
Data Access Agreement for Tax Advisors and Accountants

Non-binding translation
This is an informational English translation. The legally binding version is the German original.

DATA ACCESS AGREEMENT FOR TAX ADVISORS AND ACCOUNTANTS

Supplement to the Data Processing Agreement pursuant to Art. 28 GDPR

between

[Name of the tax advisory firm / accounting office]
[Address]
[Postal Code City]
[Country]
(hereinafter referred to as the "Tax Advisor / Accountant")

and

meisterwork GmbH
Rosentaler Straße 1
9020 Klagenfurt am Wörthersee
Austria
(hereinafter referred to as the "Platform Operator")

as well as

[Operator Name / Client]
[Address]
[Postal Code City]
[Country]
(hereinafter referred to as the "Client / Controller")

Preamble

The client uses the bessa software system of meisterwork GmbH and has engaged its tax advisor / accountant to handle tax and accounting tasks. To enable efficient performance of these tasks, the tax advisor / accountant is granted read-only access via the bessa platform to the data required for their activities. This agreement governs the data protection framework for that access.

1.1 Data Protection Roles

  • Client: Controller of the data processing pursuant to Art. 4 No. 7 GDPR

  • Tax Advisor / Accountant: Processor of the client pursuant to Art. 4 No. 8 GDPR

  • meisterwork GmbH: Processor of the client and technical service provider

  • The data processing by the tax advisor / accountant is based on the engagement relationship

  • Access via bessa is based on the express instruction of the client

  • Legal basis: Art. 6(1)(b) (performance of contract) and (c) (legal obligation) GDPR

2. Subject and Scope of Data Access

2.1 Purpose of Access

Data access is granted exclusively for the following tax and accounting purposes:

  • Preparation of financial accounting

  • Advance VAT returns

  • Payroll accounting and wage tax returns (where relevant)

  • Annual financial statements (balance sheet, P&L, notes)

  • Tax returns

  • Business analyses (BWA)

  • Tax advice and optimisation

  • Compliance with statutory reporting and retention obligations

2.2 Type of Access

  • Read-only access exclusively

  • No authorisation to modify data

  • No authorisation to delete data

  • No authorisation to create new records

  • Export functions only for tax-relevant data

2.3 Scope of Accessible Data

Access to:

  • Outgoing and incoming invoice data

  • Revenue data and cash books

  • Payment status (open / paid)

  • Cancellations and corrections

  • Tax-relevant master data (company data, tax numbers)

  • Export interfaces (DATEV, BMD, RZL, etc.)

  • Point-of-sale data pursuant to RKSV / KassenSichV

NO access to:

  • Detailed customer master data (only insofar as tax-relevant)

  • Marketing and customer loyalty data

  • Employee credentials

  • System configurations

  • Support communication

3. Obligations of the Tax Advisor / Accountant

3.1 Professional Confidentiality

The tax advisor / accountant is subject to the professional duty of confidentiality pursuant to:

  • § 57 StBerG (German Tax Advisor Act) for tax advisors

  • § 43 WPO (German Auditor Code) for auditors

  • § 80 WTBG (Austrian Public Accountancy Profession Act)

  • Corresponding rules for accountants and certified public accountants

3.2 Purpose Limitation

The tax advisor / accountant undertakes to:

  • Use data exclusively for the agreed tax / accounting purposes

  • Not use it for own advertising purposes

  • Not disclose it to third parties (except where legally required)

  • Not combine it with data of other clients

3.3 Technical and Organisational Measures

  • Use of secure, individual credentials

  • Activation of two-factor authentication (where available)

  • Access only from secured workstations

  • No storage of credentials in insecure systems

  • Regular password changes

  • Immediate notification in the event of suspected compromise

3.4 Data Exports and Local Processing

For exports of data from bessa:

  • Secure storage in own systems

  • Encryption of sensitive data

  • Access restricted to authorised employees

  • Deletion after expiry of statutory retention periods

  • Compliance with GoBD / BAO requirements

3.5 Employee Management

  • Commitment of all employees to data secrecy

  • Restriction of access to required employees

  • Regular data protection training

  • Documentation of access

4. Obligations of the Platform Operator (meisterwork)

4.1 Technical Provision

  • Provision of the technical access option

  • Implementation of read-only authorisations

  • Logging of all access

  • Secure data transmission (SSL/TLS)

4.2 Access Management

  • Setup only on the express instruction of the client

  • Immediate revocation upon withdrawal by the client

  • Separation of client data (multi-tenancy)

  • No unilateral expansion of rights

5. Obligations and Rights of the Client

5.1 Right to Issue Instructions

  • The client issues the instruction to grant access

  • Right to revoke at any time without giving reasons

  • Determination of the scope of accessible data

5.2 Responsibility

  • The client remains controller within the meaning of the GDPR

  • Ensures the lawfulness of the data processing

  • Informs the affected individuals about the disclosure

5.3 Control

  • Inspection of access logs

  • Verification of compliance with this agreement

6. Subprocessors

6.1 No Further Sub-processing

Without the prior written consent of the client, the tax advisor / accountant may not engage any further sub-processors with access to bessa data.

