Data protection regulations must be observed
by K. Schiefer
When preparing the annual financial statements, auditors inspect a large number of company documents. Data protection regulations must also be observed.
In principle, the auditor has a right of inspection under Section 320 (2) sentence 1 HGB. This provision states that the auditor may request from the legal representatives all information and evidence necessary for a thorough audit. However, almost all company documents contain personal data within the meaning of Section 3 (1) BDSG, not only of the company's customers but also, in particular, of its employees.
Even though the commentaries on commercial law (e.g. Baumbach/Hopt, HGB, Section 320) read Section 320 (2) sentence 1 HGB as granting the auditor a very comprehensive right of inspection, that right must nevertheless be measured against the admissibility standards of data protection law.
Handing company documents over to auditors is to be classified as a transfer under data protection law. Such a transfer would be permissible if all employees had consented to the transfer of the lists. As a rule, this will not be the case, so a statutory permission under data protection law must apply. Section 28 para. 1 sentence 1 no. 2 BDSG comes into consideration as such a permission.
The company has a legitimate interest in preparing correct and legally compliant annual financial statements. Above all, the principle of necessity must be observed: there must be no milder means by which the annual financial statements could be prepared with the same success.
For example, certain information can also be verified using anonymized statistical data. Here, too, it must be taken into account that the auditor must of course be able to check the statistical data. Companies should note that Section 320 (2) sentence 1 HGB is not a special law that takes precedence over the BDSG, because it does not explicitly regulate the processing of personal data, and such explicit regulation is precisely what the subsidiarity of the BDSG requires before another statute can displace it. Companies should consult with their data protection officer to determine which information is required for which purposes. In particular, the exact purposes for which the requested data are needed must be obtained from the auditors.