Data Protection for Tax Advisors with heyData

Safe and Compliant with heyData

Data Protection for Tax Advisors

Data protection is more than just a duty for tax advisors - it is a vote of confidence. heyData offers an intuitive, customized solution that makes GDPR compliance easy without disrupting workflows. With heyData, data protection becomes a quality feature of your firm.

  • Comprehensive and digital data protection audit
  • Creation of the full data protection documentation
  • External data protection officer for tax advisors

Data protection responsibility in the tax office

As a tax advisor, you are obliged to protect your clients' data from misuse. This includes observing the professional duty of confidentiality as well as complying with the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG-new).

The duty of confidentiality and the GDPR

In principle, tax advisors are subject to a professional duty of confidentiality and therefore also to the protection of all client data. However, this duty of confidentiality does not cover the requirements of the General Data Protection Regulation and the protection of personal data. For this reason, tax advisors must take additional measures to implement data protection in their day-to-day work.

Data protection in tax consulting firms

Under this duty of confidentiality, tax advisors may only publish or pass on data that they have obtained in the course of their professional activities with the express consent of the client. However, other legal regulations are also relevant for this profession when it comes to personal data and data protection, such as:

  • General Data Protection Regulation (GDPR)
  • Federal Data Protection Act (BDSG)
  • Professional law for tax consultants (StBerG, DVStB, BOStB)
  • Criminal Code (StGB): § 203, violation of private secrets

Are tax advisors obliged to appoint a data protection officer?

The answer to this question depends on the size of the tax firm. According to the General Data Protection Regulation (GDPR), tax advisors are obliged to appoint a data protection officer in the following cases:

  • If more than 19 people in the firm are permanently involved in the processing of personal data.
  • If the firm's annual turnover is more than 10 million euros.

Tax advisors who do not meet these requirements are not obliged to appoint a data protection officer. However, they can voluntarily appoint one to receive support in implementing the GDPR. Appointing a data protection officer offers tax advisors several benefits, such as ensuring compliance with data protection regulations, reducing the risk of data protection breaches, and strengthening client trust. The appointment of a data protection officer can therefore make sense regardless of the size of the firm. A data protection officer can help tax advisors comply with the GDPR and ensure the security of their clients' personal data.

What data must be protected?

Data protection law regulates the handling of personal data. This also includes the data usually processed in the client relationship:

  • Name
  • Date of birth
  • Postal address
  • Tax number
  • Lifestyle details in the context of tax returns
  • Social security number
  • Financial data (account data)
  • Value added tax identification number
  • Tax consultant ID number
  • Professional title
  • Contact details of representatives and contact persons

If you collect this or similar information from your clients and employees or receive this data from third parties as part of your tax consultancy activities, a sophisticated data protection concept is essential. In addition to comprehensive planning, this also includes specific measures and controls in the technical and organizational areas.

Obligations and requirements under the GDPR

Duty to inform

Tax advisors must inform their clients about the processing of their personal data. This includes information about the purpose of the processing, the categories of personal data, the recipients of the data, and the rights of the clients. In addition, the firm must review its website, its contracts with clients, and every channel through which personal data is collected, and add all information required by the GDPR.

Legal basis

The processing of personal data must have a legal basis. Legal bases for the processing of personal data in tax consulting are, for example, the consent of the client, the fulfillment of a contract, or the fulfillment of a legal obligation.

Training of Employees

Employee training is crucial to avoid data breaches. Ensure all employees are informed about the GDPR and have signed a non-disclosure agreement.

Register of Processing Activities (ROPA)

For typical processing activities of a tax firm (client management, tax returns, etc.), a record of processing activities (ROPA) must be kept in accordance with Article 30 of GDPR. This record should contain information on the purpose of processing, categories of personal data, and deletion periods.

Privacy Policy on the Website

A privacy policy on the website is a must. It informs your clients about data protection and their rights. Make sure it is clear and understandable.

Data processing agreement (DPA)

If you use service providers such as an IT technician, a web host, or a cloud provider, you should conclude data processing agreements under Art. 28 GDPR. These contracts regulate the data processing carried out by the service providers and their compliance with data protection regulations. In tax consulting, this includes DATEV or cloud service providers, for example.

Technical and organizational measures (TOM)

Tax firms must take appropriate technical and organizational measures to protect their clients' data. These include encryption, data backups, and access controls. Even where no commissioned data processing (processing on behalf of a controller under Art. 28 GDPR) takes place, the TOM must be documented in order to fulfill the accountability obligation.

heyData: your reliable partner for data protection

heyData offers a comprehensive SaaS solution and a team of experts who bring many years of experience to the needs of tax advisors. From digital training modules to a secure document vault, we offer a solution that won't disrupt your day-to-day work while ensuring full compliance.

Ready to take data protection in your tax firm to the next level?

Hear it From Our Customers

"heyData impressed us with their digital software solution and expertise. Like us, heyData is a digital pioneer in a rather traditional and less digital industry. heyData is a strong partner for the BRZ Group."

Markus Schobert

Head of Customer Service at BRZ Gruppe

"heyData is a great help for us and makes the topic of data protection really easy. We are very satisfied with the digital audit, the online training and the customer support."

Leonard von Kleist

CTO & Co-Founder at Hive Technologies GmbH

"I value this feature for its ability to simplify supplier risk assessment. It is an indispensable tool for anyone dealing with data compliance in the European Union and Switzerland."

Jan Stephan

Head of Legal Affairs at Learnship

"As a customer, we have only had good experiences with heyData's support and communication. Questions were answered in detail, responses were always prompt and personal 1-1 support is also no problem."

Roman Georgi

Director of Customer Support at AMBOSS

“What sets heyData apart is its responsiveness and rapid implementation.”

Sandra Scherzer

Legal department at Bioland

"We always receive competent and prompt advice from heyData and have so far been able to find a satisfactory solution to every question relating to the GDPR or data protection in general."

Nikolai

CTO at Instaffo GmbH

FAQ

As a rule, the tax advisor is responsible for compliance with the GDPR. This also applies if the tax advisor processes the personal data on behalf of a third party, e.g. a company or a private individual. However, the tax advisor can be supported by an external data protection officer, such as the experts provided by heyData.

Tax consultants may only process personal data that is required to fulfill their professional duties. In particular, this includes data required to prepare tax returns, to audit annual financial statements, and to advise clients.

Tax advisors must provide clients with comprehensive information about the processing of their personal data. To this end, they must provide clients with the following information in particular:

  • the purposes of the data processing
  • the categories of personal data that will be processed
  • the recipients of the personal data
  • the duration for which the personal data will be stored
  • the rights of the clients

Tax advisors must guarantee clients the rights provided for in the GDPR. In particular, this includes the right to information, rectification, erasure, restriction of processing, objection, and data portability.

When transferring personal data to third countries, tax advisors must ensure that an adequate level of protection exists for the data. This can be achieved by means of a contractual agreement with the recipient of the data, or where the third country's legal system provides a level of data protection comparable to that of the EU.

In the event of breaches of the GDPR, tax advisors must inform the competent supervisory authorities. In some cases, they must also inform the data subjects.

Severe sanctions can be imposed for violations of the GDPR. For example, a fine of up to 20 million euros or 4% of the company's global annual turnover can be imposed.