Tax advisory firms, administrative agencies and law practices share a characteristic that places them in a singular category within the GDPR framework: in most of their work they do not process their own data, but personal data belonging to their clients' sphere. An administrative agency handling social security registrations and deregistrations, a labour advisory firm preparing payroll for a company's employees, or a practice managing a contentious-administrative case are all operating, within the meaning of Article 4(8) of Regulation (EU) 2016/679, as processors: entities that process personal data on behalf of the controller — the client — and under its instructions. This legal position generates specific obligations that go far beyond mere professional confidentiality.
The central instrument of the processor regime is the processing agreement required by Article 28 of the GDPR. This agreement must set out the subject matter, duration, nature and purpose of the processing, the type of data and categories of data subjects, as well as a catalogue of specific obligations: processing data only on the basis of the controller's documented instructions; ensuring the confidentiality of all authorised personnel; implementing appropriate security measures in accordance with Article 32; not engaging sub-processors without the controller's prior authorisation; assisting the controller in fulfilling data subjects' rights and managing security breaches; returning or erasing data at the end of the engagement; and providing all information necessary to demonstrate compliance to the AEPD. The Agency has published a specific guide on the controller-processor relationship detailing the minimum content and validity criteria for these clauses.
Alongside their role as processors towards clients, accountancy firms and law practices also act as controllers with regard to their own data: practice employees, recruitment candidates, billing and internal accounting data, CCTV in the premises, or commercial communications. This dual role — processor towards clients and controller of their own processing activities — multiplies the scope of the required compliance and requires maintaining the Records of Activities in two distinct dimensions: as controller (Article 30(1) GDPR) and as processor (Article 30(2) GDPR). Both dimensions require different content and must be updated whenever a new client is added, a type of service is modified, or the data flow with external providers changes.
The accountancy and law practice sector frequently handles data that poses a high risk to data subjects: health data in the processing of sick leave and disability claims; data relating to criminal or administrative offences in criminal law practices; financial and asset data of great impact in insolvency proceedings or debt restructurings; data concerning minors in family law cases. Professional secrecy — enshrined for lawyers in Article 542(3) of the Organic Law on the Judiciary (Ley Orgánica del Poder Judicial) and in the General Statute of the Spanish Bar (Estatuto General de la Abogacía Española), and equivalently in the deontological rules for administrative managers and economists — supplements the GDPR obligations without replacing them. A practice cannot rely on the duty of confidentiality to evade the obligation to inform data subjects pursuant to Articles 13 and 14 of the GDPR, to respond to their rights requests within one month, or to notify the AEPD of security breaches under the conditions of Article 33 of the Regulation.
The sanctions regime of Article 83 of the GDPR, implemented in Spain through the LOPDGDD (LO 3/2018, Organic Law on Personal Data Protection and guarantee of digital rights), does not set different bands by company size or sector. Infringements affecting the basic principles of processing, data subjects' rights or the conditions of consent may result in fines of up to €20 million or 4% of total annual worldwide turnover, whichever is higher. Breaches of processor obligations — including the absence of a processing agreement or inadequate security measures — may reach up to €10 million or 2% of worldwide turnover. For most accountancy firms and law practices, which are SMEs or micro-enterprises, the proportional impact of a fine can be devastating; and the reputational harm of a public AEPD decision is even harder to repair in a sector where client trust is the primary asset.
At Summum Consultoria we guide accountancy firms, administrative agencies and law practices through their GDPR compliance with a practical approach, tailored to the real operations of the sector and respectful of the AEPD's supervisory role. We carry out the initial diagnosis of all processing activities, draft the Records of Activities in their dual dimension, prepare the processing agreements adapted to each type of service — tax, labour, accounting, legal —, implement privacy notices for clients and employees, define technical and organisational security measures proportionate to the risk, and train the team on their day-to-day obligations. Our objective is for the practice to be able to demonstrate to the AEPD, at any time and without improvisation, that it manages its clients' data with the diligence and documentation that the law requires.