Personal data protection in an accounting office (part 2) - The essence of personal data protection, i.e. GDPR in an accounting office
Since the GDPR (the EU General Data Protection Regulation) entered into force, the question of what personal data protection actually means has become much more prominent in Poland. Public awareness of the rights to which every natural person is entitled is growing. Compatriots, as clients, want to be treated professionally and with the utmost diligence. This is not about exclusive service, but about a company that accepts an order for a given service taking care of the most important things entrusted to it: assets belonging to the client or to the people directly connected with the client.
What does the client entrust to the accounting office?
A person who wants to use the services of an accounting office entrusts that office with invoices (both sales and purchase invoices), employee documents, contracts, bank statements and other confirmations of transactions. In doing so, the client hands the employees of the accounting office:
valuable data on the volume and value of the client's transactions;
data of contractors, both suppliers and customers;
employee data (including special-category data, such as the health information on sick leave certificates) if the service extends to HR and payroll.
When the accounting office uses third-party documents containing personal data, it is carrying out an activity the law calls the processing of personal data. This means that every accounting office is subject to the GDPR and to the national regulations on the protection of personal data.
Accounting office and lawful access to data
The accounting office must make sure that it is able to process lawfully (a concept that includes the mere collection of data) the personal data entrusted to it, above all by its clients, but also by its own employees. When accepting data sets, the accounting office should ensure that it holds a valid authorization to process them; in practice this means a written data processing agreement with the controller, as required by Art. 28 GDPR. An entity that accepts files from other controllers without meeting the requirements of the personal data protection provisions is acting contrary to the applicable law.
Obligations of the client providing personal data to the accounting office
Since all documents submitted to the accounting office belong to and concern the client's company, the client is the data controller (in Polish terminology, the "administrator" of personal data). It does not matter that the client has handed over (entrusted) custody of the documents to the accounting office. The client remains the data controller and is obliged by law to ensure their proper protection.
Art. 4(7) GDPR
"Controller" (the administrator of personal data) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Consequently, the data controller has the tasks laid down in the personal data protection provisions. It is in the interest of the client, as the data controller, to sign a data processing (entrustment) agreement with the accounting office. Such an agreement ensures that the transferred data, for which the controller (the office's client) remains responsible, will be processed by the entity providing the accounting service with due diligence and in accordance with the data protection provisions. It also prevents the entity entrusted with the data from using it for purposes other than those for which it was handed to the accounting office.
Responsibilities of the accounting office receiving personal data
The entity to which personal data is entrusted also has obligations of its own, even though the data controller is the office's client. Above all, the office has specific tasks in securing the data it receives, both technically and formally.
Art. 24(1) GDPR
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. Because accounting offices are subject to the personal data protection provisions (including the GDPR), they must implement the procedures the Regulation requires. Although Art. 24 is addressed to the controller, the corresponding security obligation in Art. 32(1) GDPR binds the controller and the processor alike, so the office cannot rely on the client alone having put such measures in place.
In addition, by signing the data processing agreement with the client, the office undertakes to use the entrusted data only to the extent and for the purposes specified in the contract.
Ensuring proper protection of personal data as an added value
There are currently many accounting offices on the market. In the long term, the winners will be those offices which, beyond the basic scope of services, offer "something" more, the so-called added value. Here an office can distinguish itself from the others by its knowledge and application of the law on the protection of personal data. Public awareness of how personal data is processed and protected is growing. Companies that have built data protection into their own operations will look for an accounting office that operates in accordance with the GDPR. So, beyond the legal requirement, implementing measures to protect the entrusted personal data is a strong vehicle for the office to stand out on the market.
The accounting office should therefore act in accordance with the applicable law and is obliged to comply with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). This brings an increase in formal obligations, of which there are still quite a few, but in return an accounting office with the knowledge and the implemented procedures needed to protect the data received from clients gains a better reputation for the quality of its services, which sets it apart from the competition. In addition, by complying with the regulations, the office limits the negative consequences (both financial penalties and an order restricting or prohibiting the processing of data, and thus the provision of services) of a possible inspection by the Personal Data Protection Office (UODO).