Personal data protection in an accounting office (part 6) - Did you know that an accounting office client may request a personal data processing agreement?

Accounting Offices

A client of an accounting office who is aware of being a data controller, and who every month hands over documents containing personal data files to the entity keeping its books of accounts or handling its staff matters, may request that the office sign a data entrustment agreement. It is important to note that, in principle, an accounting office should not operate at all without meeting the requirements of the Personal Data Protection Act, including signing a personal data processing agreement with each client.

Accounting office client as the data controller

The clients of an accounting office are businesses, and it does not matter whether they are sole proprietorships or companies. Most of them are data controllers: they collect customer databases for marketing purposes or store the personal data of their employees. As data controllers, they are obliged to protect the interests of the data subjects, an obligation that follows directly from the provisions of the Personal Data Protection Act.

"Art. 26. 1. The data controller processing the data should exercise due diligence to protect the interests of the data subjects, and in particular is obliged to ensure that the data are:

1) processed in accordance with the law,

2) collected for specified, lawful purposes and not subjected to further processing inconsistent with these purposes, (...)

3) substantively correct and adequate in relation to the purposes for which they are processed,

4) stored in a form that allows the identification of the persons to whom they relate for no longer than is necessary to achieve the purpose of processing."

When to entrust personal data and when to authorize their processing?

Personal data processing agreement: when is it signed?

A personal data processing agreement is signed when the data controller entrusts (commissions) the processing of data to another, external entity. The relationship between a client and its accounting office is an example of such entrustment.


Authorization to process personal data

Authorization usually concerns persons who work internally for the entity that is the data controller (or, as here, the processor). An accounting office will therefore grant authorizations to process data to, for example:

  • employees,
  • persons cooperating on the basis of a mandate contract,
  • trainees,
  • apprentices.

Importantly, an authorization should be granted only to persons who actually need access to the data and who process it for a specific purpose; it is not a formality to be handed out to everyone on the payroll.

Art. 39

1. The data controller keeps a register of persons authorized to process data, which should include:

1) name and surname of the authorized person,

2) the date of granting and termination as well as the scope of authorization to process personal data,

3) the person's identifier (user ID), if the data is processed in an IT system.

2. Persons authorized to process data are obliged to keep the personal data and the methods of securing it confidential.

Personal data entrustment agreement

The provisions of the Personal Data Protection Act allow the processing of personal data to be entrusted to another entity, e.g. an accounting office. However, they lay down certain rules for such entrustment.

Personal data processing agreement in writing

The regulations provide that the processing of data may be entrusted to another entity, but only under a written contract. In the case of an accounting office, this means either drawing up a separate contract for entrusting the processing of personal data or adding the appropriate provisions to the contract for the provision of accounting or HR services.

Data processing only to the extent and purpose resulting from the contract

An indispensable element of the data processing agreement is the definition of the scope and purpose for which the data may be processed. To define the scope, the datasets on which the activities will be carried out must be identified. The purpose, in turn, states the intended use of the entrusted data. This element of the contract can be regarded as the most important one: the entity entrusted with the data may use it only to the extent and for the purpose indicated in the contract, and nothing else.


The accounting office entrusted with data processing must be prepared for this

Operating in accordance with the Personal Data Protection Act requires the entity entrusted with the processing of personal data to meet certain requirements. Therefore, before it starts processing, the accounting office is obliged to put in place security measures protecting the data sets entrusted to it.

Personal data protection requirements:

  • applying technical and organizational measures that ensure the protection of the personal data being processed, appropriate to the level of threat and the category of data protected,
  • securing the data against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of the Act, and against alteration, loss, damage or destruction,
  • keeping documentation describing the method of data processing and the measures used for this purpose,
  • appointing an information security administrator who supervises compliance with the security rules,
  • allowing only authorized persons to process the data,
  • ensuring control over what personal data was entered into the data set, when and by whom, and to whom it is transferred,
  • keeping a register of persons authorized to process the data, which should include:

1) name and surname of the authorized person,

2) the date of granting and termination as well as the scope of the authorization to process personal data,

3) the person's identifier, if the data is processed in an IT system,

  • ensuring that persons authorized to process the data keep both the personal data and the methods of securing it confidential.


In addition, the entity entrusted with data processing must comply with the provisions that the Minister responsible for public administration has laid down by regulation concerning:

  • the manner and scope of documentation regarding the protection of personal data,
  • basic technical and organizational conditions that should be met by devices and IT systems used to process personal data.

Importantly, as regards compliance with the provisions on the protection of personal data, an accounting office entrusted by a client with the processing of personal data bears the same responsibility as a data controller.

The data controller remains the controller

Although the office bears responsibility like a data controller, the status of data controller remains with the client. The data entrustment agreement does not transfer controller status to the entity entrusted with the processing; it does, however, mean that responsibility for protecting the data is borne by both the client (as the controller) and the accounting office (as the processor entrusted with the data).

The accounting office entrusted with personal data is subject to control

Every entity processing personal data (whether or not it is aware of doing so) is subject to inspection by the Inspector General for Personal Data Protection. The inspection covers the compliance of data processing with the provisions on the protection of personal data.

Clients who are aware of their obligations as data controllers will seek to sign data processing entrustment agreements, because they remain responsible for ensuring the protection of the data files they hold. An accounting office should make it possible to sign such agreements. This does involve additional obligations, but they are obligations the office should be fulfilling anyway, since the Personal Data Protection Act requires them. Every accounting office processes personal data. The still frequently heard statement "we do not process personal data" is therefore not an acceptable answer to a client's request to sign a data processing agreement.