Protection of personal data in the system of modern accounting in the context of the implementation of the Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016

<a href="https://dx.doi.org/10.15611/fins.2019.3.06">DOI: 10.15611/fins.2019.3.06</a> <p>JEL classification: M41, I25.</p> <p xml:lang="en-US"><span>Keywords:</span> accounting, accounting services, data protection, behavior of service providers.</p> <h2>1. Introduction</h2> <p>The modern approach to accounting commonly indicates its practical function, which is to provide users with information to make correct decisions and to hold managers accountable for managing the assets of their organizations, and hence the generated results. As has repeatedly been noted, accounting on a global scale is treated as the language of business, leading to its convergence for transnational audience expectations. The internationalization and globalization of business and the related flows of information result in the need for the protection of personal data being processed and transferred in order to secure the interests of users. As noted by N. Artieniewicz [Artieniewicz 2018], the general view of accounting depicts it as dealing with facts, regulations, and dry numbers alone and where their treatment is not considered as human behavior, which should be reasonable, but it is not always so. Financial and accounting processes should also be seen as including human beings, their qualities, motives, consistency of behavior, decisions, attitudes and individual circumstances. According to the author of this article, they will have <br />a definite influence on the correct understanding and application of EU Regulation 2016/679, which was implemented by individual countries in the form of the provisions in their regulations.</p> <p>This article is an attempt to analyze the existing solutions in the field of personal data protection regarding the above-mentioned Regulation, the Act of May 10, 2018 and the provisions adopted by entities and institutions subject to them, providing services in the field of accounting (accounting offices), tax advisory and audit. It should also be emphasized that the correct implementation of the provisions depends on the actions of the people using them and their diligence in this respect, which undoubtedly has its roots in the perception of accounting through its behavioral prism.</p> <p>The methods adopted for the research were: critical analysis of the available literature and source documents prepared for the implementation of GDPR solutions, and direct interviews.</p> <p>Training and advisory materials on this subject prepared by numerous law firms (32) were analyzed, providing a valid explanation, understanding and implementation of the new obligations in the field of data protection.</p> <p>In addition the author conducted pilot interviews in accounting offices (17) concerning the protection of personal data, to indicate the approach of service providers to the performance of the tasks in the field of personal data protection. However, due to the fact that the new regulations had not been introduced until recently, they did not bring significant results extending beyond the recommendations proposed by the accounting firms. The hypothesis put forward for the purposes of this study was whether there would be an increase in the awareness of the contracting parties with the expiry of the validity of the GDPR solutions. At the time of commencement of the study, representatives of the offices declared unanimously that they were only at the stage of investigating the regulations and that reflection will come at a later stage.</p> <h2>2. GDPR regulations</h2> <p>On 28 May 2018, in Poland and other European Union countries, a regulation on the protection of personal data commonly referred to as the GDPR came into force. Regulation (EU) 2016/679<a id="footnote-32917-1-backlink" href="#footnote-32917-1">1</a> of the European Parliament and of the Council <br />of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation). It should be emphasized that the Regulation on the protection of personal data is a new EU legal act which aims to strengthen and harmonize data protection laws across the European Union. In addition, it aims to provide solutions to improve the Member States’ preparation for the rapid changes caused by developing technologies, especially in the field of data transmission and processing by those responsible.</p> <p>GDPR, however, leaves many issues to the internal regulations of the Member States. This includes the organization of regulatory bodies, certification, the conduct of proceedings before the supervisory authority, the amount of financial penalties and the additional sanctions in case of non-compliance with data protection law. Against this background, the Polish authorities have developed an appropriate law on the protection of personal data, namely the Act of 10 May 2018 on Personal Data Protection [The Act of 10 May 2018…] announced on May 24, 2018. The relevant law should be applied to the specific issues forwarded by the EU legislator to be regulated at the level of national laws. The introduced provisions apply directly, which means that they are binding for each economic operator and apply to all individuals without exception on the provision of their services or other business transactions for individuals throughout the European Union, regardless of whether the seat of the economic entity is located in the EU or not. The starting point is, which is not without significance, the offering of services to persons residing in the Union.</p> <p>The new solution applies to all sectors of the economy, including accounting offices, tax advisors and auditors (often providing accounting services to businesses in addition to services related to taxes and auditing the financial statements), required to protect customer data.</p> <p>With the right action, when implementing the provisions of the above mentioned Act, on the one hand, an accounting office gains the trust of customers, and <br />on the other, reduces the risk of data leakage and possible financial penalty or even a ban on doing the business in the event of a negative opinion of the Office for the Protection of Personal Data (UODO). This is obviously conditioned by the normal activities and ethics of employees.</p> <p>According to point 26 of the Regulation, personal information is defined <br />as data concerning an identified or identifiable natural person. To determine whether a person is identifiable, one should take into account any reasonably probable ways (including the identification of entries for the person), for which there is a reasonable probability that it will be used by a controller or other person for the direct or intermediate identification of the individual.</p> <p>In order to properly protect the personal data, a controller is appointed who is obliged, on the basis of its their knowledge and experience, to assess the risks and evaluate which solutions will be the most correct in the context of the specific nature of the business entity. The controller also has the obligation to use such technical and organizational measures, which will support the protection of personal data processing. This includes loss, unauthorized access and/or damage.</p> <p>An example of the actions of a controller can be the obligation to keep a register of processing operations that is not occasional or involves the so-called sensitive data (this does not apply to an entity employing fewer than 250 persons, unless the processing of data can cause a risk of violation of the rights or freedoms <br />of the persons). GDPR rules dictate the need to protect personal data by any <br />of the controllers on the level of data collection and processing system design (i.e. Privacy by design) and at the level of the default settings in the data processing systems (i.e. Privacy by default). The purpose of this requirement is to maximize the protection of personal data at every stage of their processing and within the duration of the responsible controller’s role in this task, therefore the controller prepares <br />a draft of the personal data processing system. They should analyze what data will be processed, to what extent, in what period of time and for what purpose.</p> <p>The assessment of the data also leaves the decision as to the obligation to assess the consequences of his/her actions for data protection (privacy impact assessment) as well as a consultation with the supervisory authority or the appointment <br />of a Data Protection Officer (DPO) to support the controller. They shall be appointed by the controller of the data and the actor providing the data to be processed. The DPO’s role has been strengthened thanks to the powers that used to belong to the information security controller (ABI). It should be stressed that the appointment <br />of an inspector has now become the responsibility instead of the earlier privilege <br />of the controller, especially when the main activity of the controller or the processor relates to such processing operations that, because of their sensitivity, scope, purpose and nature and specificity require current, systematic monitoring. </p> <p>It can therefore be assumed that the important personal data will include:</p> <ul> <li>name and surname,</li> <li>PESEL (citizen identification number) or NIP (tax identification number),</li> <li>ID, Internet name,</li> <li>address information,</li> <li>email,</li> <li>other factors: physical, physiological, genetic, mental, economic, cultural or social identity of the individual. </li> </ul> <p>On this basis it must be noted that any operator, including accounting offices, which inherently collect and process data about their customers will be required to implement the requirements of GDPR. This will apply to the stage at which the system is designed (e.g. financial and accounting systems, human resources, tax returns, etc.) where the need to protect customers’ personal data has been introduced.</p> <p>As already emphasized, the responsibility for data protection rests with the controller and the entity processing them. The key action is, therefore, the proper handling of systems using data with privacy as default assumptions.</p> <p>No matter what requirements are adopted, the method of processing and storing data, and of their proper protection, does not exclude storing them on electronic media, in paper form, or in the cloud or on servers owned by the entity. </p> <p>Customer trust in the protection of their data is crucial, due to the fact that they entrust their sales and purchase invoices, employee documents, contracts, bank statements, and many other documents relating to the transactions, to the accountancy firm, tax consultant or auditor. This means in effect that they entrust the following to these service providers:</p> <ul> <li>Information about their contractors (suppliers and recipients).