Data protection for tax advisors

The processing of tax data falls under the GDPR. With us you stay 100% compliant.

Avoid expensive fines and leave the protection of your clients' data to us.

Completely GDPR compliant

No hidden costs

Reliable, verified contact person

Request advice now

Data protection for tax consultants

A tax advisor must comprehensively protect the personal rights of natural persons and at the same time protect the personal data of his clients from misuse. The tax advisor is obliged to provide his clients with comprehensive and correct advice and to protect them from any damage. He advises his clients in such a way that they can independently protect their interests and rights and that wrong decisions are ruled out as far as possible. At the same time, the tax advisor must ensure that the personal rights of natural persons are protected and that the personal data and information of the client are protected.

There is no obligation or possibility to cover this risk with professional liability insurance!

For this reason, the tax advisor must take appropriate measures to ensure data protection within the firm. For the optimal implementation of the necessary steps, it is advisable to appoint a data protection officer. In many cases, a tax consultancy is also obliged to take this step: firms that employ more than 9 people are generally obliged under the GDPR (DSGVO) to appoint a data protection officer if that number of people has access to data requiring protection.


The duty of confidentiality and the GDPR

In principle, the tax advisor is subject to a professional confidentiality obligation and thus also to the protection of all client data. However, this duty of confidentiality does not cover the requirements of the General Data Protection Regulation and the protection of personal data. This is where the GDPR and the BDSG (new) apply. For this reason, additional steps are required for tax advisors to implement data protection in the day-to-day business of the firm.


The implementation of data protection within the tax office

Within the firm, a clear responsibility must first be defined and the subject of data protection must be handed over. However, the transfer of responsibility does not mean that the firm owner is relieved of liability. It is only about the clear allocation of tasks to a coordinator, who thus becomes the contact person for data protection.

This contact person must be able to demonstrate specialist knowledge and generally take part in training courses. Conflicts of interest exclude the owner, members of the firm's management and IT managers from this field of activity. The data protection officer can be appointed from within the firm, but the above conditions speak in favor of an external solution.

An external data protection officer does not hinder the actual day-to-day business and can be terminated within specified periods. This means that the firm can concentrate on its core business. Appointing a data protection officer without appropriate specialist knowledge is no longer an option, as the legal requirements could not be met.

Talk to heyData as your data protection expert - we will take care of your concerns!


What measures does a tax firm need to take?

Processing activities

For typical processing activities of a tax office (client management, tax returns, etc.), a record of processing activities must be kept in accordance with Article 30 GDPR.

Impact assessment

If personal data is processed in the law firm, a data protection impact assessment must be carried out. In this case, too, heyData would be happy to be your desired expert!

Technical and organizational measures (TOM)

These measures are imperative for many companies. Tax firms must, for example, always maintain a suitable security standard and therefore keep an eye on their technology. Even if no processing on behalf of a controller (order processing) takes place, TOMs must be documented in order to meet the accountability obligation.

Data protection training

A data protection concept cannot be implemented without an informed workforce. Employees need to understand the concept of data protection and recognize their own advantages. The topic of data protection should be lived in-house and therefore requires regular training.

Duty to provide information

The law firm must check the website, contracts with clients and all collection options that fall within the scope of personal data and add all the required GDPR information.

Order processing

If an external service provider receives personal data, it is obliged to enter into a data processing agreement with the firm. Within tax advice, this includes, for example, DATEV or cloud service providers.

Precautions must be taken, especially in IT, which you can best evaluate with the data protection officer:

  • Is the server in its own room?
  • Can the room for the server and the telephone system be locked?
  • Who is authorized to enter these rooms?
  • Who is in control of this protection zone?

What about access controls in the tax office? You should discuss these with the data protection officer:

  • Is there a tiered authorization system?
  • Is the release of specific data organized?
  • Can unauthorized persons gain access to sensitive data within the folder?
  • Is there a user assignment?
  • Are passwords used?
  • Is a PC locked when it is inactive?
  • Is unlocking only possible with a password?
  • Are there clear user profiles?
  • Are passwords changed in a fixed cycle?

