
Data protection for tax advisors

The processing of tax data falls under the GDPR. With us you stay 100% compliant.

Avoid expensive fines and let the protection of your clients' data be our concern.

Completely GDPR compliant

No hidden costs

Reliable, verified contact person

Request advice now

Data protection for tax consultants

A tax advisor must comprehensively protect the personal rights of natural persons and at the same time protect the personal data of his clients from misuse. The tax advisor is obliged to provide his clients with comprehensive and correct advice and to protect them from any damage. He advises his clients in such a way that they can safeguard their own interests and rights independently and that wrong decisions are ruled out as far as possible. At the same time, the tax advisor must ensure that the personal rights of natural persons are respected and that the personal data and information of his clients are protected.

There is no obligation or possibility to cover this risk with professional liability insurance!

For this reason, the tax advisor must take appropriate measures to ensure data protection within the firm. For the optimal implementation of the necessary steps, it is advisable to appoint a data protection officer. In many cases a tax firm is also legally obliged to do so: under Section 38 BDSG, a firm that, as a rule, permanently engages at least 20 persons in the automated processing of personal data must appoint a data protection officer. This national threshold applies in addition to the criteria of Article 37 GDPR, which can trigger the obligation regardless of headcount.


The duty of confidentiality and the GDPR

In principle, the tax advisor is subject to a professional duty of confidentiality and thus to the protection of all client data. This duty of confidentiality does not, however, cover the requirements of the General Data Protection Regulation and the protection of personal data. This is where the GDPR and the BDSG (new version) apply. For this reason, tax advisors must take additional steps to implement data protection in the day-to-day business of the firm.


The implementation of data protection within the tax office

Within the firm, a clear responsibility must first be defined and the subject of data protection assigned to it. Assigning this responsibility does not, however, relieve the firm's owner of liability: it is about a clear allocation of tasks to a coordinator, who then acts as the contact person for data protection.

This contact person must be able to demonstrate specialist knowledge and take part in continuing training. Conflicts of interest exclude the owner, members of the firm's management and those responsible for IT from this role, since they would be monitoring their own decisions. The data protection officer can be appointed from within the firm, but the above requirements tend to favour an external solution.

An external data protection officer does not impede the actual day-to-day business and can be terminated within agreed notice periods, so the firm can concentrate on its core business. Appointing a data protection officer who lacks the required specialist knowledge is pointless, because the legal requirements cannot be met that way.

Talk to heyData as your data protection expert - we will take care of your concerns!


What measures does a tax firm need to take?

Processing activities

For the typical processing activities of a tax firm (client administration, tax returns, etc.), a record of processing activities must be kept in accordance with Article 30 GDPR.

Impact assessment

A data protection impact assessment (Article 35 GDPR) is required where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. The firm must therefore check each of its processing operations against this threshold and document the result; a DPIA is not automatically required simply because personal data is processed. Here, too, heyData would be happy to be your expert of choice!

Technical and organizational measures (TOM)

For most firms these measures are mandatory. Tax firms must, for example, always maintain a level of security appropriate to the risk (Article 32 GDPR) and therefore keep their technology under review. Even where no processing on behalf of a controller takes place, the TOM must be documented in order to satisfy the accountability obligation (Article 5(2) GDPR).

Data protection training

A data protection concept cannot be implemented without an informed workforce. Employees need to understand the concept of data protection and recognize their own advantages. The topic of data protection should be lived in-house and therefore requires regular training.

Duty to provide information

The firm must review its website, its contracts with clients and every other point at which personal data is collected, and add the information required by Articles 13 and 14 GDPR.

Order processing

If an external service provider receives personal data on the firm's behalf, the firm must conclude a data processing agreement with it in accordance with Article 28 GDPR. In tax advice this applies, for example, to DATEV or cloud service providers.

Precautions must be taken, especially in IT; these are best evaluated together with the data protection officer:

  • Is the server in its own room?
  • Can the room for the server and the telephone system be locked?
  • Who is authorised to enter these rooms?
  • Who is in control of this protection zone?

What about access controls in the tax office? You should discuss these with the data protection officer:

  • Is there a tiered authorisation system?
  • Is the release of specific data organised?
  • Can unauthorised persons gain access to sensitive data within the file system?
  • Is there a user assignment (one personal account per person)?
  • Are passwords used?
  • Is a PC locked when it is inactive?
  • Is unlocking only possible with a password?
  • Are there clear user profiles?
  • Are passwords changed in a fixed cycle? (Note: current BSI and NIST guidance no longer recommends forced periodic changes; require a change when compromise is suspected and enforce sufficient length instead.)

Is IT security guaranteed in the tax office? Tax offices are not always technically up to date, which is why a close look together with the data protection officer is urgently recommended!

  • Are the operating systems up to date?
  • Is a current firewall in use?
  • Is reliable virus protection guaranteed?
  • Are there regular backups?
  • Are there separate storage media?
  • Is secure storage of the storage media planned?
  • Does the workforce have IT security training?
  • Is data encrypted (also on USB sticks or external hard drives)?
  • Is special software used for the transmission of confidential data?
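To make the checklist above actionable on the workstations a tax firm actually runs, here is an added example (not part of the original page and not heyData's material): a read-only PowerShell audit that maps several of the questions to concrete system checks. It assumes a Windows 10 or 11 workstation using the built-in BitLocker, Windows Defender and Windows Firewall, and the numeric thresholds (10-minute lock, 3-day signature age, 45-day patch age) are assumptions to align with your own policy.

```powershell
# Added example, not from the original page: read-only audit of one Windows workstation
# against the data protection checklist. Assumes Windows 10/11 with built-in BitLocker,
# Defender and Windows Firewall; run from an elevated PowerShell 5.1+ on the PC itself.
# All numeric thresholds below are assumptions, not legal requirements.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# "Is a PC locked when inactive?" / "Is unlocking only possible with a password?"
# Per-user values are REG_SZ strings. A domain GPO may enforce them under
# HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop instead; check that too.
$desk    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = [int]$desk.ScreenSaveTimeOut          # seconds; 0 or missing means never
$lockOk  = ($desk.ScreenSaveActive -eq '1') -and ($desk.ScreenSaverIsSecure -eq '1') -and
           ($timeout -gt 0) -and ($timeout -le 600)   # assumed maximum: 10 minutes
Add-Finding 'Screen lock on inactivity' $lockOk "Active=$($desk.ScreenSaveActive) Secure=$($desk.ScreenSaverIsSecure) TimeoutSec=$timeout"

# "Is data encrypted?" -- every volume BitLocker knows about must have protection switched on
try {
    foreach ($v in (Get-BitLockerVolume -ErrorAction Stop)) {
        Add-Finding "BitLocker $($v.MountPoint)" ($v.ProtectionStatus -eq 'On') "Status=$($v.ProtectionStatus) Method=$($v.EncryptionMethod)"
    }
} catch {
    Add-Finding 'BitLocker' $false "cmdlet unavailable: $($_.Exception.Message)"
}

# "Is a current firewall in use?" -- all three Windows Firewall profiles must be enabled
foreach ($p in Get-NetFirewallProfile) {
    Add-Finding "Firewall profile $($p.Name)" ($p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
}

# "Is reliable virus protection guaranteed?" -- Defender real-time protection and signature age
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $sigAge = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).Days
    Add-Finding 'Antivirus real-time protection' $mp.RealTimeProtectionEnabled "Enabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Antivirus signatures current' ($sigAge -le 3) "SignatureAgeDays=$sigAge (assumed max 3)"
} else {
    Add-Finding 'Antivirus' $false 'Get-MpComputerStatus unavailable; a third-party AV must be checked manually'
}

# "Are the operating systems up to date?" -- age of the newest installed hotfix.
# This is only a proxy; a real patch audit compares against the vendor's current release.
$last     = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { 9999 }
Add-Finding 'OS updated recently' ($patchAge -le 45) "Last=$($last.HotFixID) AgeDays=$patchAge (assumed max 45)"

# "Is there a user assignment?" -- a shared, enabled built-in Guest account (RID 501) breaks attribution
$guest        = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$guestEnabled = if ($guest) { [bool]$guest.Enabled } else { $false }
Add-Finding 'Built-in Guest account disabled' (-not $guestEnabled) "GuestEnabled=$guestEnabled"

$findings | Format-Table Check, Pass, Detail -AutoSize -Wrap
$failed = @($findings | Where-Object { -not $_.Pass }).Count
"$failed check(s) failed"
if ($failed -gt 0) { exit 1 }
```

Save it as a .ps1 and run it from an elevated PowerShell on each PC; a non-zero exit code means at least one check failed, and the table shows which. It covers the endpoint only: the server room, DATEV and cloud providers, backups and the paper process still need the walk-through with the data protection officer.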

Despite increasing digitisation, some clients do not consent to the electronic transmission of confidential data. Whether and how data may be transmitted electronically should therefore be agreed in writing when the mandate is issued!

As you can see, many IT topics play a role in the area of the GDPR, but despite all the digitisation, paper documents are still widely used. Here too, safe and correct storage must be ensured. The disposal of these documents in particular is often underestimated and overlooked as a security gap. We recommend certified disposal or a shredder of at least security level P-3 according to DIN 66399 (P-4 is commonly recommended for personal data).


Data protection in the tax firm: the solution is heyData

The subject of data protection in tax advice is diverse. heyData will be happy to assist you and support the firm in all data protection matters. Talk to us about external data protection and arrange an information meeting with heyData today!


Why is data protection so relevant for tax advisors?

Data protection and the GDPR are essential for tax advisors too. To meet the requirements of tax law, tax advisors are responsible for handling personal data carefully. Such data includes:

  • Contact details (address, e-mail address, telephone numbers)
  • Tax ID
  • Information on income and expenses
  • Pay slips
  • Lifestyle information in connection with tax returns
  • Social security number
  • Bank account details

A tax firm collects, stores and processes personal data on a large scale, and communication between advisor and client increasingly takes place electronically. It is therefore particularly important that tax advisors maintain their duty of confidentiality as well as comprehensive data protection. In principle, the following apply here:

  • Federal Data Protection Act (BDSG, new version)
  • Professional law of tax advisors (StBerG, DVStB, BOStB)
  • Criminal Code (StGB), in particular Section 203 StGB (violation of private secrets)
  • Fiscal Code (AO)
  • Principles for the proper management and storage of books, records and documents in electronic form and for data access (GoBD)

Choose heyData and benefit from a personal, professional contact who ensures data protection compliance at every level and to the highest standard.

FAQ

Do I need a data protection officer?

You need one if your company meets one or more of the following criteria:
- As a rule, at least 20 people are permanently engaged in the automated processing of personal data (Section 38 BDSG)
- Processing operations are carried out that require a data protection impact assessment under Article 35 GDPR, or special categories of personal data (such as ethnic origin, political opinions, religious beliefs, health or a person's sex life) are processed on a large scale as a core activity (Article 37 GDPR)
- Personal data is processed commercially for the purpose of transfer, anonymised transfer, or market or opinion research (Section 38 BDSG); this is frequently the case for companies whose business is built on personal data, e.g. in software, recruiting, headhunting or consulting

What are personal data?

According to the GDPR, personal data is any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or other characteristics. In practice, this covers all data that can be attributed to a person in any way, for example telephone numbers, ID numbers, bank account details, licence plates, customer numbers, e-mail addresses or postal addresses.

How does heyData work?

As soon as you have decided to work with heyData, we carry out an initial needs analysis and then a data protection audit with your company in order to understand its processes holistically; this process is accompanied and supervised digitally by the data protection advisor. We then work with you to prepare the necessary documentation and, where changes are needed to achieve compliance, adapt your company's website according to our instructions. Depending on the package, we are then involved in the various processes in your company that require the expertise of a data protection officer, typically HR, marketing, product and business development.

How long is the contract term?

The regular contract term is 24 months.

What is done in the data protection audit?

The data protection audit is intended to examine the processes of your company and to identify the essential points of data processing. You will then receive documentation of this so that the positions, the type of data processed and the persons responsible are also available as a diagram at any time.

A tax office without a PC or internet is unthinkable these days. Document management systems (DMS) are playing an increasingly important role and everyone in the industry is talking about cloud computing. The authorities sometimes accept documents and declarations only in electronic form, and e-mail is often used as a means of communication. All of these application scenarios are subject to the data protection concept the firm must implement.