</li> <li>Information about the values of their transactions.</li> </ul> <p>In the case of HR services, also:</p> <ul> <li>Data of employees (including sensitive data, e.g. sick leaves, information on the degree of disability, genetic code, addictions, sexual orientation, ethnic or racial origin, family, religion, philosophical or political views, political affiliation or relationship, court judgments, penalties, fines, etc.).</li> </ul> <p>Regardless of the fact that the documentation has been transferred to the accounting service provider, it remains the property of the operator who purchases the services. Therefore the accounting firm is considered to be the controller <br />of such personal data and it is their obligation to ensure their confidentiality. This obligation is not limited in any way by concluding an agreement on the financial and accounting services. It should be stressed at the same time that the service provider (accountant) for their part is the controller of their employees’ data.</p> <p>In accordance with the provisions of the Regulation, the controller (within the meaning of the controller of personal data) is a natural or legal person, public authority, or entity, which independently or jointly with others determines the purposes and methods of personal data processing. Where the purposes and means of such processing are specified in EU law or in the law of a Member State, <br />a controller may also either be designated within EU law or in the law of the Member State, or specific criteria for their designation may be specified [Regulation (EU) 2016/679…, art. 4 item 7].</p> <p>On this basis, it should be emphasized that the data controller is obliged, on the basis of their own experience, to assess the potential risks and to estimate which solutions will be optimal to be applied in its business. At the same time, it is incumbent upon the controller to apply technical and organizational measures ensuring the protection of the personal data processed, appropriate to the risks and categories of data covered by the protection. This applies especially to protecting data against unauthorized access, loss, damage or destruction [Szpytko-Waszczyszyn 2017].</p> <p>Accordingly, the accounting office, tax consultant or auditor has tasks determined by the rules of data protection laws. According to the latest solutions, it is in the interest of the client as a data controller to sign a contract with the accounting office concerning data entrustment. Such an agreement will ensure that the data provided (for which the controller − the client of the office – is still responsible) will be processed by the entity providing bookkeeping services with due diligence and in accordance with the provisions on personal data protection. In this way it also reserves the use of the data by the entity to which they are entrusted for purposes other than those of the accounting office to which they were provided.</p> <h2>3. GDPR in the practice of accounting offices, tax advisors and auditors</h2> <p>Professionals dealing with accounting perform many tasks, including financial accounting, management accounting, audit, taxes, finance, analysis, control, information processing processes, consulting, and financial management. The implementation of these tasks involves making decisions which, apart from the integration of the data available to them, are also influenced by the emotions, motivations and preferences of such a person, which affects the behavioral aspect <br />of accounting. This includes the role of the persons involved in the processing <br />of data from accounting operations and their relationship to the activities undertaken [Jaworska 2014].</p> <p>As noted by Birnberg and Shields, the main directions in the area of behavioral accounting are:</p> <ul> <li>management control,</li> <li>collection and processing of data in financial accounting,</li> <li>design of information systems in accounting,</li> <li>external and internal audit,</li> <li>organizational sociology [Birnberg, Shields 1989].</li> </ul> <p>Undoubtedly all these issues fall within the area of the activities of persons employed in accounting offices, tax consultancy and audit, and are a derivative <br />of their decisions and behavior.</p> <p>Due to the collection and processing of large amounts of personal and financial data, accountancy offices are subject to the obligations arising from the provisions <br />of the GDPR, regardless of the fact that the data controllers are the offices’ customers.</p> <p>For its part, the accounting office is, as has already been emphasized, the controller of its employees’ data and also an entity processing the data of its customers in the course of servicing the processes entrusted to it. In such a situation the processing of personal data must, as a rule, take place on the basis of a written agreement. The agreement is based on the provisions of the Regulation, pointing out the need for close cooperation between the controller of personal data and the entity processing them [Trzpioła 2018].