Accounting Offices

Personal data protection in the accounting office (part 4) - On which data sets does the accounting office operate?

Running an accounting office is one of those activities, the specificity of which is based on working with confidential, personal and often sensitive data. The accounting office takes over from business entities the obligations related to accounting, human resources and contacts with the Tax Office and the Social Insurance Institution. Additionally, clients are provided with advisory services in the field of assistance in completing loan applications, for EU and local government subsidies, or writing business plans. At every stage of their work, accountants and human resources come into contact with personal data.

Why is the identification of personal data sets so important?

The accounting office as a data processor is obliged to adequately secure the personal data of its clients, in accordance with the requirements set out in the GDPR.

Pursuant to Recital 75 of the EU Data Protection Regulation:

In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which comply in particular with the principle of data protection by design and with the principle of data protection by default.

The GDPR therefore issues a very general framework, therefore in Poland it is still considered a good practice:

development and implementation of the Security Policy, IT System Management Instruction, Key Policy;
issuing employees a personal authorization to process personal data of office clients;
keeping records of persons authorized to process personal data;
ensuring appropriate technical and organizational measures guaranteeing the security of entrusted personal data;
limitation of unauthorized access to the processed personal data.

The entity entrusting the processing of data to the accounting office (client) remains the Personal Data Administrator.

Customer data sets entrusted to the accounting office for processing

Most often, we distinguish the following collections:

Data set of client's contractors:

invoices,
bills,
contracts,
other sales / purchase documents.

Data collection of employees and contractors of the client:

employees' personal data,
personal data of contractors and contractors,
ZUS insurance documentation.

Data collection in the form of client's accounting documents:

diary,
books,
Financial Statements,
CSO reports,
tax declarations,
VAT registers,
additional accounting records.

Collection of data of clients of the accounting office

For example, these are:

contracts,
invoices,
authorizations.

Protection of personal data of employees and contractors of the accounting office

For example:

PESEL,
first name (names) and surname,
family name,
date and place of birth,
sex,
permanent address,
ID card (series and number, issued by, date of issue),
father's name, mother's name,
marital and family status,
disability level,
citizenship,
education,
work experience, work history,
the amount of remuneration,
bailiff seizure,
absences from work, health information

Outgoing and incoming correspondence register

For example:

date of receipt / shipment,
tracking number,
recipient of the sender,
address,
signature of the receiver / sender.

Register of inputs and outputs

For example:

date and time of entry / exit,
first name and last name,
position,
signature.

Marketing collection - potential customers

For example:

first name and last name,
e-mail address,
town,
form of business activity,
industry,
annual turnover,
age.

Identified data sets containing personal data can be referred to the programs in which they are processed, bearing in mind in particular the creation of individual access - users, not one admin, to whose login and password all office employees have access.