Is IT security guaranteed in the tax office? Tax offices are not always technically up to date - that is why a close look with the data protection officer is urgently recommended!

  • Are the operating systems up to date?
  • Is a current firewall in use?
  • Is reliable virus protection guaranteed?
  • Are there regular backups?
  • Are there separate storage media?
  • Is secure storage of the storage media planned?
  • Does the workforce have IT security training?
  • Is data encrypted (also on USB sticks or external hard drives)?
  • Is special software used for the transmission of confidential data?

Despite increasing digitization, some clients do not agree to confidential, electronic data transmission. This should be stipulated in writing when the mandate is issued!

As you can see, many IT topics play a role in the area of the GDPR, but despite all the digitization, paper documents are often still used. Here too, safe and correct storage must be ensured. The disposal of these documents in particular is often underestimated and overlooked as a security gap. We recommend certified disposal or a security level 3 shredder.


Data protection in the tax office - the solution: heyData

The subject of data protection in the area of tax advice is diverse. heyData will be happy to assist you and support the firm in all data protection issues. Talk to us about the subject of external data protection and arrange an information meeting with heyData today!


Why is data protection so relevant for tax advisors?

For tax advisors too, data protection and the GDPR are essential. In order to meet the requirements of tax law, tax advisors are responsible for handling personal data carefully. Such data include:

  • Contact details (address, email address, telephone numbers)
  • Tax ID
  • Information on income and expenses
  • Pay slips
  • Lifestyle information in connection with tax returns
  • Social security number
  • Bank account details


The tax office collects, stores and processes personal data on a large scale, and communication between advisor and client takes place electronically. For this reason, it is particularly important that tax advisors maintain their duty of confidentiality as well as extensive data protection. In principle, the following apply here:

  • Federal Data Protection Act (BDSG - new)
  • Professional law of tax consultants (StBerG, DVStB, BOStB)
  • Criminal Code (StGB), in particular § 203 (violation of private secrets)
  • Tax Code (AO)
  • Principles for the proper management and storage of books, records and documents in electronic form as well as for data access (GoBD)

Decide on heyData and benefit from a personal and professional contact who ensures data protection compliance at all levels and to the highest standard.

FAQ

Do I need a data protection officer?

If you and your company meet one or more of the following criteria, then YES:
- Your company employs more than 20 people
- The employees regularly process automated data
- Special categories of personal data are processed in the company, such as ethnic origin, political opinion, religious conviction, health, the person's sex life
- Business-related personal data is transmitted, collected, processed or used and this represents a core activity of the company (this is the case with almost all companies that are related to personnel, e.g. software, recruiting, headhunting, consulting, etc.) 

What are personal data?

According to the GDPR, personal data is all information that relates to an identifiable or identified natural person. The persons concerned can be identified if they can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, a location or other features. In practice, this includes all data that can be assigned to a person in any way. Examples of this are telephone numbers, ID numbers, account details, license plates, customer numbers, e-mail addresses or postal addresses.

How does heyData work?

As soon as you have decided to work with heyData, after an initial needs analysis, we will carry out a data protection audit with your company in order to understand the processes of your company holistically - this process is digitally accompanied and supervised by the data protection advisor. We will then work with you to prepare the necessary documentation and, if necessary, adapt the website of your company according to our instructions, should there be a need for changes in order to achieve conformity. Depending on the package, we are then involved in a wide variety of processes in your company that require the expertise of a data protection officer to protect you in all matters; this usually extends to HR, marketing, product but also business development processes.

How long is the contract term?

The regular contract term is 24 months.

What is done in the data protection audit?

The data protection audit is intended to examine the processes of your company and to identify the essential points of data processing. You will then receive documentation of this so that the positions, the type of data processed and the persons responsible are also available as a diagram at any time.

A tax office without a PC or internet is unthinkable these days. Document management systems (DMS) are playing an increasingly important role and everyone in the industry is talking about cloud computing. The authorities sometimes only accept documents and declarations in electronic form, and e-mail is often used as a means of communication. All of these application scenarios are subject to a data protection concept that must be implemented.