Privacy statement for the Finnish Register of Auditors
Finnish Patent and Registration Office (PRH)
Mailing address: Finnish Patent and Registration Office, FI-00091 PRH, Finland
Street address: Sörnäisten rantatie 13 C, Helsinki, Finland
Tel. +358 29 509 5000
Representative of controller
Ms Hanna Kattainen
Tel. +358 29 509 5859
Data protection officer
Tel. +358 50 413 6500
Purpose of and legal basis for processing personal data
Under chapter 6, section 9 of the Finnish Auditing Act (1141/2015), the Auditor Oversight Unit keeps a register of auditors from which anyone can obtain information about auditors and details related to them. The Register of Auditors is also used to supervise auditors’ activities and restore approvals.
The processing is necessary to comply with the controller’s legal obligation.
Personal data and categories of data subjects in the register
The Register of Auditors contains entries with the information required in chapter 6, section 9 of the Auditing Act (1141/2015), identifying natural persons and firms approved as auditors and audit firms respectively. The Statutory Audit Directive (2006/43/EC) also sets obligations about the data content of the register.
The following details identifying auditors are recorded:
- name and personal identity code (date of birth if no personal identity code is available);
- date of registration, and the auditor’s identification number;
- mailing address, email address (if any), and phone number;
- information on whether the auditor works for an audit firm;
- approval as an HT, KHT, JHT and CPFA/JHTT auditor, date of approval, and date of expiry of the approval;
- date on which the approval was cancelled by application, and date on which the approval was restored;
- remark, warning, withdrawal of approval and date of withdrawal, fixed-term prohibition of activities, penalty payment and notice of a conditional fine issued to the auditor, and any declarations of inadequate audit report;
- information if the auditor has been entered in the register of auditors of another state, registration number, and oversight authority of the state in question.
The following details identifying audit firms and CPFA/JHTT corporations are recorded:
- company name and Finnish Business ID;
- date of registration, and the audit firm’s identification number;
- mailing address, email address (if any), and phone number;
- approval as an audit firm, date of approval, and date of expiry of the approval;
- date on which the approval was cancelled by application, and date of restoration;
- remark, warning, withdrawal of approval and date of withdrawal, fixed-term prohibition of activities, penalty payment and notice of a conditional fine issued to the firm, and any declarations of inadequate audit report;
- mailing addresses to premises located in Finland;
- contact person’s name and mailing address;
- auditors working for the audit firm and their identification numbers;
- if the audit firm belongs to a network of audit firms: name of the network and information where the details of the network firms are available for the public;
- name, personal identity code (date of birth or Finnish Business ID if no personal identity code is available), and mailing address of the owners of the audit firm;
- name, personal identity code (date of birth if no personal identity code is available), and mailing address of the members of the board of directors, or corresponding governing body, as well as of the managing director and their deputy;
- information if the audit firm has been entered in the register of auditors of another state, registration number, and oversight authority of the state in question.
In addition, we save certain details of auditors and audit firms that are useful for the purposes of service and oversight but that are not recorded in the Register of Auditors. These details include, for example: invoicing address of the auditor; number of training hours, audit engagements and hours of work reported by the auditor in the notification of oversight information; quality control results; language and manner of communication; and PIE engagements and quality control results of the audit firm.
Sources of information
The details recorded in the register include:
- details given by auditors and audit firms on registration forms, forms for notification of changes, and oversight information forms;
- details updated by the PRH’s Auditor Oversight Unit; and
- details obtained from other authorities under the Finnish Auditing Act (1141/2015) and the Statutory Audit Directive (2006/43/EC).
- The details are also supplemented based on decisions made by the Finnish Audit Board.
Disclosure of personal data to third parties
Anyone is entitled to obtain extracts and copies from the Register of Auditors against payment. However, the last four digits of an auditor’s personal identity code are only disclosed if the person asking for the information has the right to process the personal identity code.
Transfer of personal data to countries outside the EU or the EEA or to international organisations
Details from the Register of Auditors can be transferred to authorities in countries outside the EU or the EEA in accordance with chapter 9, section 3, subsection 2 of the Finnish Auditing Act. Currently, the details can be transferred to the auditing oversight authorities in Switzerland (FAOA) and the USA (PCAOB) based on agreements made with them.
Storage periods of personal data
The storage periods of the registered personal data are based on legislation which specifies the storage periods.
Profiling and automated decision-making
The registered data are not used for profiling, and no automated decision-making is performed on the data.
Right of access to personal data
The data subject has the right to check what personal data about them have been entered into the register, or to find out that there are no such register entries. The data subject can ask the controller for access to their personal data. Read our instructions on how to request access to data.
Right to rectification of data
The data subject has the right to demand that the controller rectify without undue delay any inaccurate or incorrect personal data concerning them. Read our instructions on rectification of data.
Right to restriction of processing
The data subject has the right to demand that the controller restrict the processing of data, if the data subject contests the accuracy of the personal data. The idea is to restrict the processing for a period during which the controller can verify the accuracy of the personal data.
Right to lodge complaint with supervisory authority
The data subject has the right to lodge a complaint with the supervisory authority (the Data Protection Ombudsman).