Information on processing of personal data in audit engagements

Background

When personal data is processed, the controller has a duty to provide certain information to the data subjects. As a consequence of the audit engagement, any statutory supplementary engagements and audit advice that may be attributed to such engagements (jointly referred to as “the Audit Engagement”), personal data will be processed by the Audit Firm and its network firms, if any. For this reason, the following information is provided.

The Audit Firm’s processing of personal data

The Audit Firm needs to have access to certain personal data in order to be able to perform the Audit Engagement in accordance with applicable laws and regulations, generally accepted auditing standards and professional ethics for accountants in Sweden.

The Audit Firm will process personal data obtained from the audit client, its group companies (if applicable), or another entity, for example the Swedish Tax Agency or the Swedish Companies Registration Office or publicly available sources, in order to perform and document the Audit Engagement. Personal data will be processed in accordance with applicable law. Such processing is necessary in order to fulfil legal obligations to which the Audit Firm, or a statutory auditor within the firm, who has undertaken to perform the Audit Engagement is subject.

For these purposes, the Audit Firm will process information that may contain personal data, for example payroll files, board minutes and other documents related to the activities of the audit client and any group companies of the latter. The categories of personal data that may be processed include:

  1. contact details such as name, address, telephone number and e-mail address,
  2. data on employment and employee number, departmental affiliation, position and period of employment,
  3. data concerning health and absence, for example medical certificates and data concerning sickness absence, leave of absence and parental leave,
  4. trade-union affiliation,
  5. personal identity number/coordination number,
  6. data on financial circumstances such as bank account details, data on salary and other benefits, insurance details and registration number details for a company car,
  7. data on insurance policies or pensions, or
  8. other categories of personal data that may be required as a consequence of the review in accordance with generally accepted auditing standards and professional ethics for accountants.

The Audit Firm will also process certain personal data in order to perform independence checks, quality checks, checking of conflicts of interest, measures under the Act on Measures against Money Laundering and Terrorist Financing and risk management measures (such as insurance matters) and in order to carry out internal financial reporting. The Audit Firm also has certain duties under applicable law to provide information to authorities or another external party (for example a new auditor). The processing of personal data for the purposes indicated in this clause is necessary for the Audit Firm to fulfil a legal obligation. With regard to risk management measures, the processing is necessary for the Audit Firm’s legitimate interest in managing risks and any claims.

The Audit Firm may also process the contact details of employees of the audit client and its group companies (if applicable) in order to provide information on seminars and other events that the Audit Firm arranges and in order to send newsletters and other marketing material. Processing for such purposes is necessary for the Audit Firm’s legitimate interest in being able to reach out to employees at clients who may be interested in events, marketing and news in areas that are relevant to the positions of these persons.

Transfer to third countries

Personal data may be processed by the Audit Firm’s network firms and other entities engaged by the Audit Firm for the purpose of carrying out the measures referred to above on behalf of the Audit Firm; they may be based either in or outside the EU/EEA. In the transfer of personal data for processing in a country outside the EU/EEA that does not guarantee an adequate level of protection, the Audit Firm is responsible for personal data being covered by appropriate safeguards [for example through standard data protection clauses adopted by the European Commission under Article 46 of the General Data Protection Regulation,[1]] and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Recipients of the information

The Audit Firm is obliged to ensure that the information processed as a result of the Audit Engagement does not become available to unauthorised persons, which means that personal data will be processed confidentially. Only those persons who are members of the audit team or who are consulted by the audit team will have access to the personal data.

The Audit Firm may disclose the personal data to network firms for purposes related to performance of the services and otherwise for those purposes stated in this document. The Audit Firm may also disclose personal data to another recipient if such an obligation exists under applicable laws and regulations, professional obligation or the decision of an authority (for example to a new auditor).

Security in processing of personal data

The procedures and reviews performed within the framework of the Audit Engagement are covered by a statutory duty of confidentiality, which means that personal data processed under the Audit Engagement and for other stated purposes is also covered by such confidentiality. The Audit Firm ensures that the personal data processed is protected by necessary technical and organisational security measures having regard to what is appropriate in relation to the nature and sensitivity of the personal data. The Audit Firm’s system and organisation are arranged such that unauthorised persons do not have access to the personal data processed as a consequence of the Audit Engagement.

Storage of personal data

Personal data will be processed during the time needed to perform the Audit Engagement, and the data will then be retained in order to document the Audit Engagement for at least ten years from the end of the financial year in which the review was concluded in accordance with applicable laws and regulations, generally accepted auditing standards and professional ethics for accountants in Sweden.

Rights of the data subject

Data subjects have the right in certain cases to request access to and rectification or erasure of their personal data and the right to request restriction or to object to processing. Data subjects also have the right to lodge a complaint with a supervisory authority concerning the processing. An audit means that the audit client’s information for a particular financial year is reviewed at certain times during this year and during a certain time thereafter, which means that updating/rectification of personal data will not be relevant in this type of engagement after the audit procedure has been performed. Furthermore, the information and data that the auditor sees within the framework of the Audit Engagement are covered by a statutory duty of confidentiality, which means that the Audit Firm normally must not disclose such information. In addition, the Audit Firm is obliged to document audit engagements performed and retain the documentation for at least ten years from the end of the financial year in which the review was concluded, which means that it is not permitted to amend/erase personal data included in such documentation beforehand. For the reasons mentioned, neither is it possible for the Audit Firm/auditor on request from a data subject to restrict or limit any processing of personal data that takes place as a consequence of the Audit Engagement. With regard to the Audit Firm’s processing of personal data for marketing purposes, however, data subjects have the right to request erasure, rectification and restriction and to object to the processing of their personal data for such purposes.


