Under GDPR, statutory auditors qualify as independent data controllers (not data processors), meaning the audit firm must independently establish a legal basis for processing personal data, respond to data subject access requests, and comply with retention and security obligations under GDPR Articles 5, 6, and 32, alongside the ISA 230 documentation retention requirements.

What you’ll learn
  • Why statutory auditors are classified as data controllers under GDPR (not data processors) and what that means for your firm’s obligations
  • Which legal basis under GDPR Article 6 applies to the personal data you process during an audit
  • How to handle the tension between ISA 230 retention requirements and GDPR’s data minimisation principle
  • What data protection language belongs in your engagement letter and your firm’s privacy notice

Why auditors are data controllers, not processors

This is the classification question that determines everything else. Accountancy Europe’s 2023 position paper concluded that statutory auditors qualify as data controllers under GDPR Article 4(7). The reasoning: EU law requires statutory auditors to be independent from their clients. That independence means the auditor, not the client, determines the purposes and means of processing personal data. The client doesn’t tell the auditor which employee records to review, which bank confirmations to request, or which samples to select. The auditor decides. That decision-making authority makes the auditor the controller.

This is different from, say, a payroll service provider who processes data on the client’s instructions. That provider is a data processor under Article 4(8). The distinction matters because data controllers carry the full set of GDPR obligations: establishing a legal basis, implementing appropriate security measures, responding to data subject requests, conducting Data Protection Impact Assessments where required, notifying breaches, and maintaining a Record of Processing Activities (ROPA) under Article 30.

For non-statutory services (advisory work, agreed-upon procedures, tax compliance), the classification may differ. Accountancy Europe recommends a case-by-case analysis: does the firm determine the purposes and means of processing, or does the client? If the client instructs the firm on exactly what data to process and how, the firm may be a data processor for that engagement. But for statutory audit, the answer is clear.

The implication for your firm: you cannot rely on the client’s privacy notice to cover your processing. You need your own legal basis, your own privacy documentation, and your own data protection processes. If a data subject (an employee whose payroll data you reviewed, for example) sends an access request, that request comes to your firm, not to the client.

Legal basis: which GDPR Article 6 ground applies

GDPR Article 6(1) lists six legal bases for processing personal data. For statutory audit, two are relevant.

Article 6(1)(c): compliance with a legal obligation

In the Netherlands, the Wta (Wet toezicht accountantsorganisaties) and the BW (Burgerlijk Wetboek) Book 2, Title 9, require the statutory auditor to perform the audit and issue an opinion. ISA 500 requires the auditor to obtain sufficient appropriate audit evidence. That evidence includes personal data (employee names on payroll, director signatures, bank account details on confirmation letters). That legal obligation to perform the audit creates the legal basis for processing the personal data necessary to perform it.

Article 6(1)(f): legitimate interests

Where the processing goes beyond what is strictly required by statute (for example, running data analytics on the full population of sales transactions, including customer names, to identify anomalies), the legitimate interests basis may apply. Your legitimate interest as auditor is forming a correct audit opinion. Article 6(1)(f) requires balancing that interest against the data subjects’ rights. For most audit procedures, the balance favours the auditor because the data is processed for verification purposes, not for marketing or profiling, and the individuals’ reasonable expectations include that their employer’s financial statements will be audited.

Consent is almost never appropriate

Article 6(1)(a) (consent) is almost never appropriate for audit data processing. The auditor cannot condition the audit on individual employees consenting to have their data reviewed. Consent must be freely given (GDPR Article 7), and in an employer-employee relationship, consent is rarely considered free. Don’t use it.

For special category data under GDPR Article 9 (health data in sick leave records, trade union membership, ethnicity data in diversity reports), you need an additional legal basis. Article 9(2)(g) (processing necessary for reasons of substantial public interest) may apply where the statutory audit serves a public interest function. Article 9(2)(f) (processing necessary for the establishment or exercise of legal claims) provides an alternative where the audit evidence relates to a potential legal dispute. Document which basis you rely on for each category of special data.

What personal data audit teams actually process

Audit teams process more personal data than most team members realise. Mapping it is the first step to GDPR compliance.

Employee data from payroll testing includes names, employee numbers, salaries, bonus amounts, bank account numbers (for payment testing), national identification numbers (BSN in the Netherlands), dates of birth, and contract dates. If the client has a defined benefit pension scheme, the actuarial data file may include health status indicators.

