My Data Solution, No. 1 in GDPR compliance for Chartered Accountants

• Enhance data by exploiting data in a legal and qualitative manner
• Increase the trust of customers, partners and prospects through transparency,
• Strengthen and strengthen the firm’s brand image,
• Acquire new customers and new markets,
• Win calls for tenders (public buyers are required to verify the GDPR compliance of bidders),
• Improve the internal organization and strengthen the trust of the organization’s employees.

In the context of the missions carried out by chartered accountants, this question requires a case-by-case analysis. Indeed, if the firms are in particular responsible for the processing they carry out on the personal data of their employees; and that we can consider, to a certain extent, that the firms would rather be qualified as subcontractors with regard to missions relating to payroll and social missions, and as data controllers with regard to accounting and legal secretarial missions. It is nevertheless risky to define typical missions for which the data controller accounting firm and others for which they would be subcontractors within the meaning of the GDPR.

As a reminder, if you act as a subcontractor, that is to say that you process or collect data on behalf of another entity (company, community, association), you have specific obligations to guarantee the protection of the data entrusted to you.

In order to identify this qualification between data controller, subcontractor or joint controller, it is therefore appropriate to ask the following three main questions:

• • Who determines the purpose of the processing?

• • Who has control over the processing of personal data?

• • Who determines the essential means of processing?

If the answer to each of these questions is the accounting firm, then it is responsible for the processing.

The firm’s responsibility and its obligation to provide information differ depending on the qualification. The CSOEC also recommends that the obligation to provide information to individuals be assumed by the client when the firm is jointly responsible for the processing.

Since May 25, 2018, any organization that does not respect its obligations regarding the protection of personal data (GDPR and Data Protection Act) is exposed to administrative and criminal sanctions.

Following inspections or complaints, in the event of non-compliance with the provisions of the GDPR or the law by data controllers and subcontractors, the CNIL may impose sanctions on data controllers and/or their subcontractors who do not comply with these texts.

When breaches of the GDPR or the law are brought to its attention, the CNIL may :

• • Issue a call to order;

• • Request processing to be brought into compliance, including under penalty;

• • Temporarily or permanently limit processing ;

• • Suspend data flows ;

• • Order to comply with requests to exercise the rights of individuals, including under penalty payment ;

• • Imposing an administrative fine which may be made public and the amount of which can be as follows:

• • Up to 2% of the company’s global turnover for breaches such as the absence of a processing register, failure to report following a detected breach, failure to conduct a privacy impact study (in the case of sensitive data), etc.

• • Up to 4% of global turnover, particularly in the event of refusal to comply with CNIL injunctions, data processing illegal, lack of consent, non-compliance with the rights of individuals, etc.

Also, any person affected by a violation of their personal data by the data controller and/or its subcontractor, and having suffered material or moral damage as a result of this violation, may obtain compensation for their loss, in particular in the form of damages. In the event of an inspection by the CNIL, you must be able to guarantee the protection of personal data and demonstrate the measures taken to this effect.

It is necessary to comply with the GDPR for several reasons.

First of all, it is an obligation imposed on any organization, public or private, processing personal data as soon as it is established on the territory of the European Union or its activity directly targets European residents.

Next, organizations that do not comply with the GDPR are exposed to high risks of sanctions, including administrative fines that can amount to 2 or 4% of the company’s annual global turnover.

Finally, beyond being a legal and regulatory obligation and constituting an increased risk of sanction, the GDPR is a real opportunity since it allows to:

• • Valorize data by exploiting data in a legal and qualitative manner

• • Increase the trust of customers, partners and prospects thanks to the transparency

• • Consolidate and strengthen the firm’s brand image

• • Acquire new clients and new markets

• • Win calls for tender (public buyers are required to verify compliance GDPR of tenderers)

• • Improve the internal organization and strengthen the trust of the organization’s employees

Being GDPR compliant is therefore essential.

In application of article 155 of the Decree of March 30, 2012 relating to the exercise of the activity of chartered accountant, chartered accountants are required to provide information and advice to their clients or members.

Therefore, in his capacity and his duty of advice, the role of the chartered accountant is to ensure that his clients comply with the GDPR, in particular during his audit missions or the development of support offers. To avoid any disputes due to lack of information and advice, accountants must therefore at least inform their clients of their obligation to comply with the GDPR.

A partnership between the CNIL and the CSOEC was concluded in this sense in 2020 in order to disseminate a culture of personal data protection among accountants, both for the compliance of their own structure but also in their local role with companies.

Indeed, accountants have in-depth knowledge of the risks linked to their clients’ activity and they are a privileged contact to meet their compliance needs. The CSOEC thus considers that “Accountants are competent in the area of ​​personal data protection since they have already implemented the obligations imposed by the GDPR within their firms. They can therefore propose a mission in which they support their client companies in implementing the GDPR”.

It is in this context that the accountant is required to both alert his clients about their GDPR compliance and to offer them services relating to GDPR compliance.

The GDPR compliance process involves implementing several measures, including:

• • Create a data processing register

It allows the firm to have an overview of the data processing it carries out. The register requires the identification of the main activities of the firm that use the processing of personal data, which are called processing operations. The accountant responsible for processing or the subcontractor must therefore create a file for each processing operation identified, indicating in particular its purpose, i.e. the objective for which the data is processed by the firm.

Finally, the register must be updated regularly because firms may be required to change software, develop their internal organization or change subcontractors. Data protection must therefore be continuous.

