GDPR and DPA for accountants: a step-by-step guide to a compliant practice
Accountants process clients' personal data every day. Learn how to set up GDPR documentation, a Data Processing Agreement (DPA) and confidentiality agreements — digitally.
Accountants and tax advisors process names, national ID numbers, bank statements and tax returns every day. Under GDPR this constitutes processing of personal data — and that requires more than a verbal agreement.
If you use cloud-based accounting software (QuickBooks, Xero, Sage or any other SaaS tool), the provider holds client data on your behalf and is your sub-processor. You therefore need a DPA, a Data Processing Agreement, with each such tool as well as with each client.
Why accountants must address GDPR proactively
Data protection authorities across the EU have repeatedly fined organisations for handing personal data to processors without a DPA in place. For accountants and tax advisors this means:
- You are a processor — you process personal data on behalf of the client (controller).
- You need a DPA with the client — a written agreement covering what you do with their data, where you store it and how you protect it.
- You need DPAs with your tools — every cloud application that holds client data must have a DPA signed with its provider.
- You have a breach notification obligation — as a processor you must inform the client (the controller) without undue delay after becoming aware that personal data has been compromised; the controller then has 72 hours to notify the supervisory authority, so your DPA should say how and how fast you report.
Documents every accounting practice needs
| Document | For whom | When |
|----------|----------|------|
| Mandate agreement + GDPR consent | Client | When a new client signs up |
| DPA (Data Processing Agreement) | Client | Before you access their personal data |
| NDA (confidentiality agreement) | Client, employees | At the start of the engagement |
| DPA with software vendor | Cloud tool provider | When you adopt a new tool |
Step by step: GDPR onboarding for a new client
Step 1 — Mandate agreement with processing scope
Alongside standard terms (scope, fees, deadlines) the mandate agreement must include:
- a list of personal data categories processed (national IDs, banking data)
- the purpose of processing (bookkeeping, tax advice)
- the retention period (commonly 10 years for accounting records under national bookkeeping rules; confirm the period that applies in your jurisdiction)
Step 2 — DPA as a separate document or annex
The DPA defines in detail:
- technical and organisational security measures (encryption, access controls)
- names of sub-processors (cloud tools, external IT support)
- data subject rights and the procedure for exercising them
- the procedure in the event of a security incident
Step 3 — Digital signature via zipzipdoc
- Create a mandate agreement + DPA template in zipzipdoc.
- Enter the client’s name and email address.
- The client receives a link, reads the documents and signs on their phone — no registration needed.
- Signed documents are stored with an audit trail — timestamp, IP address, document hash.
The entire onboarding takes less than 5 minutes, compared with sending PDFs by email, waiting for a scanned copy and archiving it manually.
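What the document hash in the audit trail buys you is tamper evidence: years later you can prove that the archived file is byte-for-byte the one the client signed. The following is an added illustration, not zipzipdoc's own code, of how such a check works. The document bytes, the signer IP (a documentation-range address) and the audit record field names are all constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample: the bytes of a signed mandate agreement as archived.
# In practice this is the PDF read back from the archive.
SIGNED_DOCUMENT = b"%PDF-1.7\nMandate agreement - Example Ltd - signed 2024-03-01\n%%EOF\n"


def document_hash(data: bytes) -> str:
    """SHA-256 hex digest of the exact archived bytes; any change alters it."""
    return hashlib.sha256(data).hexdigest()


def make_audit_record(data: bytes, signer_ip: str, signed_at: datetime) -> dict:
    """Audit trail entry written at signing time: timestamp, IP address and
    document hash (the three fields named in the text; the key names are
    this example's own assumption)."""
    return {
        "signed_at": signed_at.astimezone(timezone.utc).isoformat(),
        "signer_ip": signer_ip,
        "sha256": document_hash(data),
    }


def verify_archived_document(data: bytes, record: dict) -> bool:
    """Later integrity check: recompute the hash of the archived bytes and
    compare it with the value recorded at signing time.  compare_digest
    avoids leaking where the two strings first differ."""
    return hmac.compare_digest(record["sha256"], document_hash(data))


def tampered_copy(data: bytes) -> bytes:
    """Simulate a single changed byte in the archive (e.g. an edited amount)."""
    return data.replace(b"2024-03-01", b"2024-03-02", 1)


# Record created when the client signed (constructed timestamp and IP).
SAMPLE_RECORD = make_audit_record(
    SIGNED_DOCUMENT,
    signer_ip="203.0.113.7",
    signed_at=datetime(2024, 3, 1, 9, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print("original matches record:", verify_archived_document(SIGNED_DOCUMENT, SAMPLE_RECORD))
    print("tampered matches record:", verify_archived_document(tampered_copy(SIGNED_DOCUMENT), SAMPLE_RECORD))
```

The audit record is only as trustworthy as the place it is kept: store it separately from the document it describes (or have the signing service retain it), otherwise whoever can alter the file can also rewrite the hash.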
Common GDPR mistakes accountants make
Mistake 1: Mandate agreement without GDPR clauses
The mandate agreement alone is not enough. It must state the purpose of the processing and the lawful basis for it. For bookkeeping and tax work that basis is usually performance of the contract or a legal obligation rather than the data subject's consent, so a consent form on its own does not make the engagement compliant.
Mistake 2: No DPA with cloud tools
If your data lives in the cloud, the cloud tool providers are your sub-processors. You must have a DPA with each of them, and the client must have authorised their use; listing them in your DPA with the client covers this.
Mistake 3: Paper documentation with no archive
Paper consents get lost. Digital documents in zipzipdoc are always accessible and searchable.
Mistake 4: Outdated records of processing activities
Every new client, new tool or change in processing scope requires an update to your records of processing activities.
Templates for accounting practices in zipzipdoc
- Mandate agreement for bookkeeping (with GDPR clauses)
- DPA — Data Processing Agreement for accountants
- NDA for employees and external collaborators
- Personal data processing consent (client form)
Related contract types: GDPR consent · Data Processing Agreement (DPA) · NDA — non-disclosure agreement · Mandate agreement
