Internal and External Audit: When Is It Appropriate to Grant Authorisation to Auditors, and When Is a Data Processing Agreement Required?
ANSWER
Internal audit, meaning an audit conducted by employees of the audited organisation: if the audit activities require access to personal data, the Controller grants the personnel entrusted with conducting the internal audit authorisations to process personal data.
External audit, meaning an audit commissioned by the organisation but conducted by an independent, external entity: if the commissioned activities involve access to personal data, a data processing agreement must be concluded in accordance with Article 28 GDPR, unless the audit is conducted by an entity acting on the basis of, and by virtue of, generally applicable statutory provisions (e.g. the examination of a company's financial statements by a statutory auditor). In that case a data processing agreement is not required, because such an entity is regarded as a separate data controller.