Sector profesional

GDPR for accountancy firms, administrative agencies and law practices

Accountancy firms, administrative agencies and law practices handle personal data of third parties every day — employees, taxpayers, parties to proceedings — in their role as processors under Article 28 of the GDPR (General Data Protection Regulation, EU Regulation 2016/679). The combination of professional secrecy, high volumes of sensitive data and contractual obligations towards each client makes this sector one of the most exposed to scrutiny by the AEPD (Agencia Española de Protección de Datos, the Spanish Data Protection Authority). At Summum Consultoria we guide you through full compliance: processing agreements, records of activities in their dual dimension, security measures proportionate to the risk and staff training, without replacing the supervisory role of the regulator.

Applicable lawGDPR (EU) 2016/679 · LOPDGDD (LO 3/2018)
Key legal figureProcessor (art. 28 GDPR)
Supervisory authorityAEPD — Agencia Española de Protección de Datos

Tax advisory firms, administrative agencies and law practices share a characteristic that places them in a singular category within the GDPR framework: in most of their work they do not process their own data, but personal data belonging to their clients' sphere. An administrative agency handling social security registrations and deregistrations, a labour advisory firm preparing payroll for a company's employees, or a practice managing a contentious-administrative case are all operating, within the meaning of Article 4(8) of Regulation (EU) 2016/679, as processors: entities that process personal data on behalf of the controller — the client — and under its instructions. This legal position generates specific obligations that go far beyond mere professional confidentiality.

The central instrument of the processor regime is the processing agreement required by Article 28 of the GDPR. This agreement must set out the subject matter, duration, nature and purpose of the processing, the type of data and categories of data subjects, as well as a catalogue of specific obligations: processing data only on the basis of the controller's documented instructions; ensuring the confidentiality of all authorised personnel; implementing appropriate security measures in accordance with Article 32; not engaging sub-processors without the controller's prior authorisation; assisting the controller in fulfilling data subjects' rights and managing security breaches; returning or erasing data at the end of the engagement; and providing all information necessary to demonstrate compliance to the AEPD. The Agency has published a specific guide on the controller-processor relationship detailing the minimum content and validity criteria for these clauses.

Alongside their role as processors towards clients, accountancy firms and law practices also act as controllers with regard to their own data: practice employees, recruitment candidates, billing and internal accounting data, CCTV in the premises, or commercial communications. This dual role — processor towards clients and controller of their own processing activities — multiplies the scope of the required compliance and requires maintaining the Records of Activities in two distinct dimensions: as controller (Article 30(1) GDPR) and as processor (Article 30(2) GDPR). Both dimensions require different content and must be updated whenever a new client is added, a type of service is modified, or the data flow with external providers changes.

The accountancy and law practice sector frequently handles data that poses a high risk to data subjects: health data in the processing of sick leave and disability claims; data relating to criminal or administrative offences in criminal law practices; financial and asset data of great impact in insolvency proceedings or debt restructurings; data concerning minors in family law cases. Professional secrecy — enshrined for lawyers in Article 542(3) of the Organic Law on the Judiciary (Ley Orgánica del Poder Judicial) and in the General Statute of the Spanish Bar (Estatuto General de la Abogacía Española), and equivalently in the deontological rules for administrative managers and economists — supplements the GDPR obligations without replacing them. A practice cannot rely on the duty of confidentiality to evade the obligation to inform data subjects pursuant to Articles 13 and 14 of the GDPR, to respond to their rights requests within one month, or to notify the AEPD of security breaches under the conditions of Article 33 of the Regulation.

The sanctions regime of Article 83 of the GDPR, implemented in Spain through the LOPDGDD (LO 3/2018, Organic Law on Personal Data Protection and guarantee of digital rights), does not set different bands by company size or sector. Infringements affecting the basic principles of processing, data subjects' rights or the conditions of consent may result in fines of up to €20 million or 4% of total annual worldwide turnover, whichever is higher. Breaches of processor obligations — including the absence of a processing agreement or inadequate security measures — may reach up to €10 million or 2% of worldwide turnover. For most accountancy firms and law practices, which are SMEs or micro-enterprises, the proportional impact of a fine can be devastating; and the reputational harm of a public AEPD decision is even harder to repair in a sector where client trust is the primary asset.

