GDPR for Tax Advisors and Law Firms: Client Data Specifics
TL;DR
- BayLDA clarification 2024: Tax advisors and lawyers are independent controllers — NOT processors; no Art. 28 DPA required
- Professional secrecy under Section 203 StGB (German Criminal Code) is stricter than GDPR — breach triggers criminal charges plus a fine in parallel
- Retention: 10 years (Tax Advisor Act), 6 years (BRAO, Federal Lawyers Act); access restricted to qualified professionals and assigned staff
- DATEV, Stack-IT, Wolters Kluwer are common DE-hosted options; US hosting demands TIA plus extra caution due to confidentiality duty
- BeA (special lawyer mailbox) mandatory for German lawyers; S/MIME or PGP recommended for tax advisor-client email
1. The BayLDA Clarification 2024
The Bavarian DPA (BayLDA) and the EDPB confirm: tax advisors and lawyers act as independent controllers, not as processors. Therefore no Art. 28 GDPR data processing agreement is required when a client engages them. A standard engagement contract with a confidentiality clause suffices.
2. Professional Secrecy under Section 203 StGB
Section 203 StGB (German Criminal Code) imposes confidentiality obligations stricter than GDPR. A breach triggers criminal liability plus a parallel administrative fine under GDPR. Onboard every staff member with a Section 203 commitment in addition to the GDPR data protection obligation.
3. Client File Protection
Strict retention applies: 10 years under the StBerG (Tax Advisor Act), 6 years under the BRAO (Federal Lawyers Act). Access is restricted to qualified professionals and the staff specifically assigned to the matter. Implement role-based access in the file management system so that each matter is visible only to the professionals and staff assigned to it.
4. Cloud Software for Practices
DATEV (DE-hosted), Stack-IT, and Wolters Kluwer Anwaltssoftware dominate the DACH market. US hosting requires a Transfer Impact Assessment plus additional caution, because professional secrecy compounds the transfer risk. Avoid US tools for case files unless the client explicitly consents.
5. Email with Clients
S/MIME or PGP encryption is recommended. For German lawyers, the besonderes elektronisches Anwaltspostfach (BeA, special electronic lawyer mailbox) is mandatory for court correspondence. Document the encryption practice in the engagement letter.
6. Breach Specifics
A data breach triggers GDPR notification AND a Section 203 StGB risk in parallel. Law firms may also need to inform their bar association. Maintain a breach playbook tailored to the dual reporting regime: notification to the supervisory authority within 72 hours, with criminal exposure assessed in parallel.
Summary
Tax advisors and lawyers face a stricter regime than ordinary controllers because professional secrecy adds criminal liability on top of GDPR. The safe baseline: independent-controller engagement contract, Section 203 onboarding, DE-hosted software, encrypted client email, and a tailored breach playbook. DPO appointment is mandatory at 20+ employees with automated processing under Section 38 BDSG.
Frequently Asked Questions
Really no DPA needed?
DPO obligation?
Sources
- Regulation (EU) 2016/679 (GDPR) (as of: 2026-05-02)
- German Federal Data Protection Act (BDSG) (as of: ongoing)
- Section 147 AO (Fiscal Code) retention periods (as of: ongoing)