Personal data protection in an accounting office (part 1) - What is personal data protection?


The protection of personal data has long been a topic taken up by various institutions, but only now is the issue being raised to an ever higher level. Public awareness is growing, and people increasingly notice the need to protect their own data and the data entrusted to them. All the more so because carelessness in this matter will carry high penalties, and the Inspector General for Personal Data Protection (GIODO) seems to be examining entities on the market more and more thoroughly.

Personal data protection in the accounting office

Accounting offices process personal data as part of their activities, whether they are more or less aware of it, and should therefore conclude an agreement with their clients on entrusting personal data. The regulations in this area have been in force since 1997 and are still in force in accordance with the GDPR. Still, some accounting offices are not aware of their obligations in this regard and therefore do not fulfill them.

Accounting office owners should remember that where there is a suspicion of a data crime, the Office for Personal Data Protection (formerly GIODO) will provide information to the prosecutor's office. Severe penalties (up to EUR 10 million) should then be expected. The President of the Office for Personal Data Protection (formerly: Inspector General for Personal Data Protection) may also notify law enforcement authorities of a crime, attaching evidence documenting the suspicion. Law enforcement authorities may impose imprisonment for the illegal processing of personal data. These are, of course, very extreme situations, but they show that it is worthwhile for the owners of accounting offices to implement detailed procedures, both for documentation and for data security. To start, we suggest that you familiarize yourself with a few basic concepts.

What is personal data?

The provisions on the protection of personal data define personal data quite generally. According to Art. 4 of the EU Regulation on the Protection of Personal Data (GDPR), personal data is any information relating to an identified or identifiable natural person.

Importantly, an identifiable person is a person who can be identified directly or indirectly, in particular by reference to an identification number, location data, an internet identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

It is not clear from the above-mentioned regulations what specific information will constitute personal data. Sometimes a single piece of information, such as a PESEL number, should be considered personal data. This is not always the case, however, because a single piece of data that is too general or is encrypted will not constitute personal data. At the same time, such information may become personal data when it is combined with other information that allows it to be linked to a specific person without major difficulty.

The legislator has not specified a closed catalog of information considered to be personal data. Therefore, in many cases it is necessary to assess individually whether a given piece of information is personal data or not.


What are personal data files?

The definition of the personal data filing system is set out in Art. 4 point 6 of the GDPR. According to its content, a set of personal data is any structured set of personal data available according to specific criteria, regardless of whether this set is centralized, decentralized or functionally or geographically dispersed.


The set of personal data also includes applications submitted by future employees for recruitment purposes.

What is the processing of personal data?

It is also important to clarify the concept of personal data processing. As provided for in the regulations, it is understood as any operation performed on personal data, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise sharing, matching or combining, limiting, removing or destroying, especially operations carried out in information systems. The processing of personal data therefore includes not only their use, but also their collection and storage. It should also be borne in mind that the processing of personal data is allowed only in the circumstances indicated by the provisions (Article 6 (1)). The entity undertaking the processing of personal data must present a specific and economically justified purpose, which in the case of accounting offices is clear: the purpose is to be able to provide a service to the client.

What is personal data protection?

Personal data protection consists in the entity that holds the data (both individual pieces of information constituting personal data and entire sets of personal data) effectively implementing the principles of their protection by minimizing data and implementing the necessary safeguards, i.e. using technical and organizational measures to protect the personal data being processed.