Director and officer data from governance testing includes names, addresses, remuneration details, shareholdings, related party transaction details, and signatures on management representation letters. This data often appears in the financial statements themselves (IAS 24 disclosures) but the working paper copies are your firm’s separate processing.

Customer and supplier data from revenue and purchase testing includes names, addresses, invoice amounts, and bank details. If you send external confirmations under ISA 505, you process the counterparty’s name, address, account reference, and balance information.

Third-party personal data from external confirmations under ISA 505 is often overlooked. When you send a bank confirmation request, you include the client’s name, account numbers, and balance details. The bank’s response contains the same data. Both the request and the response are personal data processing by your firm.

Record of Processing Activities

Your firm needs a ROPA (GDPR Article 30) that lists each category of personal data processed during audit engagements, the legal basis for processing each category, the retention period, and the categories of recipients. Most mid-tier firms have a general ROPA. Few have one that specifically covers audit engagement data at this level of detail.

Retention: ISA 230 versus GDPR data minimisation

The tension between these two frameworks is real. GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of data subjects for no longer than necessary for the purposes for which it is processed. ISA 230.A23 requires the auditor to retain audit documentation for a period sufficient to meet the needs of the firm and in accordance with legal or regulatory requirements. In the Netherlands, the Wta requires audit firms to retain engagement files for at least seven years from the date of the auditor’s report.

Those two obligations point in opposite directions. GDPR says “delete when no longer necessary.” Dutch law says “retain for at least seven years.”

The resolution is GDPR Article 17(3)(b), which provides an exemption from the right to erasure where processing is necessary for compliance with a legal obligation. The Wta’s seven-year retention requirement is that legal obligation. During the retention period, your firm has a legal basis (Article 6(1)(c)) for retaining the personal data in the audit file. After the retention period expires, the legal obligation ends, and GDPR’s data minimisation principle kicks in. The data should be deleted or anonymised.

Build this into your firm’s data retention policy. At year seven (or whenever the Wta-mandated retention period expires for the engagement), trigger a review: is there any other legal basis for retaining the data? If not, delete or anonymise the personal data in the file. If the firm retains files beyond the statutory minimum (some firms retain for ten years as a matter of policy), that extended retention needs its own legal basis (typically legitimate interests under Article 6(1)(f), documented and balanced).

Practical considerations

Most firms archive engagement files as complete units. Selectively deleting personal data from within a file at year seven is operationally difficult. The alternative is destroying the entire file at the end of the retention period, which is simpler but loses non-personal audit methodology documentation. Your firm needs a policy that addresses this, even if the policy is “destroy the complete file at year seven plus one.” The point is that the policy exists, is documented, and is actually followed.

Data subject rights during and after an audit

Data subjects (the individuals whose personal data appears in your audit files) have rights under GDPR Articles 15 to 22. The most relevant for audit firms are the right of access (Article 15), the right to rectification (Article 16), and the right to erasure (Article 17).

Right of access

An employee of the audited entity could request a copy of all personal data your firm holds about them. This would include their payroll data in your working papers, their name in the sampling documentation, and any notes about them in the audit file. You must respond within one month (GDPR Article 12(3)). But there are exemptions. Article 15(4) prohibits disclosure where the data includes trade secrets or intellectual property of others. More practically, providing access to audit working papers could compromise audit confidentiality and professional secrecy obligations under ISA 200.A16 and the Wta. The Dutch GDPR implementation law (UAVG, Article 41) provides an exemption from the right of access where providing the data would compromise the proper performance of the supervisory task. For statutory auditors, the argument is strong that providing access to individual working paper extracts could compromise the integrity of the audit file.

Document your firm’s position on this. When a data subject access request arrives (and it will, eventually), you need a policy that explains how you assess the request, what exemptions apply, and what you disclose if any.

Right to erasure

An individual requests that you delete their personal data from your audit file. During the Wta retention period, you refuse under Article 17(3)(b). After the retention period, you comply (unless another legal basis applies). Document this in your privacy notice so data subjects know the position in advance.

Right to rectification

If an individual identifies that their personal data in your file is inaccurate (wrong salary figure, incorrect employee number), you assess whether the inaccuracy affects the audit evidence. If the data was correctly copied from the client’s records, your file accurately reflects the source. The “inaccuracy” is in the client’s records, not in your processing. Document the distinction.

Cross-border transfers within audit networks

If your firm is part of an international network (BDO, Grant Thornton, Mazars, RSM, or a smaller cross-border association), audit data may move across borders. Sharing a Dutch engagement file with a partner in the UK (post-Brexit, an adequacy decision country), a component auditor in India (no EU adequacy decision), or a quality reviewer in the US (limited adequacy coverage under the EU-US Data Privacy Framework) constitutes an international data transfer under GDPR Chapter V in each case.

Each transfer needs a legal mechanism. Adequacy decisions (GDPR Article 45) cover transfers to countries the European Commission has determined provide adequate data protection. Standard Contractual Clauses (SCCs, GDPR Article 46(2)(c)) cover transfers to all other countries and are the most common mechanism for audit network transfers. Binding Corporate Rules (BCRs, GDPR Article 47) are available to some larger networks that have obtained BCR approval.

If your firm sends engagement files to a component auditor in a non-adequate country, verify that the network’s SCCs are in place and that they cover the specific data categories being transferred. The Schrems II decision (CJEU, July 2020) requires you to assess whether the receiving country’s legal framework provides essentially equivalent protection. For practical purposes, most mid-tier firms rely on their network’s central SCC framework and conduct a Transfer Impact Assessment (TIA) at the network level.

Worked example: Dijkstra Logistics B.V.

Client scenario: Dijkstra Logistics B.V. is a Dutch freight forwarding company with €38 million revenue and 180 employees. Your audit team selects a payroll sample of 25 employees for substantive testing (ISA 530). External balance confirmations go to two banks (ING, Rabobank) and four major customers. Retention: the Wta-mandated seven years. Your firm is part of an international network with a component audit performed by the network’s Polish member firm.

Step 1: Map the personal data

Payroll sample: 25 employee records containing names, BSN numbers, gross salaries, net payments, bank account numbers. Director data: two managing directors’ names, remuneration, shareholdings, and signatures on the management representation letter. External confirmations: two bank confirmations (account holder names, account numbers, balances), four customer confirmations (contact person names, addresses, outstanding balances). Component audit: the Polish firm receives a group audit instruction containing the Dutch entity’s director names, materiality figures, key risk areas, and summary financial data.

Documentation note

Record the data categories in the engagement-level section of the firm’s ROPA. Legal basis: Article 6(1)(c) (legal obligation to perform the statutory audit under the Wta). For the BSN numbers specifically, record the additional legal basis under the Dutch UAVG.

Step 2: Confirm the engagement letter includes data protection language

The engagement letter includes a clause stating that the audit firm is an independent data controller under GDPR, that personal data will be processed for the purpose of performing the statutory audit, that the legal basis is Article 6(1)(c), that the data will be retained for seven years from the date of the auditor’s report, and that the firm’s privacy notice (available on the firm’s website) provides further detail on data subject rights.

Documentation note

Verify the data protection clause is present in the signed engagement letter. If using a standard template, confirm the template was updated to reflect current GDPR requirements. File the signed letter in the permanent section.

Step 3: Manage the cross-border transfer

The group audit instruction sent to the Polish member firm contains personal data (director names, possibly employee sample data if shared for component procedures). Poland is an EU member state, so the transfer does not require SCCs or an adequacy decision. GDPR applies directly.

Documentation note

Record the transfer in the ROPA. If the component auditor were in a non-EU, non-adequate country, SCCs would be required before transmitting the instruction.

Step 4: Plan for retention and deletion

The auditor’s report is dated 15 April 2026. The Wta retention period expires 15 April 2033. On that date (or within a reasonable period afterward), the firm’s file retention process triggers a review. If no legal hold or other basis for extended retention exists, the engagement file (including all personal data) is destroyed. The destruction is logged.

Documentation note

Set the retention expiry date in the firm’s archive management system at the time of engagement completion. Don’t rely on someone remembering in seven years.

Practical checklist

  1. Update your engagement letter template. Confirm that your firm’s engagement letter template includes a data protection clause identifying the firm as an independent data controller, stating the legal basis for processing (Article 6(1)(c) for statutory audit), the retention period, and a reference to the firm’s privacy notice (GDPR Article 13).
  2. Maintain an audit-specific ROPA. Maintain a ROPA (GDPR Article 30) that covers audit engagement data specifically, not only HR and marketing data. The ROPA should list the categories of personal data processed per engagement type, the legal basis, the retention period, and the categories of recipients (including network firms and regulators).
  3. Identify special category data. For each engagement, identify whether special category data (GDPR Article 9) is processed. If sick leave records, health data, or trade union membership data appears in the audit file, document the specific Article 9(2) basis relied on.
  4. Set retention expiry dates. Set the Wta seven-year retention expiry date in your archive system at engagement completion. When the date arrives, delete or destroy the file unless another legal basis for extended retention exists. Log the destruction.
  5. Verify cross-border transfer mechanisms. If your firm transfers engagement data to a component auditor or network firm outside the EU/EEA, verify that SCCs (or an adequacy decision or BCRs) cover the transfer before sending the data. Document the transfer mechanism in the ROPA.
  6. Establish a data subject access request procedure. Establish a procedure for responding to data subject access requests that specifically addresses audit working papers, including which exemptions apply (professional secrecy, UAVG Article 41) and who in the firm is authorised to respond.

