Back to EUR-Lex homepage

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search
You are here

Document 52012XX1106(01)

Executive summary of the Opinion of the European Data Protection Supervisor on the Commission proposals for a directive amending Directive 2006/43/EC on statutory audit of annual accounts and consolidated accounts, and for a regulation on specific requirements regarding statutory audit of public-interest entities

OJ C 336, 6.11.2012, p. 4–6 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

6.11.2012   

EN

Official Journal of the European Union

C 336/4

Executive summary of the Opinion of the European Data Protection Supervisor on the Commission proposals for a directive amending Directive 2006/43/EC on statutory audit of annual accounts and consolidated accounts, and for a regulation on specific requirements regarding statutory audit of public-interest entities

(The full text of this Opinion can be found in English, French and German on the EDPS website: http://www.edps.europa.eu)

2012/C 336/04

Introduction

Consultation of the EDPS

1.

On 30 November 2011, the Commission adopted a proposal concerning amendments to Directive 2006/43/EC on statutory audits (1). The amendments to Directive 2006/43/EC concern the approval and registration of auditors and audit firms, the principles regarding professional ethics, professional secrecy, independence and reporting as well as the associated supervision rules. On the same date, the Commission adopted a proposal for a regulation on statutory audit of public-interest entities (2), which lays down the conditions for carrying out such audits (hereinafter ‘the proposed regulation’). These proposals were sent to the EDPS for consultation on 6 December 2011.

2.

The EDPS welcomes the fact that he is consulted by the Commission and recommends that a reference to this Opinion is included in the preamble of the directive. A reference to the EDPS consultation has already been included in the preamble of the proposed regulation.

3.

In this Opinion, the EDPS addresses issues relating to Directive 2006/43/EC which go beyond what is covered by the proposed amendments. He emphasises the potential data protection implications of the Directive itself (3). The analysis presented in this Opinion is directly relevant for the application of the existing legislation and for other pending and possible future proposals containing similar provisions, such as those discussed in the EDPS Opinions on the legislative package on the revision of the banking legislation, credit rating agencies, markets in financial instruments (MiFID/MiFIR) and market abuse (4). Therefore, the EDPS recommends reading this Opinion in close conjunction with his Opinions of 10 February 2012 on the abovementioned initiatives.

Objectives and scope of the proposal

4.

The Commission considers audit firms as contributing players to the financial crisis, and seeks to address the role auditors played in the crisis — or indeed the role they should have played. The Commission also states that robust audit is key to re-establishing trust and market confidence.

5.

The Commission mentions that it is also important to stress that auditors are entrusted by law to conduct statutory audits of the financial statements of companies which enjoy limited liability and/or are authorised to provide services in the financial sector. This entrustment responds to the fulfilment of a societal role in offering an opinion on the truth and fairness of the financial statements of those companies.

6.

Finally, according to the Commission, the financial crisis has highlighted weaknesses in the statutory audit especially with regard to public-interest entities (PIE). These are entities which are of significant public interest because of their business, their size, their number of employees or their corporate status, or because they have a wide range of stakeholders.

7.

In order to address these concerns, the Commission has published a proposal to amend Directive 2006/43/EC on statutory audits, which concerns the approval and registration of auditors and audit firms, the principles regarding professional ethics, professional secrecy, independence and reporting as well as the associated supervision rules. The Commission has also proposed a new regulation on statutory audit of public-interest entities laying down the conditions for carrying out such audits.

8.

The Commission proposes that Directive 2006/43/EC shall apply to situations not covered by the proposed regulation. Therefore, it is important to introduce a clear separation between the two legal texts. This means that the current provisions in Directive 2006/43/EC that only relate to the performance of a statutory audit on the annual and consolidated financial statements of the public-interest entities are moved to and, as appropriate, amended in the proposed regulation.

Aim of the EDPS Opinion

9.

The implementation and application of the legal framework for statutory audits may in certain cases affect the rights of individuals relating to the processing of their personal data. Directive 2006/43/EC in its current and amended form and the proposed regulation contain provisions which may have data protection implications for the individuals concerned.

Conclusions

46.

The EDPS welcomes the attention specifically paid to data protection in the proposed regulation but identified some scope for further improvement.

47.

The EDPS makes the following recommendations:

rephrasing Article 56 of the proposed regulation and inserting a provision in Directive 2006/43/EC emphasising the full applicability of existing data protection legislation and replacing the multiple references in different articles of the proposed regulation with one general provision referring to Directive 95/46/EC as well as Regulation (EC) No 45/2001. The EDPS suggests that the reference to Directive 95/46/EC be clarified by specifying that the provisions will apply in accordance with the national rules which implement Directive 95/46/EC,

specifying the kind of personal information that can be processed under Directive 2006/43/EC and the proposed regulation, to define the purposes for which personal data can be processed by the competent authorities concerned and fix a precise, necessary and proportionate data retention period for the above processing,

in view of the risks concerned regarding transfers of data to third countries, the EDPS recommends adding to Article 47 of Directive 2006/43/EC that in the absence of an adequate level of protection an assessment should take place on a case-by-case basis. He also recommends including a similar reference and the assessment on a case-by-case basis in the relevant provisions of the proposed regulation,

replacing the minimum retention period of five years in Article 30 of the proposed regulation with a maximum retention period. The chosen period should be necessary and proportionate for the purpose for which data are processed,

mentioning the purpose of the publication of sanctions in the articles concerned in Directive 2006/43/EC and in the proposed regulation and explaining the necessity and proportionality of the publication in the recitals of both Directive 2006/43/EC and the proposed regulation. He also recommends that publication should be decided on a case-by-case basis and that a possibility to publish less information than currently required should be catered for,

providing for adequate safeguards regarding mandatory publication of sanctions to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an adequate period of time,

adding a provision in Article 66(1) of the proposed regulation saying that: ‘The identity of these persons should be guaranteed at all stages of the procedure, unless its disclosure is required by national law in the context of further investigation or subsequent judicial proceedings.’,

removing the wording ‘the principles laid down’ from Article 66(1)(c) of the proposed regulation.

Done at Brussels, 13 April 2012.

Giovanni BUTTARELLI

Assistant European Data Protection Supervisor

(1)  COM(2011) 778.

(2)  COM(2011) 779.

(3)  The EDPS was not consulted by the Commission on the proposal for a Directive 2006/43/EC on statutory audits; the Directive itself was adopted on 17 May 2006.

(4)  EDPS Opinions of 10 February 2012, available at: http://www.edps.europa.eu

Top