6.2 Exception: Professional Firms

For partnerships, professional partnerships or other associations of professionals, the following applies:

  • Access only for persons directly involved with the engagement

  • Same duty of confidentiality for all persons accessing

  • Documentation of the persons authorised to access

7. Notification Obligations

7.1 Personal Data Breaches

In the event of knowledge or suspicion of a personal data breach:

  • Immediate notification to the client (max. 12 hours)

  • Notification to support@bessa.app

  • Support with reporting to supervisory authorities

  • Documentation of the incident

7.2 Requests from Authorities

  • Inform the client of any requests for information from authorities

  • No unilateral disclosure of data (except where legally required)

8. Liability and Indemnification

8.1 Liability

  • Each party is liable in accordance with statutory provisions

  • The professional liability of the tax advisor remains unaffected

  • The professional indemnity insurance of the tax advisor applies

8.2 Indemnification

The tax advisor shall indemnify the platform operator against third-party claims based on a breach of this agreement by the tax advisor.

9. Termination

9.1 Termination of Access

Access automatically ends upon:

  • Termination of the engagement relationship

  • Revocation by the client

  • Termination of the bessa contract by the client

  • Material breach of this agreement

9.2 Obligations after Termination

  • Immediate cessation of any use

  • Deletion of locally stored data (except where retention is required)

  • Written confirmation of deletion upon request

10. Remuneration

Access via bessa is free of charge for the tax advisor / accountant. Remuneration for the tax / accounting services is settled directly between the client and the tax advisor.

11. Audit and Control

11.1 Evidence

The tax advisor shall, on request, provide evidence of:

  • Implemented security measures

  • Employee commitments

  • Deletions after termination

11.2 Access Logs

  • Automatic logging of all access in bessa

  • Visible to clients

  • Retention for 12 months

  • In case of issues: contact support@bessa.app

12. Final Provisions

12.1 Order of Precedence

In the event of conflicts, the following order of precedence applies:

  1. Statutory provisions (GDPR, professional law)

  2. This agreement

  3. Engagement agreement tax advisor ↔ client

  4. DPA meisterwork ↔ client

12.2 Amendments

Amendments must be made in writing and require the consent of all three parties.

12.3 Severability Clause

Should individual provisions be invalid, the validity of the remaining provisions remains unaffected.

12.4 Governing Law and Place of Jurisdiction

Austrian law applies. Place of jurisdiction is Klagenfurt am Wörthersee.


Annex 1: Technical and Organisational Measures

Minimum requirements for the tax advisor / accountant:

  1. Physical Access Control

  • Secured office premises

  • Access only for authorised persons

  2. System Access Control

  • Password-protected workstations

  • Automatic screen lock

  • Strong passwords (at least 12 characters)

  3. Data Access Control

  • Only authorised employees obtain access

  • Documentation of those authorised to access

  • Regular review

  4. Transfer Control

  • Encrypted e-mail communication for sensitive data

  • No use of insecure cloud services

  • Secure destruction of printouts

  5. Input Control

  • Read-only access in bessa

  • Changes only in own systems

  • Audit-proof archiving

  6. Order Control

  • No further sub-processing

  • Clear engagement documentation

  7. Availability Control

  • Backup of own systems

  • Antivirus and firewall

  • Regular updates

  8. Separation Requirement

  • Strict client separation

  • Separate data processing

  • No mixing of data


Annex 2: Persons Authorised to Access

At the tax advisor / accountant:

| Name | Function | Type of Access | Authorised Since |
|---|---|---|---|
| [Name] | Tax advisor | Full access (read-only) | [Date] |
| [Name] | Tax assistant | Bookkeeping | [Date] |
| [Name] | Certified accountant | Annual financial statements | [Date] |

Access rights in bessa:

Scope of authorisation:

  • ☑️ Invoice overview

  • ☑️ Cash book export

  • ☑️ Revenue analyses

  • ☑️ DATEV export

  • ☑️ Point-of-sale data

  • ☑️ Tax reports

  • ☐ Customer master data (only tax-relevant)

  • ☐ System settings

  • ☐ Employee management


Annex 3: Sample Withdrawal Declaration

To: meisterwork GmbH

Subject: Withdrawal of Access Authorisation

I hereby withdraw the access authorisation for:

Tax advisor / accountant: [Name of the firm]
Client: [Company name]
Customer number: [bessa customer number]

Access shall be revoked with immediate effect.

Date: _____________

Signature client: _____________


Annex 4: Country-Specific Requirements

Austria

  • Compliance with the Federal Fiscal Code (BAO)

  • RKSV-compliant data processing

  • Consideration of the WT-RL (public accountancy guideline)

Germany

  • Compliance with GoBD

  • KassenSichV-compliant processing

  • Consideration of the StBerG professional code

Switzerland

  • Compliance with the Ordinance on the Keeping and Storage of Books (GeBüV)

  • Consideration of cantonal regulations

  • VAT-compliant records

Italy

  • Compliance with Italian accounting regulations

  • Fatturazione elettronica requirements

  • Consideration of the Consiglio Nazionale specifications


Place, date: _______________________

For the tax advisor / accountant:


Name, position
Stamp and signature

For meisterwork GmbH:


Name, position
Signature

For the client / controller:


Name, position
Signature


The undersigned client hereby confirms:

☐ Access authorisation for the above-mentioned tax advisor / accountant is granted
☐ The data is disclosed to fulfil tax / accounting obligations
☐ The affected individuals (customers / employees) have been informed
☐ The right to withdraw at any time has been acknowledged


Date, signature client