company. The list of data subjects whose data the auditor processes can be very long: so extensive that compliance with the information obligation may be excessive.


Article 14.5 of the GDPR exempts the controller from the obligation to inform in certain cases, given that the data has not been obtained from the data subject.


If we analyse the exceptions referred to in article 14.5 of the GDPR, we find, among others, the following:


The provision involves a disproportionate effort

This exception could apply to the audit exercise, since providing information to each of the data subjects involved in the audit would be as disproportionate as it would be ineffective.


The Regulation has deleted the requirement contained in Directive 95/46/EC that Member States should provide suitable safeguards for the application of this derogation. On that basis, the preceding Spanish Organic Data Protection Law (LOPD) required the Spanish Data Protection Authority, or the equivalent autonomous body, to determine in each case that informing the data subjects was indeed impossible or very difficult. Since the Regulation and the new Spanish Organic Data Protection Law (LOPDGDD) have omitted this mention and the corresponding procedure, it can be interpreted that the Regulation leaves it to the data controller to assess, and where appropriate prove, in each specific case whether the circumstances allowing the exemption exist, without the need for the Authority to authorise it.


In this regard, however, the position of the Article 29 Data Protection Working Party (WP 29), which opts for a restrictive application of this exception, must be taken into account. Any data controller seeking to rely on the exception has the duty to weigh the effort involved in providing the information to the data subjects against the effects on them of not receiving it, and that assessment must be documented in accordance with the accountability principle. In addition, the WP 29 maintains that data controllers who do not process personal data for archiving purposes in the public interest or for scientific or historical research purposes should not apply the exception systematically.


The collection or disclosure of personal data is expressly laid down by Union or Member State law to which the controller is subject

This exception is conditional on the establishment of appropriate measures to protect the legitimate interests of the data subjects. In this regard, auditors and audit firms are obliged under the Spanish Auditing Act to obtain from the audited entities as much information as they need to issue the audit report. The Act also provides for a duty of custody and secrecy of that information, which can be regarded as an appropriate measure aimed at protecting the legitimate interests of the data subjects.


Personal data must remain confidential subject to an obligation of professional secrecy

Article 31 of the Spanish Auditing Act establishes an obligation of secrecy covering all information that auditors come to know in the exercise of their activity, which may not be used for purposes other than those of the auditing activity itself. Therefore, in view of this statutory duty of professional secrecy, if auditors were to provide data subjects with the information referred to in article 14 GDPR, the obligation of professional secrecy owed to the audited entities could be breached.


In this sense, the German legislator has made use of the possibility of restricting these obligations conferred by article 23.1 of the GDPR and has expressly provided in article 29 of its Federal Data Protection Act (Bundesdatenschutzgesetz) that the obligation to inform the data subject does not apply to the extent that compliance with it would reveal information which, by its nature, in particular due to the overriding legitimate interests of a third party, must be kept confidential. Thus, the obligation to provide information to data subjects is understood not to be enforceable where it clashes with the auditor's duty of confidentiality, in line with the exception in article 14.5 d) referred to above.


The AEPD should take a stand on the matter and clarify whether auditors' obligation to inform is partially or entirely removed and, if so, on what basis. However, whichever exception applies, and whatever the scope of the exceptions is, auditors and audit firms should adopt appropriate measures to protect the rights, freedoms and legitimate interests of data subjects and to compensate for the lack of information. The compensatory measures will depend on the circumstances of the processing; according to the WP 29 guidelines, they can include publishing the information on the firm's website, proactively advertising it in a newspaper, or displaying it on posters at the firm's premises.

Contacts

Jorge Cabet

Lawyer, Data Protection Department Spain

Senior Associate

+34 91 5359 977