Qualification of accountants - data processor or data controller

GDPR has become fully effective, yet many colleagues and consultants still argue about how an accountant should be qualified with regard to data processing. Many accounting offices provide their clients with data processing agreements and ask them to conclude such an agreement. It is recommended to read the following articles before deciding on the qualification of the processing role or concluding a data processing agreement.


“A firm uses an accountant to do its books. When acting for his client, the accountant is a data controller in relation to the personal data in the accounts. This is because accountants and similar providers of professional services work under a range of professional obligations which oblige them to take responsibility for the personal data they process. For example if the accountant detects malpractice whilst doing the firm’s accounts he may, depending on its nature, be required under his monitoring obligations to report the malpractice to the police or other authorities. In doing so an accountant would not be acting on the client’s instructions but in accordance with its own professional obligations and therefore as a data controller in his own right.

Where specialist service providers are processing data in accordance with their own professional obligations they will always be acting as the data controller and cannot agree to hand over or share data controller obligations with the client in this context.”


(page 13)

Art.29 WP

Example No. 23: Accountants

“The qualification of accountants can vary depending on the context. Where accountants provide services to the general public and small traders on the basis of very general instructions (“Prepare my tax returns”), then - as with solicitors acting in similar circumstances and for similar reasons - the accountant will be a data controller.

However, where an accountant is employed by a firm, and subject to detailed instructions from the in-house accountant, perhaps to carry out a detailed audit, then in general, if not a regular employee, he will be a processor, because of the clarity of the instructions and the consequent limited scope for discretion. However, this is subject to one major caveat, namely that where they consider that they have detected malpractice which they are obliged to report, then, because of the professional obligations they owe they are acting independently as a controller.”


(page 29)


Further guidance and opinions on this issue were also recently issued by German data protection authorities, clearly defining accountants as data controllers.

Please check the following links: