Legal certainty for public accountants (hereinafter referred to as “PA”) and sworn auditors (hereinafter referred to as “SA”) when using external services
The new Article 50a in conjunction with Article 55b (2) (9) of the WPO (German Public Accountant Act) now entitles the PA/SA to outsource essential audit activities to external service providers.
A Note on the Concept of “External Service Provider”
A distinction is to be made between professional assistants and those acting in preparation for the profession and the “other involved persons” (external service providers). Though they participate in the professional activities pursued by the person bound to professional secrecy through being in some way involved in and contributing to those activities, they do not form part of that person’s domain.
Such service providers fall under Art. 203 (3) (2) half sentence 1 of the StGB (Strafgesetzbuch – German Penal Code). This specifically refers to the “service providers” pursuant to Art. 50a (1) of the WPO. As their collaboration is typically based on a service or works contract, service providers are covered by the derived right to refuse to testify pursuant to Art. 53a (1) (1) (1) of the StPO (Strafprozessordnung – German Code of Criminal Procedure).
Article 203 (3) (2) half sentence 2 of the StGB also covers the service provider’s employees and subcontractors. These persons within the meaning of Art. 50a (3) (2) (3) of the WPO, i.e. subcontractors, also typically operate based on a contractual relationship and are therefore covered by the derived right to refuse to testify pursuant to Art. 53a (1) (1) (1) of the StPO.
PA/SA are entitled to appoint service providers to assist with their activities as outlined above. This also applies to staff-provided services, both in the case of administrative activities (e.g. call centre services or clerical work) and professional services towards order fulfilment (e.g. client environment analyses, data analyses).
No Client Consent Required for Standardised, Specialised/Technical Audit Activities
Where services are rendered for an individual client, access to case-related client data by the service provider is subject to prior client consent (Art. 50a (5) of the WPO). Notwithstanding this, services related to general aspects of office organisation do not require client consent (cf. Section 4.2.6. of IDW Life 01.2019 and the WPK Practice Statement „Involvement of Third Parties in The Exercise of The Profession [Arts 50, 50a of the WPO]“ as at July 26th, 2018).
Here are a few examples of services that do not “require particular individual-case treatment” and that can generally be rendered by Shared Service Centres as well:
- Outsourcing of fee invoicing
- Obtaining of balance confirmations for a large number of clients
- Creation/reviewing of standard presentations
- Printing shop
Sources: IDW recommendations on appointing service providers as at April 10th, 2019/ IDW Life 01.2019, p. 13
Non-disclosure and Data Confidentiality
What happens to your clients’ data?
Your clients’ data will be used solely for the generation of our deliverables. They will be exchanged as a password-protected zipped file via scalestaar’s private cloud, backed up, saved, and retained for a maximum of two years.
How is confidentiality guaranteed?
As your service provider pursuant to Art. 50a of the WPO, we are committed to protecting the trust established between you and your clients. First off, you will receive a confidentiality statement together with passwords to protect your client’s sensitive data
Who gets to access the information?
Only persons sworn to secrecy may access your data. All access events are constantly monitored via technical and organisational measures.
Which data protection requirements under the GDPR must be observed?
Definition of Terms
Confidential information refers to your or your clients’ information which is disclosed to us and which is sensitive or advantageous from an economic, judicial, fiscal or technical standpoint. Confidential information may be information which is recognisably designated as confidential or as proprietary or whose confidentiality is self-evident. This term covers any and all records, deeds, notes, documents, digital recordings etc. as well as verbal communications. Furthermore, the existence of a contract concluded between you and ourselves as well as a non-disclosure agreement are considered confidential information.
Publicly known information is information which was verifiably known to us before its disclosure or, as the case may be, which became public knowledge through no fault of ours during the term of such contract and/or agreement.
We undertake to treat confidential information obtained from you as confidential. Specifically, this means that neither we nor our employees may disclose such information to third parties or otherwise use it for purposes other than those stipulated by our contract. Utilisation or sharing of this information for any other purpose will strictly require your prior written consent. Confidential information obtained from you will be used for contract fulfilment only. The rights to data obtained from you remain with you unless otherwise stipulated by contract.
We undertake to handle confidential information obtained from you at least as carefully as we do our own concerns, as well as to comply with all relevant legal and contractual stipulations when processing such confidential information. This includes consideration of the state of the art, appropriate technical security measures (Art. 32 GDPR), and obligating employees to comply with data secrecy (Art. 28  [b] GDPR).
Sharing with Third Parties/Subcontractors
The provided information or parts thereof may only be shared with external consultants who have been obliged to confidentiality or with agents required to fulfil the relevant contract who have been informed of the confidentiality of the information given and have been obliged accordingly. We expressly declare that we shall answer for any and all infringements on part of such agents.
We may only employ subcontractors for the purposes of conducting the commissioned activities. Our obligations arising under this agreement will be imposed on them accordingly.
Controlling and Deletion Rights
Within 14 days upon your written request, we shall return to you all confident information and additional documents created on the basis of such information we have on hand or verifiably prove to you that the information and records have been destroyed. This does not apply if we are bound by law or due to administrative or judge’s ruling to retain such information. In the latter case, we may further retain the confidential information solely for the purposes of fulfilling such obligations.
You are entitled to monitor compliance with this agreement or to have it monitored.
Contract Data Processing
Where the requirement of contract data processing calls for a contract that goes beyond the terms of this statement, such a contract will be concluded with you.
Life of The Agreement
The non-disclosure agreement is operative as from the day of its signing and its life is identical to that of the contract. The confidentiality obligation will remain binding after termination of the contract.