GDPR questions and answers

Category:
Data Processing

Should an external audit be treated as a separate processing activity in the record of processing activities?

ANSWER

This should not be treated as a separate processing activity. The external auditor should nevertheless be entered in the controller's record of processing activities among data recipients — as a processor or separate controller — in those processing activities where they should be included. Therefore, if the external auditor has access to employee data, they should be entered among recipients in the employment processing activity; if they have access to client data, they should be entered among recipients in client-related processing activities. Note: a statutory auditor is also a recipient, but with the status of a separate controller: https://uodo.gov.pl/pl/225/1248.
