Statutory auditors regularly process personal data obtained from their clients. They are therefore directly impacted by the General Data Protection Regulation (GDPR) that entered into force in May 2018.
This publication aims to clarify what role auditors play under GDPR, i.e. whether they act as data controllers or as data processors. This distinction matters as the responsibilities allocated to each role are different.
We conclude that, in principle, statutory auditors qualify as data controllers. For non-statutory audit services, we encourage practitioners to analyse the processing of personal data on a case-by-case basis to determine whether they will be considered data controllers or data processors. The respective roles and responsibilities should be stated in the engagement letter.