ARTICLE 29 Data Protection Working Party


02294/07/EN
WP 143

8th Directive on Statutory Audits
Opinion 10/2007 by the Article 29 Working Party

Adopted on 23 November 2007

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

The secretariat is provided by Directorate C (Civil Justice, Rights and Citizenship) of the European Commission, Directorate General Justice, Freedom and Security, B-1049 Brussels, Belgium, Office No LX-46 01/43.

Website: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm

I. Introduction

On 15 February 2007, the Article 29 Working Party examined a working document presented by DG Internal Market on transfers to third country public regulators of audit working papers containing personal data. The working paper explains the EU legal regulatory framework set up by Directive 2006/43/EC [1] on statutory audits of annual accounts and consolidated accounts (the 8th Directive).

[1] OJ L 157, 9.6.2006, p. 57

The 8th Directive provides for the conditions to carry out the statutory auditing activity and sets out an independent public oversight for statutory auditors by Member States. The 8th Directive also contains specific provisions relating to the cooperation between public oversight bodies from Member States and competent authorities of third countries. Such cooperation should include the exchange, with third country authorities, of the auditor's working papers and other documents held by European audit firms.

The Working Party is pleased to comment on the regulatory framework applying to such information exchange on the basis of the working document referred to above and of the comments received by Member States in this connection.

II. The legal framework for exchanges of information between EU public oversight bodies and third country authorities

Article 47 of the 8th Directive sets out two regimes for the transmission of information and data to a third country public oversight authority: a "general regime" for the international transfers between competent authorities (Art. 47(1) to (3)) and a "special regime" (Art. 47(4) and (5)). Article 47(4) foresees that in exceptional cases, and by way of derogation from the "general regime" laid down in Article 47(1), Member States may allow statutory auditors and audit firms to transfer audit working papers and other documents directly to the competent authorities of a non-EU jurisdiction.

Article 47 (1) states that Member States may allow the transfer of audit working papers or other documents of audit firms from a Member State public oversight body to the third country's competent authorities, provided that certain conditions are satisfied. Article 47 1(b) sets out the conditions required for such exchange of information to take place. The main conditions are:

- The audit working papers to be exchanged relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country;
- The transfer takes place via competent authorities of the EEA Member State to the competent authorities of that third country;
- there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned: the working arrangements have to ensure that justification is provided by the competent authorities of the purpose of the request for having access to audit working papers and other documents, the working arrangements could probably take the form of memoranda of understanding between a national oversight authority and the competent authorities of the third country setting out the conditions and forms of cooperation;
- the persons employed by the authorities of the third country that receive the information are subject to obligations of professional secrecy;
- the competent authorities of the third country may use audit working papers and documents only for the exercise of their functions of public oversight, quality assurance and investigations;
- the transfer is in accordance with Chapter IV of the Data Protection Directive (international transfers of personal data); and
- the competent authorities of the third country concerned meet requirements of an adequacy test based on a 'comitology' decision. This adequacy test is different from the adequacy assessment of the level of protection afforded to personal data in that third country.

The conditions mentioned above are cumulative. If they are not met, in particular if a working arrangement has not been concluded, no co-operation by means of regular exchange of documents in the case of inspections shall be possible.

III. Analysis in a data protection perspective

Considerations on the scenarios applying to the exchanges of information with third-country supervisory authorities

The DG MARKT paper presents two different possible scenarios for the exchange of information between an EU public oversight authority and a third country public competent authority, apart from the exceptional cases mentioned in Article 47(4) of the Directive:

- a short term solution limited to formal investigations in the case of corporate scandals,
- a medium term solution, which should be available in 2008/2009, within the framework of bilateral arrangements between a third country and the Member States.
As for the medium-term solution, based on the information made available by DG MARKT, the approach envisaged would consist of working to ensure that the third countries, and especially the US, will adopt the rule of recognition of the EU oversight system. Public oversight bodies would in principle rely on the work of the corresponding public oversight in the other jurisdiction (home country supervision).

1. Short-term solution limited to formal investigations in the case of corporate scandals

A short term solution would be limited to formal specific investigations in the case of a corporate scandal, and in the absence of a bilateral agreement or memorandum of understanding between an EU independent oversight and a third country competent authority. If the third country in question is not adequate under the terms of Directive 95/46, the Member State's domestic law transposing the provisions contained in Article 26(1)(d) thereof can provide a legal basis for the transfer to take place.