Common mistakes

  • Not having a data protection clause in the engagement letter. The Accountancy Europe position paper flagged this as the most common gap across European audit firms. If the engagement letter doesn’t address data protection, the client’s employees have no notice that the audit firm is processing their personal data as an independent controller. That’s an Article 13 transparency violation.
  • Confusing “data controller” with “data processor” for statutory audit. Some firms include data processing agreements (DPAs) in their engagement letters, treating themselves as the client’s data processor. For statutory audit, this is incorrect. The firm is a controller. A DPA implies the client instructs the firm on how to process data. The entire point of auditor independence is that the client does not give those instructions. Using the wrong agreement creates legal confusion about the firm’s GDPR role.
  • Retaining engagement files indefinitely without a legal basis. GDPR requires a defined retention period. “We keep everything forever because storage is cheap” is not a legal basis. After the Wta’s seven-year minimum expires, continued retention requires a documented justification. The Dutch Autoriteit Persoonsgegevens (AP) has fined organisations for retaining personal data beyond the period justified by their stated purpose.


Frequently asked questions

Are statutory auditors data controllers or data processors under GDPR?

Statutory auditors qualify as independent data controllers under GDPR Article 4(7). Accountancy Europe’s 2023 position paper confirmed this classification. Because EU law requires auditors to be independent from their clients, the auditor determines the purposes and means of processing personal data. The client does not instruct the auditor which records to review or samples to select, making the auditor the controller with the full set of GDPR obligations.

What is the legal basis for processing personal data during an audit?

The primary legal basis is GDPR Article 6(1)(c): compliance with a legal obligation. The Wta and BW Book 2, Title 9 require the statutory auditor to perform the audit, and ISA 500 requires obtaining sufficient appropriate audit evidence, which includes personal data. Article 6(1)(f) (legitimate interests) may apply for processing beyond what is strictly required by statute, such as running data analytics on the full population of transactions.

How long can audit firms retain engagement files containing personal data?

In the Netherlands, the Wta requires audit firms to retain engagement files for at least seven years from the date of the auditor’s report. During this period, GDPR Article 17(3)(b) provides an exemption from the right to erasure because the retention is necessary for compliance with a legal obligation. After the seven-year period expires, GDPR’s data minimisation principle applies, and the data should be deleted or anonymised unless another legal basis for extended retention exists.

What personal data do audit teams actually process?

Audit teams process employee data from payroll testing (names, salaries, bank accounts, national ID numbers), director and officer data from governance testing (remuneration, shareholdings, signatures), customer and supplier data from revenue and purchase testing (names, addresses, invoice amounts), and third-party data from external confirmations under ISA 505. Firms need a Record of Processing Activities that covers all these categories specifically for audit engagement data.

What data protection language should be in the audit engagement letter?

The engagement letter should include a clause stating that the audit firm is an independent data controller under GDPR, that personal data will be processed for the purpose of performing the statutory audit, that the legal basis is Article 6(1)(c), that data will be retained for seven years from the auditor’s report date, and that the firm’s privacy notice provides further detail on data subject rights. Accountancy Europe flagged the absence of this clause as the most common gap across European audit firms.

Further reading and source references

  • GDPR (Regulation (EU) 2016/679): Articles 4(7), 5, 6, 9, 13, 15–17, 30, 32, 45–47 on data controller obligations, legal bases, data subject rights, and international transfers.
  • Accountancy Europe Position Paper, 2023: classification of statutory auditors as data controllers under GDPR.
  • ISA 230, Audit Documentation: paragraph A23 on retention requirements.
  • Wta (Wet toezicht accountantsorganisaties): seven-year retention requirement for audit engagement files in the Netherlands.
  • UAVG (Uitvoeringswet AVG): Dutch GDPR implementation law, including Article 41 on exemptions from the right of access.
  • Schrems II (CJEU C-311/18, July 2020): requirements for assessing adequacy of data protection in receiving countries for international transfers.