Marta Wiśniewska

Attorney at law (Poland)
Senior Associate
Phone: +48 22 244 00 22

An official standpoint of the Polish Personal Data Protection Office (PDPO) on the status of auditors was published on the office’s website on 7 November 2019.

Until then, the status of auditors (i.e. audit firms) had not been entirely clear. As a result, entities hiring such firms, e.g. to have their financial statements audited, had many doubts about whether to conclude a personal data processing agreement with them. They were also unsure how to identify the scope of the data provided for processing or what the rules of procedure were after contract termination (e.g. after the financial statements were audited).

Despite the practical doubts and concerns about the purpose, most audit firms and their clients concluded personal data processing agreements regularly (annually or even more frequently, depending on the engagement).

Position of the PDPO

As the PDPO was receiving numerous enquiries, including from the Polish Chamber of Statutory Auditors, the authority issued an official decision as to whether auditors are data controllers in the context of their services.

The PDPO says, above all, that to determine the status of an entity (e.g. whether the entity was the controller or the processor in the processing operations), it is key to determine whether the entity achieves its own purposes in its own manner or whether it processes the data on behalf of the data controller to serve the latter’s purpose. It emphasises that, in the performance of their tasks, audit firms and auditors are not bound by the client’s instructions and must comply with the applicable law. So the PDPO’s opinion suggests that, due to the nature of the relationship between audit firms / auditors and their clients, they fulfil the roles of independent data controllers.

Contract with audit firms

The approach of the PDPO is very important in practice.

The fact that an audit firm is not a processor but an independent controller in the audit engagement means in practice that:

  • an additional personal data processing agreement does not have to be concluded with an audit firm (it will be inappropriate to conclude such an agreement),
  • it will no longer be necessary to verify, before concluding a contract for audit, whether the audit firm complies with the GDPR requirements, e.g. by means of supplier questionnaires often used by businesses.

However, this does not mean that the issue of personal data processing will not be important when formulating contracts with audit firms.

An engagement agreement concluded with an audit firm must now include relevant clauses regulating the status of the parties in terms of personal data processing and potential liability in this regard. It is also advisable to regulate the rules for exchanging personal data between the parties.

You should also check which of the recently concluded contracts need to be amended – this applies, above all, to contracts which are currently underway.

If you are interested in our support in GDPR issues, please contact Rödl & Partner experts in Cracow, Gdansk, Gliwice, Poznan, Warsaw or Wroclaw.