</p> <p>The basis of the service provider’s obligation is to secure the data received <br />in formal and technical terms. On this basis, it should be emphasized that when taking over and collecting data sets, the office is obliged to conclude an agreement with the customer confirming the status of data processing rights. Such an agreement will ensure that the data provided, for which the controller − the client of the accounting firm − is still responsible, will be processed by the entity providing bookkeeping services with due diligence and in accordance with the provisions on personal data protection. Thus, the client of the office (data controller) should use only the services of such processors, which provide sufficient guarantees for the implementation <br />of the technical and organizational measures required by the GDPR.</p> <p>Ensuring the reliability of accounting offices as to the principles of implementing the requirements of the GDPR can be achieved thanks to numerous recent training courses for employees in this area, which are conducive to its proper implementation. In particular, law firms which examine the scope of activities of their clients and prepare guidelines for the proper application of the GDPR requirements, specialize in the implementation of training and consultancy. They also develop specific agreements on data entrustment, which should define, among other things, the scope of data processing activities. The following are considered to be important:</p> <ul> <li>name and surname of the employee serving a specific customer or name and contact details of the processor(s),</li> <li>the data of each controller (customer of the office) on whose behalf <br />the accountancy office processing their data acts and, where applicable, <br />the representative of the controller or processor,</li> <li>the Data Protection Officer’s information,</li> <li>the classification of the categories of processing carried out on behalf of each controller,</li> <li>information about the transfer of personal data to a third country or an international organization if such will be the case (including the name of that third country <br />or international organization),</li> <li>a description of the technical and organizational security measures applied in the course of data processing.</li> </ul> <p>As can be seen from the above, the proper implementation of the law requires detailed analysis of the data processing procedures and their basis, rules and security measures applied by those responsible.</p> <p>As regards the first issue, i.e. the data processing itself, it is important <br />to determine in which processes personal data are involved, whether they have been collected by the processors’ own effort or entrusted to them by the client, what the data are and whether there are sensitive data among them. It is also important to recognize the basis for processing the data, the purposes they serve and the processes they concern, as well as the time of their processing. The data processing itself is subject to analysis from the point of view of, among others, their transfer <br />to other entities (e.g. ZUS, US, GUS, etc.), the client’s consent, and their awareness in this respect. Moreover, in some situations where, for example, data are entrusted to another entity for the purpose of processing, such a fact should be indicated.</p> <p>The principles underlying the data processing itself include designating the specific person or persons responsible for handling access requests, and clearing <br />the procedures to be followed in the event of such requests. It is important to appoint a data protection coordinator in the company and to verify data compliance. He or she should also be able to provide answers in the event of questions about the legitimacy of the inclusion of specific data when the customer expresses doubt as to the need for such a wide range of information that the accounting office expects about him or her. In addition, rules should be drawn up for the formal revision <br />of data by the coordinator, and other staff should be made aware of the coordinator’s role and the need for cooperation with them. It is also important that those whose data are collected and processed are aware of this fact without raising unnecessary suspicion.</p> <p>From the point of view of the use of data collection systems, it is important <br />to adopt procedures to clear databases from unnecessary, outdated or customer-related data when the purpose for which they were collected has been achieved. It is also important to check the correctness of the maintained data, including their timeliness, with particular emphasis on sensitive data.</p> <p>In the context of the measures for the protection of personal data, it is necessary to mention the protection of access to data only for authorized persons and at the same time to prevent unauthorized access. This applies to staff training as well as to the use of computer hardware and other physical security measures.</p> <p>In the case of the accounting office staff, they should be familiar with the regulations of the GDPR, securing data in the IT system and the obligation <br />of confidentiality. From the point of view of the equipment used, one should analyze server security, the use of wireless desktops, business computers in a local network or connected to the Internet, for example, used a LAN, MAN, etc., followed by <br />an analysis of whether it is a private, protected or public network. In addition, there are important network protection systems, antiviruses, and anti-spyware. Computers should be password protected, passwords often changed and sometimes encrypted. One can also use automatic logout in case of interruptions.