The accountant and the GDPR
It is important to determine whether you, as a bookkeeper, accountant or tax advisor, are the controller or the processor of the personal data handled in a particular assignment.
The controller determines the purpose and means of the processing of personal data in a particular business activity. The controller therefore decides what may be done with the personal data and how the processing takes place.
As a bookkeeper you are sometimes the processor and sometimes the controller, and this has consequences for your responsibilities towards data subjects and towards the government, in particular the DPA.
The accountant as Processor of personal data.
It is incorrect to automatically label the accountant as the controller, because the accountant does not always determine the purpose and means of the processing of a client's personal data.
In payroll work, such as calculating wages and pensions and filing wage declarations, the accountant is the processor of the personal data received from the controller. Here the controller is the party that determines the purpose and means of processing the personal data of the staff within his or her own organization.
When entering bookkeeping figures and submitting VAT returns, the accountant is likewise the processor of the personal data that he or she further processes on behalf of the controller. The processing agreement should therefore state clearly who is the controller and who is the processor.
The tax advisor as controller.
If the accountant gives tax advice, he or she, as the adviser, determines the purpose and means of that processing. Precisely because the accountant acts as a tax advisor, he or she is the controller for this processing: it is the accountant who processes the personal data of the citizens concerned in the report, in his or her own way, to achieve the desired result.
The same applies when the auditor, as a controller, provides management advice in the areas of financial planning, asset planning or economic advice to an organization.
As administrator for private clients, the accountant also acts as the controller, because the accountant then determines the purpose and means of the processing of personal data within that organization.
Do bookkeepers have to appoint a DPO?
Accountants process sensitive data on a large scale. Although reading an identity card is not, under the GDPR, regarded as the processing of sensitive personal data, the accountant must still observe the proportionality principle that the GDPR requires.
If fraud is discovered at a client, the accountant must of course be aware of Article 10 of the GDPR: the processing of personal data relating to criminal offences is in principle prohibited. Such data may only be processed by the government, by the police or under strict government supervision.
An accounting firm processes sensitive data on a large scale, for example financial data and, in the case of informal care, medical data. To avoid a conflict of interest, the accountant will work with an independent, external Data Protection Officer (DPO). The DPO maps all processing operations through a GDPR audit and ensures, through a data protection impact assessment (DPIA), that the rights and freedoms of the citizens whose personal data are processed within the accounting firm are protected.
As a bookkeeper, am I also jointly responsible?
A bookkeeper or accountant can therefore be the processor, the controller and, in some cases, a joint controller when processing personal data for clients.
The bookkeeper sometimes works together with a legal adviser or lawyer to provide advice. For certain assignments an accountant will also have to work together with a company auditor, so that each party is responsible for part of the processing of personal data.
In that case an agreement between the parties as joint controllers will be drawn up, because the collaborating parties jointly determine the purpose and means of the processing.
For more information you can contact a DPO here.