At Summum Consultoria we guide accountancy firms, administrative agencies and law practices through their GDPR compliance with a practical approach, tailored to the real operations of the sector and respectful of the AEPD's supervisory role. We carry out the initial diagnosis of all processing activities, draft the Records of Activities in their dual dimension, prepare the processing agreements adapted to each type of service — tax, labour, accounting, legal —, implement privacy notices for clients and employees, define technical and organisational security measures proportionate to the risk, and train the team on their day-to-day obligations. Our objective is for the practice to be able to demonstrate to the AEPD, at any time and without improvisation, that it manages its clients' data with the diligence and documentation that the law requires.

The GDPR for accountancy firms, administrative agencies and law practices process.

The process · four stages
01

Diagnosis and processing map

We analyse the totality of the practice's personal data processing activities: both its own — employees, billing, candidates, commercial communications — and those carried out on behalf of each client. For each activity we identify whether the practice acts as controller or processor, the applicable legal basis, the categories of data involved, the recipients and the retention periods, and we determine the priority compliance gaps with respect to the GDPR and the LOPDGDD.

02

Processing agreements and privacy documentation

We draft the processing agreements (art. 28 GDPR) tailored to each type of service provided by the practice: labour, tax, accounting or legal advisory. We compile the Records of Activities in their dual dimension — controller (art. 30(1)) and processor (art. 30(2)) —, privacy notices for clients and employees, the website privacy policy and the information clauses required by Articles 13 and 14 of the GDPR.

03

Security measures and staff training

We implement the technical and organisational security measures required by Article 32 of the GDPR, proportionate to the actual risk profile of the practice: access control policy for case files, password management, encryption of sensitive documents, protocol for the use of portable devices and data backups. We train all personnel with access to data on their specific obligations: confidentiality, handling rights requests and responding to security incidents.

04

Ongoing review and incident support

GDPR compliance is not a one-off implementation project, but an ongoing management system. We conduct periodic reviews to update documentation whenever processing activities or legislation change, assist with responding to data subjects' rights requests, reply to AEPD enquiries and support the practice in managing any security breach, including risk assessment and notification to the Agency within the deadline set by Article 33 of the GDPR.

What is included

What GDPR for accountancy firms, administrative agencies and law practices includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Processing agreements (art. 28 GDPR)

    Drafting of agreements between the practice and its clients when it acts as processor: subject matter, processor obligations, controller instructions, confidentiality, security, sub-processing arrangements and return or erasure of data at the end of the service.

  • Records of Activities in dual dimension (art. 30 GDPR)

    Preparation of the Records as controller (art. 30(1)) for the practice's own data, and as processor (art. 30(2)) for data processed on behalf of each client, with the minimum content required by the Regulation.

  • Privacy notices and information clauses

    Drafting of the website privacy policy, notices for clients and employees and information clauses in accordance with Articles 13 and 14 of the GDPR, adapted to the types of data managed by the practice in each service area.

  • Technical and organisational security measures (art. 32 GDPR)

    Assessment and documentation of measures proportionate to the risk: access control to case files, password policy, encryption of sensitive documents, portable device management, data backups and secure destruction of documents containing personal data.

  • Security breach management protocol

    Design of the internal protocol for detecting, classifying and managing security incidents: criteria for notification to the AEPD within 72 hours (art. 33 GDPR), notification templates, communication to affected parties when the risk is high (art. 34) and breach register (art. 33(5)).

  • Training and confidentiality commitments

    Practical training sessions for the team — administrative staff, advisors, lawyers, trainees and external collaborators — on data protection obligations, and drafting of individual confidentiality undertakings in accordance with the LOPDGDD and the GDPR.

Frequently asked questions about GDPR for accountancy firms, administrative agencies and law practices.

In what situations does an accountancy firm or administrative agency act as processor?

