GDPR for accountants in the EU
An EU accountancy practice has three overlapping data protection roles: data controller for its own operations, data processor for client data handled under instruction, and a regulated entity under AMLD4/5 whose statutory retention obligations directly conflict with GDPR’s storage limitation principle. Each role requires separate documentation, and the conflicts between them require a specific documented resolution.
Controller and processor — both apply
An accountancy practice is a controller for its own operational data — staff records, accounts, practice management, marketing. It is a processor for data handled on client instructions — payroll, employee records, bookkeeping with client customer or supplier data. Both roles must be documented. A Data Processing Agreement compliant with Article 28(3) EU GDPR must be in place with each client for whom the firm acts as processor, before processing begins. Most engagement letters do not satisfy Article 28(3).
Article 28(3) DPA mandatory content
The DPA must specify: processing only on documented controller instructions; confidentiality obligations on staff; security measures under Article 32; sub-processor restrictions and equivalent obligations; assistance with data subject rights and security obligations; deletion or return of data on termination; and provision of information and audit cooperation. A generic data protection clause in an engagement letter does not contain these provisions and does not satisfy the requirement.
AMLD4/5 retention conflict
AMLD4/5 (as transposed in each member state) requires accountancy practices to retain CDD records for five years from the end of the client relationship. GDPR’s storage limitation principle requires deletion when no longer necessary. Article 17(3)(b) resolves the conflict — the exemption from erasure where retention is required by law — but the resolution requires active documentation:
- The conflict and its resolution documented in the data retention policy
- The five-year retention period reflected in the privacy notice served on clients
- The exemption applied only to CDD records, not all client data
- Destruction of CDD data at the end of the five-year period, with destruction recorded
DSAR and tipping off
Where an accountancy firm has filed a Suspicious Transaction Report (STR) with a national FIU and that client submits a data subject access request, responding fully could disclose the STR — constituting the tipping-off offence under AMLD4/5 Article 39 and national implementing legislation.
Member state law implementing Article 23 EU GDPR typically provides a crime prevention exemption from the right of access. A documented procedure should be in place before this situation arises, covering:
- STR log check on receipt of every DSAR
- MLCO escalation where the requester matches an STR subject
- Selective withholding of STR-related information under the Article 23 exemption
- Documented basis for each withholding decision, retained as evidence
Professional body obligations
EU accountancy professional bodies (including ACCA, ICAEW for EU-registered members, and the national institutes) may have their own quality assurance and inspection programmes that include review of data protection arrangements. Evidence of a complete, governed compliance programme — ROPA, DPAs, breach log, staff training, and a retention policy with the AML conflict addressed — materially strengthens the firm’s position in any professional body inspection or supervisory authority investigation.
Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.