</p> <p>Data entrustment agreements should also include clauses on the acceptance <br />of the persons to whom the data will be ‘sub-contracted’ (e.g. an office to <br />a company providing IT services), the possibility of controlling or inspecting the accounting office, the determination of the time − usually very short − within which <br />the customer is to be notified of a possible incident of a personal data breach, and other measures to promote the security of data collection, processing and storage [https://www.rp.pl].</p> <p>E. Szczepankiewicz conducted some research into ways of securing IT resources in Polish business entities and pointed to two hypotheses which she later confirmed, namely that the level of IT security of accounting resources in different groups <br />of entities may differ significantly, although all entities should apply the requirements of the Accounting Act in the same way. She also determined that, in this respect, the differences identified may be due to the impact of additional sector-specific regulations and due the fact that in the private sector, only accounting offices and audit firms comply more stringently than other small and medium-sized enterprises with the rules on the security of IT resources. It also stressed that theoretical models should be developed to enable effective methods and tools to be applied and appropriate legislative initiatives to be taken [Szczepankiewicz 2018].</p> <p>Regarding the physical security features, it is worth mentioning the place <br />of storing computers and documents kept in a paper version. It will be important to protect the access to the rooms from unauthorized persons, so the rooms should be locked with a key. This also applies to the cabinets used in them. In the case <br />of documents which need to be destroyed, an office shredder should be used. For full security, the accounting office should also be equipped with fire-fighting measures such as smoke detectors and fire extinguishers. It is important for the company <br />to appoint a person responsible for the security system used.</p> <p>The above-mentioned methods of securing personal data do not exhaust the full scope of protection, but are to be the direction of actions that should be taken in the nearest future in accounting offices and other entities providing services within <br />the broadly understood accounting. In particular, tax advisors and auditors should be mentioned here.</p> <p>Therefore, as mentioned above, the entities to which the new rules apply also include advisory firms, including tax advisors and auditors. GDPR does not provide exemptions in this regard.&#160;On this basis, Resolution No. 93/2018 V National Council of Tax Advisers of 14 January 2018 on the authority of the National Council of Tax Consultants in the development, approval and adoption of the Approved Code <br />of Practice of the National Chamber of Tax Advisors on the protection of personal data was introduced<a id="footnote-32917-2-backlink" href="#footnote-32917-2">2</a>. At the same time, the National Council of Tax Advisers was obliged to carry out information activities in a manner ensuring that the members of the Chamber adjust the provisions of the Code of Conduct until 25 May 2018, and appointed the Council to develop a Code of Conduct (KIDP) with regard to personal data.&#160;The effect of the activities in this area is the booklet prepared for the informant of tax advisors, Ochrona danych osobowych przez doradcę podatkowego po wejściu w życie RODO (The protection of personal data by tax advisors after the introduction of GDPR) which includes: </p> <ol> <li>information on the processing of data in terms of the GDPR,</li> <li>a description of key information obligations and personal data security, <br />to which tax advisors will be obliged to comply,</li> <li>specimens of statements and documents adapted to the specificity of the tax adviser’s activity [Booklet 2018]. </li> </ol> <p>A similar situation also applies to the activities of auditors who, for the purposes of financial statements, use information from audited entities, where data controllers own the data. In order to ensure the protection of personal data, the State Chamber of Statutory Auditors (PIBR) issued a relevant Note 36/2018 in which it included three annexes relating to this issue:</p> <ol> <li>a specimen audit contract, which may apply to future contracts, including provisions on the rights and obligations of the parties to the contract arising from the GDPR,</li> <li>a specimen of an entrustment agreement that may apply to ongoing audit contracts,</li> <li>guidelines for an exemplary study contract and an exemplary entrustment agreement with regard to the provisions concerning the processing of personal data.</li> </ol> <p>The purpose of the Note is to support the activities of the auditors by, inter alia, developing a sample audit agreement, as set out in Annex 1. In the opinion of the National Council of Statutory Auditors (KRBR), this agreement should be treated only as a proposal to be used, as the Civil Code expresses the principle <br />of “freedom of contract” without imposing their final content and form. Thus, each contract concluded should be adjusted to the specificity and conditions of the order received by the auditor and also take into account the requirements of the National Audit Standard (KSB) 210, which are<a id="footnote-32917-3-backlink" href="#footnote-32917-3">3</a>:</p> <ol> <li>the purpose and scope of the study,</li> <li>the responsibility of the statutory auditor,</li> <li>management responsibility,</li> <li>an indication of the applicable financial reporting framework assumptions used in the preparation of financial statements,</li> <li>a reference to the expected form and content of any reports to be issued by <br />the statutory auditor and a statement that there may be circumstances that may cause the report to differ from the expected form and content. </li> </ol> <p>The sample agreement also includes issues related to the rights and obligations of the parties to the agreements resulting from the implementation of the obligations of the GDPR, in particular with regard to newly concluded agreements.</p> <p>The second Annex shows the principles favoring the application of the GDPR in already concluded contracts. They are organized by model (example) agreement for “Entrusting personal data”. It may be concluded as a separate (supplementary) agreement from the audit agreement, regulating the processing of personal data. Moreover, the KRBR stressed that there is no need to conclude such agreements <br />in relation to orders already completed.</p> <p>Annex 3 to this Note contains detailed guidelines to complement the sample agreement and the sample entrustment agreement with regard to the provisions concerning the processing of personal data [Komunikat nr 36/2018…].</p> <p>Violation of the GDPR has significant financial consequences. If the entity obliged to protect personal data is in breach, the entrepreneur has 72 hours to report the breach to the Office of Personal Data Protection − UODO (formerly GIODO). During the analysis and qualification of a specific violation, the effects that it may have on the individual(s) by undermining his or her (their) personal freedom shall be assessed [https://pomoc.mojebiuro24.pl]. On this basis, a financial penalty is charged, which involves an amount of up to 20 million or 4% of the annual worldwide turnover of the company, whichever is the higher.</p> <h2>4. Conclusions</h2> <p>The issue of protection of information and personal data has been known for many years, but has never before been the subject of such protection. Today’s situation is <br />a result of, among other things, the globalization of the economy and, consequently, the flow of data with the use of the latest technologies. Protecting sensitive data by those responsible, who undoubtedly include the professionals connected with business bookkeeping.</p> <p>The conclusion formulated against the background of these considerations is that the problem of personal data protection has been taken up widely among institutions and service providers in the field of accounting (including consultancy and audit), which indicates an understanding of the need for personal data protection in the modern economy. This confirms the hypothesis that the passage of time has <br />a significant impact on the understanding of the need to implement GDPR solutions.</p> <p>Therefore, one can also point to the link between the behavioral accounting approach, where the behavior of decision-makers and persons performing certain tasks is analyzed, and the information generated by accounting and its procedures [Artieniewicz 2013].</p> <p>Submitting a statement that the accounting office meets the requirements <br />of the GDPR, in many cases becomes the basis for concluding a contract with the customer, and at the same time, the failure to comply with the recommendations <br />of the Act in this respect may result in the risk of a fine being imposed by <br />a supervisory authority and may lead to the loss of both current and future customers. The author’s significant contribution to the research issue is the presentation of the key points of agreements (and discussion of their terms) that should be brought <br />to the attention of parties in order to avoid misunderstandings and additionally, <br />the way in which they should be implemented in order to adapt to the different actors in the field of accounting. The article may also be helpful in developing new contracts or correcting existing ones. The analysis of the existing regulations and the conclusions drawn from it will allow for proper the implementation of new solutions. This results from the author’s research that the correct implementation of the GDPR solutions is therefore no longer seen as an additional complication and obligation, threatened with penalties in the event of non-compliance, but particularly as an opportunity to gain additional customers by assuring them of the complete reliability of the service provider with regard to the data entrusted to them.</p> <p xml:lang="en-US">References</p> <p>Artieniewicz N., 2013, Rachunkowość behawioralna jako interdyscyplinarny nurt rachunkowości <br />i społecznych nauk o zachowaniu, Zeszyty Teoretyczne Rachunkowości, t. 71 (127), SKwP, Warszawa, pp. 7-23.</p> <p>Artieniewicz N., 2018, Rachunkowość behavioralna, CeDeWu, Warszawa.