However, the Working Party recalls that Article 26(1)(d) is part of the derogations provided for in the Directive for the regime of international transfers of personal data; accordingly, it should be limited to exceptional cases as a solution of last resort and be interpreted restrictively [2]. In order to apply Article 26(1)(d) and accordingly the domestic provisions transposing it, the following preconditions must be both fulfilled:

i. There must be a substantial public interest in communicating such personal data as are contained in working papers/documents. In this regard, the Working Party has already emphasized that the substantial public interest must be vested either in the Member State at issue or in the European Community. Only important and substantial public interests identified as such by the national legislation applicable to data controllers established in the EU are valid in this connection. Any other interpretation would make it easy for a foreign authority to circumvent the requirement for adequate protection in the recipient country laid down in Directive 95/46 [3]. It is the responsibility of the national oversight authority (competent for the audit) performing the transfer to decide on whether there is a substantial public interest, using a case-by-case approach in the light of the relevant domestic legislation and taking into account, where appropriate, an opinion by the national DP authority. In particular, by having regard to market connections, the substantial public interest requirement could also be considered to be met if agreements are in place between the auditing authorities (i.e. between the European and the third country's ones) on the basis of domestic legislation.

ii. Additionally, only such personal data as are necessary to achieve the substantial public interest purpose specified above may be transferred. Again, this assessment is left to the authority ordering the working papers/documents to be transferred, by having regard to the requests made by the third country authority. This would mean that the personal data to be transferred should be limited to those strictly necessary and relevant for the purposes of the ad hoc investigation. In this regard, for instance, personal data relating to staff/employees may not be transferred in their entirety. Special care should be taken with regard to sensitive and judicial data. As a consequence, the personal data being transferred may not be used by the third country recipient authority for different purposes, nor may they be communicated further for such different purposes.

Where the competent authority (for statutory audits) does not hold the view that the substantial public interest requirement arising out of Article 26(1)(d) of the Directive is fulfilled in the light of domestic law, it might nevertheless be possible to proceed with the transfer in accordance with Article 26(2). The competent authorities (for statutory audits) might avail themselves of the adequate safeguards afforded by standard contractual clauses stipulated with regard to this type of data transfer which would require no case-by-case analysis of the data transfers at issue. Although standard contractual clauses are mostly used for data transfers in the business sector, they would appear to be sufficiently flexible to enable application also in this area.

There is little doubt that using standard contractual clauses does not rule out the need for the national competent authority to check in the light of domestic legislation whether the preconditions to allow the disclosure of data to the third party competent authority are fulfilled. As repeatedly pointed out by the Article 29 Working Party, the adoption of standard contractual clauses should in no case become the means for dodging domestic provisions that regulate the communication of the data processed by the competent authority. [4]

[2] This stance was consistently taken by the WP in respect of all the cases mentioned under Article 26(1) of the Directive. See, in this connection, WP 29, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, 24 July 1998, WP 12, p. 24: These exemptions, which are tightly drawn, for the most part concern cases where risks to the data subject are relatively small or where other interests (public interests or those of the data subject himself) override the data subject's right to privacy. As exemptions from a general principle, they must be interpreted restrictively. That view was re-affirmed subsequently in the Working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995 (WP 114); under point 1.2, it was reiterated that the interpretation of Article 26(1) must necessarily be strict.

[3] See working document on a common interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995. Doc WP 114, point 2.4 according to which the drafters of the Directive clearly did envisage that only important public interests identified as such by the national legislation applicable to data controllers established in the EU are valid in this connection. Any other interpretation would make it easy for a foreign authority to circumvent the requirement for adequate protection in the recipient country laid down in Directive 95/46; Opinion 6/2002 on transmission of passenger manifest information and other data from airlines to the United States, Doc WP 66, point 2.5. See also, regarding construction of the provision on existence of a legal obligation as per Article 7(c) of the Directive, Opinion 1/2006 on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime, Doc. WP 117, point IV 1(i).

