TITLE TRANSLATION
Protection of personal data in audit procedures
ABSTRACT
In this article we attempt to summarise the basic aspects of personal data protection, present the requirements of European and Slovenian legislation, and point out some pitfalls of personal data protection that the auditor must watch for, both in ensuring compliance in the audit procedures of their own work and in checking and confirming the compliance of clients. The first, somewhat more theoretical part of the article presents the basics of personal data processing, with the definitions and legal bases that are most often misunderstood when ensuring compliant processing of personal data. First, the terms personal data and processing are defined and explained. We then explain the principles relating to the processing of personal data and the legal bases for processing. We conclude with the record of processing activities, the relationship between controllers and processors, and transfers to third countries. The second part explains the practical implications and challenges that we frequently encounter in audits, particularly of information systems. Central is the distinction between pseudonymisation and anonymisation in the area of erasure, which in our experience is the most frequently detected non-compliance. Through a review of contractual processors we then turn to another area that, following the judgment of the Court of Justice (EU) in 2020 in case C-311/18, has become risky mainly because of the export of personal data: cloud services.
ABSTRACT IN ENGLISH
In this article, we try to summarize the basic aspects of personal data protection. We also present the requirements of European and Slovenian legislation and some pitfalls of personal data protection to which the auditor must pay attention, both from the point of view of ensuring their own compliance in audit procedures and from the point of view of checking and confirming the compliance of auditees. In the first, somewhat more theoretical part of the article, we present the basics of personal data processing, covering the definitions and legal bases that are most often misunderstood when ensuring compliant processing of personal data. First, we define and explain the terms personal data and processing. Then, we explain the principles regarding the processing of personal data and the legal bases for processing. We conclude with records of processing activities, the relationship between controllers and processors, and transfers to third countries. In the second part, we explain the practical implications and challenges that we often see when auditing information systems. The key issue is the difference between pseudonymization and anonymization in the field of erasure, which in our experience is the most frequently detected non-compliance. Through the review of contractual processors, we then approach another area, cloud services, which after the 2020 decision of the Court of Justice (EU) in case C-311/18 became risky mainly due to the export of personal data.