</p> <p>Birnberg J.G., Shields J.F., 1989, Three decades of behavioral accounting research. A search for order, Behavioral Research in Accounting, vol. 1, pp. 23-74.</p> <p>Booklet, 2018, Ochrona danych osobowych przez doradcę podatkowego po wejściu w życie RODO, prepared by the Commission on the drafting of the Code of Conduct of the National Chamber <br />of Tax Advisers in the field of personal data, Warsaw, April 20.</p> <p><a href="https://pomoc.mojebiuro24.pl/-rodo-w-biurze-rachunkowym-jak-sie-przygotowac"><span>https://pomoc.mojebiuro24.pl/-rodo-w-biurze-rachunkowym-jak-sie-przygotowac</span></a><span> </span>(accessed 10.11.2018).</p> <p><a href="https://www.rp.pl/Rachunkowosc/305099990-RODO-obowiazki-biur-rachunkowych-jako-administratorow-danych-osobowych.html"><span>https://www.rp.pl/Rachunkowosc/305099990-RODO-obowiazki-biur-rachunkowych-jako-administratorow-danych-osobowych.html </span></a>(accessed 10.11.2018).</p> <p>Jaworska E., 2014, Perspektywa behawioralna w rachunkowości w świetle wybranych teorii psychologii motywacji, Zeszyty Naukowe Uniwersytetu Szczecińskiego, nr 830, Finanse, Rynki Finansowe, Ubezpieczenia nr 70, pp. 49-58.</p> <p>Komunikat nr 36/2018 Krajowej Rady Biegłych Rewidentów z dnia 5 czerwca 2018 r. w sprawie przyjęcia przykładowej umowy o przeprowadzenie badania ustawowego sprawozdania finansowego.</p> <p>Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).</p> <p>Resolution No. 93/2018 V National Congress of Tax Advisers of 14 January 2018 On the authority <br />of the National Council of Tax Consultants in the development, approval and adoption of the Approved Code of Practice of the National Chamber of Tax Advisors on the protection of personal data.</p> <p>Szczepankiewicz E.I., 2018, Zarządzanie bezpieczeństwem zasobów informatycznych rachunkowości w polskich jednostkach – wyniki badań, <a href="http://cejsh.icm.edu.pl/cejsh/element/bwmeta1.element.cejsh-9d333a0e-46f2-4a13-a4e0-43fa160aac0b"><span>Zeszyty Teoretyczne Rachunkowości</span></a><span>, </span>nr <a href="http://cejsh.icm.edu.pl/cejsh/element/bwmeta1.element.desklight-3ab8d513-8f65-4c9e-8b9d-16f7e0b1c0bb"><span>97(153)</span></a>, <br />pp. 115-138.</p> <p>Szpytko-Waszczyszyn E., 2017, Umowa powierzenia przetwarzania danych osobowych w biurze ra- chunkowym, <a href="https://poradnikprzedsiebiorcy.pl/-umowa-powierzenia-przetwarzania-danych-osobowych-w-biurze-rachunkowym"><span>https://poradnikprzedsiebiorcy.pl/-umowa-powierzenia-przetwarzania-danych-oso-<br />bowych-w-biurze-rachunkowym</span></a> (accessed 16.05.2018).</p> <p>The Act of 10 May 2018 on Personal Data Protection, 2018 (Journal of Law 2018, item 1000).</p> <p>Trzpioła K., 2018, RODO w księgowości i w biurze rachunkowym – sprawdź, jak przygotować się na nowe przepisy, <a href="https://www.portalfk.pl"><span>https://www.portalfk.pl</span></a> (accessed 16.05.2018).</p> <p><a href="http://www.pibr.org.pl"><span> www.pibr.org.pl </span></a>(accessed 14.06.2018).</p> <p xml:lang="en-US"></p> <p xml:lang="en-US">OCHRONA DANYCH OSOBOWYCH W SYSTEMIE WSPÓŁCZESNEJ RACHUNKOWOŚCI W KONTEKŚCIE IMPLEMENTACJI ROZPORZĄDZENIA PARLAMENTU EUROPEJSKIEGO I RADY (UE) 2016/679 Z DNIA 27 KWIETNIA 2016</p> <p xml:lang="en-GB"><span>Streszczenie:</span> Artykuł jest próbą analizy obowiązujących rozwiązań w zakresie ochrony danych osobowych. Analizie poddano materiały szkoleniowe oraz doradcze przygotowane na wskazany temat przez liczne kancelarie prawne (32) służące pomocą w prawidłowym wyjaśnieniu, zrozumieniu i we wdrażaniu nowo wprowadzanych obowiązków w zakresie ochrony danych osobowych. Autorka przeprowadziła pilotażowe wywiady w biurach rachunkowych (17) dotyczące ochrony danych osobowych, mające wskazać na podejście usługodawców do zadań z zakresu ochrony danych osobowych. Wśród kluczowych ustaleń będących pochodną prowadzonych badań zauważalny jest wzrost zainteresowania stron zawieranych umów zagadnieniami ochrony danych, a także prezentacja ich atutów oraz ewentualnych problemów w zastosowaniu w praktyce. Istotnym wkładem autorki w omawiane zagadnienie jest także prezentacja kluczowych punktów umów, na które powinny zwrócić uwagę strony w celu uniknięcia nieporozumień.</p> <p>Słowa kluczowe: rachunkowość, usługi księgowe, ochrona danych, zachowania usługodawców,</p> <div class="footnotes"> <div> <p><a id="footnote-32917-1" href="#footnote-32917-1-backlink">1</a><span class="char-style-override-1">&#9;</span>Hereinafter referred to as the Regulation.</p> </div> <div> <p><a id="footnote-32917-2" href="#footnote-32917-2-backlink">2</a><span class="char-style-override-1">&#9;</span>Resolution No. 93/2018 V National Congress of Tax Advisers of 14 January 2018. On the authority of the National Council of Tax Consultants for the development, approval and adoption of the Approved Code of Practice of the National Chamber of Tax Advisors on the protection of personal data.</p> </div> <div> <p><a id="footnote-32917-3" href="#footnote-32917-3-backlink">3</a><span class="char-style-override-1"> </span>Currently, following the implementation of the MSB, KSB 210 includes the provisions concerning KSRF (National Standard on Auditing) 210 Agreeing on the terms of the audit engagement, which refers to the auditor’s liability for agreeing on the terms of the audit engagement with the management (and − if justified − the persons responsible for supervision), i.e. the audit agreement [<a><span>www.pibr.org.pl]. </span></a></p> </div> </div>