The accountant and the GDPR
The Accountant and the GDPR: It is very important to determine when you, as a bookkeeper, accountant or tax advisor, are the Controller or the Processor in terms of processing personal data for a particular engagement.
The Controller determines the purpose and means of processing personal data in a given business activity. Thus, the Controller determines what may be done with the personal data to be processed and also in what manner the processing is done.
As an accountant, you are sometimes the processor and also a data controller which has implications regarding your responsibilities to data subjects and to the government, specifically the GBA.
The Accountant as Processor of Personal Data.
It is incorrect to automatically label the accountant as the data controller because the accountant cannot and will not always determine the purpose and means of processing customers’ personal data.
In payroll accounting such as calculation of wages, pension plan and in the declaration of wages, the accountant is the processor of the personal data he receives from the controller. Here, the data controller is the one who determines the purpose and means of processing personnel personal data within his or her organization.
Similarly, when entering figures and filing VAT, the bookkeeper is the processor of personal data that he further processes on behalf of the controller. Therefore, it is clearly defined here who is the controller and who is the processor, in the processing agreement.
The tax advisor as a data controller.
If the accountant provides tax advice, then the accountant, as advisor, determines the purpose and means to carry out this processing. It is because the accountant is acting as a tax advisor that he or she is the controller for this processing. It is the accountant himself who will process the personal data of citizens in the report in his or her own way to achieve the desired result.
As a controller, the accountant may also provide management advice in the area of financial planning, asset planning or on an organizational economic advice.
As an administrator for private clients, the accountant also acts as the data controller because the accountant then determines the purpose and means of processing personal data within this organization.
Should accountants appoint a DPO?
Accountants process sensitive data on a large scale. Although ID card reading is not considered sensitive personal data for GDPR purposes, the accountant must take into account the proportionality principle required within GDPR rules.
In cases of fraud on the part of its clients, it is natural for the accountant to take note of Art. 10 within the privacy laws but processing of personal data in criminal activities is prohibited. The processing of this data can only be done by the government, police departments or under strict government supervision.
An accounting firm processes sensitive data on a large scale such as processing financial data and medical data in the case of informal care, for example. To avoid a conflict of interest, the auditor will work with an independent and external Data Protection Officer or DPO for short. The DPO will map all processing through a GDPR audit and ensure, through a DPIA or data protection impact assessment, that the rights and freedoms of citizens whose personal data are processed within the accountancy are safeguarded.
As an accountant, am I also jointly responsible?
Thus, a bookkeeper or accountant can be both the processor, the controller and in some cases the joint controller when processing personal data with clients.
The accountant sometimes works with a legal advisor or attorney to provide advice together. Certain assignments will also require an accountant to cooperate with a company auditor so that both parties will be data controllers for some of the processing of personal data.
In this case, a processing agreement will be drafted as “joint controllers” because the cooperating parties will determine the purpose and means under a joint agreement.
For more info, contact a DPO here.