GDPR questions and answers

Category: Documentation and Procedures

Should external audits be listed separately in the record of processing activities?

ANSWER

I would not treat this as a separate process. However, the external auditor should be entered in the record of processing activities in the column dedicated to data recipients – as a processor or separate controller, in all those processes where, given their involvement, they should be included.

Therefore, if the external auditor has access to employee data, they should be included as a data recipient in the employment process; if they have access to our customers' data, they should be included as a data recipient in customer-facing processes. Please note: a statutory auditor engaged by the organisation is also a data recipient, but in performing their activities within and on the basis of legislation they generally have the status of a separate controller.

External audits in the record of processing activities | ODO 24