An accountancy firm or administrative agency acts as processor whenever it processes personal data on behalf of its client and following that client's instructions. The most common situations are: a labour advisory firm that manages payroll, employment contracts and sick leave for a corporate client; an administrative agency that handles tax returns or social security registrations including third-party data; a law practice that handles procedural documentation containing personal data of the parties. In all these cases, Article 28 of the GDPR requires that a processing agreement exist between the practice and its client, and that the practice fulfil the specific obligations that article imposes on the processor. Without that agreement, both the practice and the client are in breach.

What must the processing agreement with clients include?

Article 28(3) of the GDPR sets out the mandatory minimum content: the subject matter and duration of the processing, its nature and purpose, the type of data and the categories of data subjects. In addition, the agreement must capture the specific obligations of the processor: processing data only on the basis of the controller's documented instructions; ensuring the confidentiality of all authorised personnel; implementing the security measures under Article 32; not engaging sub-processors without the controller's prior authorisation; assisting the controller in fulfilling data subjects' rights and managing security breaches; returning or erasing data at the end of the engagement; and providing the information needed to demonstrate compliance. The AEPD has published a specific guide on the controller-processor relationship setting out the content and interpretation of each of these clauses.

Are law practices or administrative agencies required to appoint a DPO?

The obligation to designate a Data Protection Officer depends on the specific characteristics of the processing activities. Under Article 37(1) of the GDPR, a DPO is mandatory where the core activities of the controller or processor involve large-scale processing of special categories of data (art. 9 GDPR, such as health data) or the regular and systematic monitoring of data subjects on a large scale. For most small- and medium-sized practices and agencies this condition is not met and a DPO is not legally required. The LOPDGDD (LO 3/2018) adds Spain-specific situations of mandatory appointment for certain entities, but does not establish a general obligation for the advisory sector. Regardless of the legal requirement, having an external DPO provides legal certainty, expert availability before the AEPD and continuous compliance oversight.

Can the practice share client data with external collaborators or cloud software?

When a practice subcontracts part of the processing to an external collaborator, an associated agency or a cloud software provider, that third party acts as sub-processor. Article 28(2) of the GDPR requires the practice to obtain the client's (controller's) prior authorisation before engaging sub-processors, and to ensure that the sub-contract imposes on the sub-processor the same security and confidentiality obligations as the main agreement. If the practice's management software processes client data on third-party servers, the provider is a sub-processor and the practice must verify that the appropriate agreement is in place and that the provider applies security measures equivalent to those required by Article 32 of the GDPR.

What sanctions can the AEPD impose on an accountancy firm or law practice that breaches the GDPR?

Article 83 of the GDPR establishes a tiered sanctions regime. The most serious infringements — violating the basic principles of processing, data subjects' rights or the conditions of consent — may result in fines of up to €20 million or 4% of total annual worldwide turnover, whichever is higher. Breaches of processor obligations — such as not having formalised the agreement required by Article 28 or not applying adequate security measures — may carry fines of up to €10 million or 2% of worldwide turnover. The AEPD takes into account as mitigating circumstances cooperation with the Agency, measures taken to reduce harm and the non-intentional nature of the breach; the final amount in the case of an SME is weighted according to its actual economic capacity.

What is the difference between the repealed LOPD and the current LOPDGDD as it affects practices?

Organic Law 15/1999 on Data Protection (LOPD) was repealed and replaced by Organic Law 3/2018 on Personal Data Protection and guarantee of digital rights (LOPDGDD), which aligns the Spanish legal order with the GDPR applicable since 25 May 2018. For accountancy firms and law practices the most relevant differences are: the LOPDGDD expressly regulates the processing of data in the employment sphere and the conditions for employee consent; it extends employees' digital rights, such as the right to digital disconnection; it regulates the DPO role and the situations in which appointment is mandatory in Spain; and it articulates the sanctions regime pursuant to Article 83 of the GDPR. Documenting processing activities in accordance with the current LOPDGDD, and not the repealed LOPD of 1999, is the standard required before the AEPD.