Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy.

Confidentiality and professional secrecy rules relating to statutory auditors or audit firms shall not impede enforcement of the provisions of this Directive or of Regulation (EU) No 537/2014.

Where a statutory auditor or an audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity and the most recent audit of that entity.

A statutory auditor or audit firm who has ceased to be engaged in a particular audit assignment and a former statutory auditor or audit firm shall remain subject to the provisions of paragraphs 1 and 2 with respect to that audit assignment.

Where a statutory auditor or an audit firm carries out a statutory audit of an undertaking which is part of a group whose parent undertaking is situated in a third country, the confidentiality and professional secrecy rules referred to in paragraph 1 of this Article shall not impede the transfer by the statutory auditor or the audit firm of relevant documentation concerning the audit work performed to the group auditor situated in a third country if such documentation is necessary for the performance of the audit of consolidated financial statements of the parent undertaking.

A statutory auditor or an audit firm that carries out the statutory audit of an undertaking which has issued securities in a third country, or which forms part of a group issuing statutory consolidated financial statements in a third country, may only transfer the audit working papers or other documents relating to the audit of that entity that he, she or it holds to the competent authorities in the relevant third countries under the conditions set out in Article 47.

The transfer of information to the group auditor situated in a third country shall comply with Chapter IV of Directive 95/46/EC and the applicable national rules on personal data protection.