Please note: It is strongly recommended that the data protection officer (DPO) be responsible for keeping the processing register, who will be responsible for updating it regularly.

• • Sort the data

The firm must limit itself to collecting data that is strictly necessary for processing. This is the principle of data minimization. Thus, data must only be processed if:

• • they are necessary for the activity of the organization;

• • they are not so-called “sensitive” data, otherwise it is necessary to ensure that the firm has the right to process them;

• • data is accessible only to authorized persons;

• • data is kept only for the necessary and/or regulatory time;

• • Respect the rights of individuals.

The GDPR aims to strengthen the protection of individuals’ data. This is why it has come to confer on them a certain number of rights, in particular the right of access, rectification, opposition, erasure, the right to limit processing, and portability. It is up to the data controller to implement measures to ensure that these rights are respected.

• • Securing personal data

The data controller must take the necessary measures to ensure the security of personal data by reducing the risks of data breaches, in particular by respecting the following principles:

• • The principle of confidentiality: data must be accessible only to authorized persons

• • The principle of integrity: data must not be altered or modified

• • The principle of availability : data must be permanently accessible to authorized persons

<!– /wp:list

Au-delà des responsabilités inhérentes à la qualité de responsable de traitement, le RGPD implique de nouvelles responsabilités pour les experts-comptables. Tout d’abord, ils voient leur responsabilité renforcée en matière de devoir d’information et de conseil, du fait de leur devoir d’informer leurs clients quant à l’obligation d’être en conformité au RGPD.

Ensuite, le RGPD consacre une logique de responsabilisation de tous les acteurs et impose des obligations spécifiques aux sous-traitants qui doivent aider les responsables de traitement dans leur démarche permanente de mise en conformité.

Dès lors, dès qu’un cabinet intervient en qualité de sous-traitant dans le cadre de ses missions, celui-ci doit offrir à ses clients « des garanties suffisantes quant à la mise en œuvre de mesures techniques et organisationnelles appropriées de manière à ce que le traitement réponde aux exigences du présent règlement et garantisse la protection des droits de la personne concernée » (Art.28 RGPD).

Le cabinet doit alors notamment assister et conseiller ses clients dans leur conformité à certaines obligations prévues par le RGPD (analyses d’impact, notification de violation, sécurité, destruction des données, contribution aux audits). Cela implique :

• • Une obligation de transparence et de traçabilité

• • La prise en compte des principes de protection des données dès la conception et par défaut

• • Une obligation de garantir la sécurité des données traitées

• • Une obligation d’assistance, d’alerte et de conseil

C’est dans ce contexte que l’Ordre des experts comptables préconise notamment de revoir les contrats de mission conclus entre les experts-comptables et leurs clients, en incluant dans les lettres de mission de nouvelles clauses sur la responsabilité des traitements des do

Le RGPD a instauré la fonction de Délégué à la Protection des Données (DPD) / Data Protection Officer (DPO). L’article 37 du RGPD vise 3 situations dans lesquelles la désignation d’un DPO est obligatoire :

• • Le traitement de données personnelles est mis en œuvre par une autorité publique ou un organisme public ;

• • L’entité concernée a pour activités de base la mise en œuvre de traitement de données qui, du fait de leur nature, de leur portée et/ou de leur finalité, exigent un suivi régulier et systématique à grande échelle d’individus ;

• • L’entité concernée a pour activités de base la mise en œuvre de traitement à grande échelle de catégories particulières de données (données de santé, relatives aux opinions philosophique, religieuses, etc.) ou de données relatives à des condamnations pénales ou des infractions.

Si l’un de ces trois critères est rempli, l’entité concernée a l’obligation de désigner un DPO. Si la désignation d’un DPO n’est donc pas nécessairement obligatoire, il est dans tous les cas vivement recommandé de désigner à minima un référent RGPD parmi les collaborateur

The AFCDP has established a list of 15 good reasons to appoint a DPO, namely the appointment of a DPO:

• helps reduce legal risk
• contributes to reducing administrative formalities
• allows an organization to benefit from a privileged relationship with the CNIL, with dedicated contacts
• enables an organization to implement personal data processing more quickly
• improves the organization’s brand image
• contributes to improving the social climate (cyber surveillance management)
• promotes the implementation of a quality approach for information management within the organization (processing mapping)
• helps improve the organization’s IT security policy
• helps reduce information processing costs (streamlining processes, deleting obsolete data)
• helps reduce customer management costs (exercising access rights, dispute management)

The GDPR implies two main changes in the exercise of the missions of chartered accountants. First of all, chartered accountants now have the duty to inform their clients about the obligation to be in compliance with the GDPR. Then, the GDPR establishes a logic of accountability for all stakeholders and imposes specific obligations on subcontractors who must assist data controllers in their ongoing compliance process.

Therefore, as soon as a firm acts as a subcontractor in the context of its missions, it must in particular assist and advise its clients in their compliance with certain obligations provided for by the GDPR (impact analyses, breach notification, security, data destruction, contribution to audits). This implies:

• • An obligation of transparency and traceability

• • Taking into account data protection principles from the design stage and by default

• • An obligation to guarantee data security processed

• • An obligation to provide assistance, alerts and advice

It is in this context that the Order of Chartered Accountants recommends reviewing the mission contracts concluded between chartered accountants and their clients, by including new clauses on the responsibility for the processing of personal data in the mission letters.