[4] This was stated clearly in Opinion 1/2001 on the Draft Commission Decision on Standard Contractual Clauses for the transfer of Personal Data to third countries under Article 26(4) of Directive 95/46, 26 January 2001, Doc. WP 38, point 2; with regard to transborder data flows, the Working Party held the following view: The lawfulness of such processing operation remains entirely subject to the conditions of the national legislation implementing the provisions of the Directive 95/46/EC. Should a transfer by means of the standard contractual clauses approved by the Commission not fulfil the conditions set up in the national law as regards these aspects, the intended transfer to third countries could not take place. In particular, if a disclosure of data to a third party recipient inside a Member State of the controller would not be lawful, the mere circumstance that the recipient may be situated in a third country does not change this legal evaluation.

2. Medium-term arrangements for regulator inspections

The medium term arrangements for the exchange of inspection reports within the framework of bilateral agreements concluded between a Member State and a non-adequate third country would provide for the communication of personal data of auditors (and mainly their names and the names of professionals who play a significant role in the audit firm's management and quality control), and only for the purposes of public oversight, quality assurance and investigations functions by the country authorities. Article 47 (1) of the Directive lays down the conditions that such working arrangements shall meet; in particular, the transfer of personal data must be in accordance with provisions on international transfers of Directive 95/46/EC [5]. Under the above conditions, there would not appear to be specific obstacles in the light of Article 26(1)(d) of the Directive to the extent the transfer of the data at issue is found to be necessary.

[5] See also Directive 2006/43/EC, recital 29.

However, the Article 29 Working Party would like to stress that a more precise reply on this point requires more specific information about the conditions of the agreement that would be concluded with the third country and the conditions of the adequacy test. Possible guidelines for such adequacy test are appended to this opinion in order to ensure appropriate safeguards from the perspective of the protection of personal data.

IV. Conclusion

The Article 29 Working Party holds the view that Article 26(1)(d) of Directive 95/46/EC can provide a legal basis for the transfer to third country public regulators of audit working papers containing personal data under the standard regime envisaged by Directive 2006/43 (Article 47(1) to (3)).

However, the Article 29 Working Party recalls that Article 26(1)(d) derogates from the general regime of the data protection Directive applying to cross-border data flows; as such, it should be interpreted restrictively by having regard to the substantial public interest served by the transfer (as vested either in the individual Member State or in the EU) and by ensuring that only relevant and necessary personal data are transferred for the sake of such substantial public interest.

Among the conditions to be fulfilled in view of the transfer, passing the adequacy test mentioned in Article 47(3) of Directive 2006/43 plays a key role. The Article 29 Working Party reserves the right to provide more specific views in this regard as soon as more detailed information on the specifics of such test becomes available, and reiterates its willingness to co-operate with all the relevant stakeholders in order to ensure that the adequacy test takes due account of data protection principles.

As regards the special regime envisaged in Article 47(4) of Directive 2006/43, as a regime that would be used in exceptional cases and by way of derogation from the "general regime", whereby the papers and documents are transferred directly by auditors and audit firms to the third country competent authorities, the Article 29 Working Party calls on the Commission to seek its contribution in connection with the activity the Commission is empowered to carry out under Article 47(5) of this Directive, in view of specifying the exceptional cases of transfer, so as to ensure a more uniform application of those provisions.

Done at Brussels, on 23rd November 2007

For the Working Party
The Chairman
Peter SCHAAR

Annex

Possible Guidelines to be complied with in order to ensure data protection adequacy in working arrangements to be concluded following the procedure laid down in Article 47(1)c of Directive 2006/43/EC.

(a) A non-exhaustive list of documents that can be transferred could be drawn up in 'comitology' measures. The list could cover, for instance: audit working papers; papers related to review of a group auditor under Article 27, other documents coming from auditors (engagement letter, correspondence with regulator, ), inspection reports/outcome issued by audit regulators or other regulators.

(b) Documents that are not considered, by the competent public oversight authority of a Member State, necessary to an investigation or inspection may not be transferred. Transfers of documents should not be systematic and should be done only in duly justified cases upon individual request.

(c) The non-EU jurisdiction authorities should not be allowed to make transmitted documents public directly or indirectly. In addition, it should, in principle, not be possible to use such documents for different purposes or by different authorities, such as tax authorities or courts.

(d) Specific conditions should be laid down as regards the maximum retention period of the documents transferred, to ensure that documents are not kept longer than necessary to fulfil the task for which the documents were requested (in any event, for no longer than the time limit provided for in national law for the performance of supervisory tasks).