12.02.10

D: Auditor's Right of Access and Data Protection

Category: News
By: K. Schiefer - 2B Advice GmbH - the privacy benchmark

When annual financial statements are produced, the auditors examine a large number of business records. In so doing, they must comply with statutory data protection requirements.

Fundamentally, the auditor has a right of access under section 320, paragraph 2, sentence 1, of the German Commercial Code (HGB). This means that the auditor of the financial statements can ask the company's legal representatives for all the explanations and proof necessary to allow him/her to perform a thorough audit.

However, almost all business records contain personal information, as defined in section 3, paragraph 1, of the German Data Protection Act (BDSG), relating not only to customers of the business but also and especially to employees. Although section 320, paragraph 2, sentence 1, of the HGB grants the auditor what studies of commercial law (e.g. Baumbach/Hopt, HGB, section 320) describe as a very extensive right of access, this must nevertheless be measured against what is normally permissible under data protection legislation.

The handover of business records to an auditor must be categorized as data transmission in terms of data protection legislation.

This transmission might be permissible if all employees consented to the lists being passed on to the auditor. As a rule, this will not be the case, so a permissive rule must come into play in the data protection legislation. A likely candidate is section 28, paragraph 1, sentence 1, item 2, of the BDSG. The business has a justifiable interest in producing a correct and legally compliant set of annual financial statements.

The principle of necessity must be considered in this case: there must be no less drastic means available by which the financial statements can be produced with equal success. For certain information, proof could be based on anonymized statistical data. Nonetheless, here too we must bear in mind that it has to be possible for the auditor to review the statistical data independently.

Businesses should be aware that section 320, paragraph 2, sentence 1, of the HGB is not a special law taking precedence over the BDSG, since it does not explicitly govern the processing of personal information. Such explicit regulation, however, is absolutely essential for the subsidiarity of the BDSG to apply. Businesses should confer with their data protection officers as to which information is necessary for which purposes. In addition, the auditors should be asked, above all, to state the exact purposes of the information they have requested.