[1] Comment: These are available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.

Information on processing of personal data in filing systems for acceptance and handling of clients and engagements

Background

When personal data is processed, the controller has a duty to supply certain information to the data subjects. As a consequence of the engagement, personal data will be processed by the Audit Firm/Contractor and by its network firms, if any. For this reason, the following information is provided.

The Audit Firm’s/Contractor’s processing of personal data

The Audit Firm/Contractor will process personal data in accordance with applicable law. The personal data that will be processed is obtained from the client, its group companies (if applicable) or another entity, for example the Swedish Tax Agency, the Swedish Companies Registration Office or publicly available sources, and relates to authorised representatives, beneficial owners and other persons whose personal data is needed to deal with the client relationship. The personal data is processed prior to the acceptance of clients and/or engagements and as a consequence of the performance of the engagement in order to undertake [checks of independence,] quality checks, checking of conflicts of interest, measures under the Act (2017:630) on Measures Against Money Laundering and Terrorist Financing (“the Anti-Money Laundering Act”) and in order to document measures taken. Such processing is necessary in order to fulfil the legal obligations of the Audit Firm, or a statutory auditor within the firm/the Contractor, [who/which] has undertaken to perform the engagement [and is necessary for the Contractor’s legitimate interest in fulfilling professional duties]. The Audit Firm/Contractor may also process personal data for other risk management measures (such as insurance matters) and in order to carry out internal financial reporting. This processing is necessary for the Audit Firm’s/Contractor’s legitimate interest in managing risks and any claims.

The categories of personal data that may be processed for the above-mentioned purposes include contact details such as name, address, personal identity number/coordination number, telephone number, e-mail address and details of departmental affiliation and position. In connection with registration of the client the Audit Firm/Contractor may also process copies of identity documents for those persons who represent the client within the framework of the customer due diligence measures taken under the Anti-Money Laundering Act.

The Audit Firm/Contractor may also process personal data such as name, departmental affiliation, position and e-mail addresses in order to provide information on seminars and other events that the Audit Firm/Contractor arranges and in order to send newsletters and other marketing material. Processing for such purposes is necessary for the Audit Firm’s/Contractor’s legitimate interest in being able to reach out to employees at clients who may be interested in events, marketing and news in areas that are relevant to the positions of these persons.

Transfer to third countries

Personal data may be processed by the Audit Firm’s/Contractor’s network firms and other entities engaged by the Audit Firm/Contractor for the purpose of carrying out the measures referred to above on behalf of the Audit Firm/Contractor; they may be based either in or outside the EU/EEA. In the transfer of personal data for processing in a country outside the EU/EEA that does not guarantee an adequate level of protection, the Audit Firm/Contractor is responsible for personal data being covered by appropriate safeguards [for example through standard data protection clauses adopted by the European Commission under Article 46 of the General Data Protection Regulation,[1]] and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Recipients of the information

The Audit Firm/Contractor is obliged to ensure that the information processed as a consequence of the engagement does not become available to unauthorised persons, which means that personal data will be processed confidentially.

The Audit Firm/Contractor may disclose personal data to network firms or another entity engaged by the Audit Firm/Contractor for the purpose of checking and maintaining the impartiality and independence of the Audit Firm/Contractor, carrying out quality checks and taking other risk management measures, as well as sending invitations to events and other marketing material. The Audit Firm/Contractor may also disclose personal data to insurance companies or legal advisers in connection with a judicial procedure to the extent required to enable the Audit Firm/Contractor to look after its legal interests or to another recipient if such an obligation exists under applicable laws and regulations, professional obligation or decision of an authority.

Security in processing of personal data

The Audit Firm/Contractor is responsible under applicable law for the personal data that is processed being protected by necessary technical and organisational security measures, having regard to what is appropriate in relation to the nature and sensitivity of the personal data. The Audit Firm’s/Contractor’s system and organisation are arranged so that unauthorised persons do not have access to the personal data processed as a consequence of the engagement.

Storage of personal data

The personal data will not be processed for a longer time than is necessary for the purposes for which the personal data is processed.

Rights of the data subject

Data subjects have the right in certain cases to request receipt of information concerning whether personal data relating to the data subject is processed, and if so to obtain access to the personal data in the form of what is known as an extract from a filing system. Data subjects furthermore often have the right to obtain the rectification of inaccurate personal data concerning them. Furthermore, data subjects may have the right to erasure of their personal data and the right to request restriction of the processing of personal data concerning the data subject or to object to such processing. Data subjects also have the right to lodge a complaint with a supervisory authority concerning the processing.

With regard to personal data processed in connection with the acceptance of clients and engagements and as a consequence of the engagement, the Audit Firm/Contractor is obliged to retain documentation in this respect for at least ten years. This means that it is not permitted to erase personal data included in such documentation beforehand, and sometimes neither is it permitted to rectify the data. For the reasons mentioned, it is not possible for [the Audit Firm/Contractor] in such cases on request from a data subject to restrict or limit the processing of personal data. With regard to the Audit Firm’s/Contractor’s processing of personal data for marketing purposes, however, data subjects have the right to request erasure, rectification and restriction and to object to the processing of their personal data for such purposes.


[1] Comment: These are available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
