Executive summary of the Opinion of the European Data Protection Supervisor on the Commission proposals for a directive amending Directive 2006/43/EC on statutory audit of annual accounts and consolidated accounts, and for a regulation on specific requirements regarding statutory audit of public-interest entities.
The EDPS welcomes the fact that he is consulted by the Commission and recommends that a reference to this Opinion is included in the preamble of the directive. A reference to the EDPS consultation has already been included in the preamble of the proposed regulation. The financial crisis has highlighted weaknesses in the statutory audit, especially with regard to public-interest entities (PIE). To address these concerns, the Commission has published a proposal to amend Directive 2006/43/EC on statutory audits, which concerns the approval and registration of auditors and audit firms, the principles regarding professional ethics, professional secrecy, independence and reporting as well as the associated supervision rules. The Commission has also proposed a new regulation on statutory audit of public-interest entities laying down the conditions for carrying out such audits.
The EDPS notes that the Commission proposes that Directive 2006/43/EC shall apply to situations not covered by the proposed regulation. Therefore, it is important to introduce a clear separation between the two legal texts. This means that the current provisions in Directive 2006/43/EC that only relate to the performance of a statutory audit on the annual and consolidated financial statements of the public-interest entities are moved to and, as appropriate, amended in the proposed regulation.
The implementation and application of the legal framework for statutory audits may in certain cases affect the rights of individuals relating to the processing of their personal data. Directive 2006/43/EC in its current and amended form and the proposed regulation contain provisions that may have data protection implications for the individuals concerned.
The EDPS welcomes the attention specifically paid to data protection in the proposed regulation but identified some scope for further improvement and, accordingly, recommends the following:
· rephrasing Article 56 of the proposed regulation and inserting a provision in Directive 2006/43/EC emphasising the full applicability of existing data protection legislation and replacing the multiple references in different articles of the proposed regulation with one general provision referring to Directive 95/46/EC as well as Regulation (EC) No 45/2001. The EDPS suggests that the reference to Directive 95/46/EC be clarified by specifying that the provisions will apply in accordance with the national rules which implement Directive 95/46/EC;
· specifying the kind of personal information that can be processed under Directive 2006/43/EC and the proposed regulation, defining the purposes for which personal data can be processed by the competent authorities concerned and fixing a precise, necessary and proportionate data retention period for the above processing;
· in view of the risks concerned regarding transfers of data to third countries, the EDPS recommends adding to Article 47 of Directive 2006/43/EC that in the absence of an adequate level of protection an assessment should take place on a case-by-case basis. He also recommends including a similar reference and the assessment on a case-by-case basis in the relevant provisions of the proposed regulation;
· replacing the minimum retention period of five years in Article 30 of the proposed regulation with a maximum retention period. The chosen period should be necessary and proportionate for the purpose for which data are processed;
· mentioning the purpose of the publication of sanctions in the articles concerned in Directive 2006/43/EC and in the proposed regulation and explaining the necessity and proportionality of the publication in the recitals of both Directive 2006/43/EC and the proposed regulation. He also recommends that publication should be decided on a case-by-case basis and that a possibility of publishing less information than currently required should be catered for;
· providing for adequate safeguards regarding mandatory publication of sanctions to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an adequate period of time;
· adding a provision in Article 66(1) of the proposed regulation saying that: "The identity of these persons should be guaranteed at all stages of the procedure, unless its disclosure is required by national law in the context of further investigation or subsequent judicial proceedings."
Lastly, the EDPS analysis is directly relevant for the application of the existing legislation and for other pending and possible future proposals containing similar provisions, such as those discussed in the EDPS Opinions on the legislative package on the revision of the banking legislation, credit rating agencies, markets in financial instruments (MiFID/MiFIR) and market abuse. Therefore, the EDPS recommends reading this Opinion in close conjunction with his Opinions of 10 February 2012 on the abovementioned initiatives.