The accountant and the GDPR
It is very important to determine when you, as a bookkeeper, accountant or tax advisor, are the Controller or the Processor in terms of processing personal data for a particular engagement.
The Controller determines the purpose and means of processing personal data in a particular business activity. Thus, the Controller determines what may be done with the personal data to be processed and also in what manner the processing is done.
As an accountant, you are sometimes the Processor and also the Controller which has implications regarding your responsibilities to data subjects and to the government, specifically the GBA.
The Accountant as a Processor of Personal Data.
It is incorrect to automatically label the accountant as the processor because the accountant cannot and will not always determine the purpose and means of processing clients’ personal data.
In payroll accounting such as calculation of wages, pension plan and in the declaration of wages, the accountant is the processor of the personal data it receives from the controller. Here, the controller is the one who determines the purpose and means of processing the personal data of personnel within his or her organization.
Similarly, when entering figures and reporting VAT, the bookkeeper is the processor of the personal data that he continues to process on behalf of the controller. It is therefore clearly defined here who is the controller and who is the processor, in the processing agreement.
The tax accountant as a processor.
If the accountant provides tax advice, then as an advisor, the accountant determines the purpose and means of carrying out this processing. It is because the accountant is acting as a tax advisor that he or she is the data controller for this processing. It is the accountant himself or herself who will process the personal data of citizens in the report in his or her own way to achieve the desired result.
As a data controller, the accountant may also provide management advice in the area of financial planning, asset planning or on an organizational economic advice.
As a trustee for private clients, the accountant also acts as the data controller because the accountant then determines the purpose and means of processing personal data within this organization.
Should accountants appoint a DPO?
Accountants process sensitive data on a large scale. Although the reading of identity cards is not considered sensitive personal data for the GDPR, the accountant must take into account the proportionality principle required within the rules of the GDPR.
In case of fraud on the part of its clients, it is natural for the accountant to take note of Art. 10 within the privacy laws but processing of personal data in criminal activities is prohibited. The processing of these data can only be done by the government, police forces or under strict government supervision.
An accounting firm processes sensitive data on a large scale such as the processing of financial data and medical data in the case of informal care, for example. To avoid a conflict of interest, the accountant will work with an independent and external Data Protection Officer or DPO for short. The DPO will map all processing through a GDPR audit and ensure, through a DPIA or data protection impact assessment, that the rights and freedoms of citizens whose personal data is processed within the accountancy are safeguarded.
As an accountant, am I also a joint controller?
A bookkeeper or accountant can therefore be both the processor, the data controller and in some cases the joint controller when processing personal data with clients.
The bookkeeper sometimes works with a legal advisor or attorney to jointly issue opinions. In certain engagements, an accountant will also need to work with a corporate auditor so that both parties will be the data controller for some of the processing of personal data.
In this case, a processing agreement will be drawn up as “joint controllers” because the cooperating parties will determine the purpose and means under a joint agreement.