Information Sheet for Tax Advisors and Accountants

Non-binding translation
This is an informational English translation. The legally binding version is the German original.

Data-Protection-Compliant Use of bessa Access

1. Your Role in Data Protection

You are:

  • A processor for your client (not for meisterwork)

  • A person bound by professional confidentiality with special responsibility

  • Responsible for the secure handling of the data

You are NOT:

  • A controller within the meaning of the GDPR

  • A customer of meisterwork (that is your client)

  • Authorised to use data for other purposes

2. What You May Do

✅ PERMITTED:

  • Read access to tax-relevant data

  • Export for accounting and tax returns

  • Processing in your own systems (DATEV, BMD, etc.)

  • Analyses for business consulting

  • Archiving in accordance with statutory retention periods

❌ PROHIBITED:

  • Modifying data in bessa

  • Disclosing data to other clients

  • Using data for advertising purposes

  • Access by unauthorised employees

  • Storing data in insecure cloud services

3. Quick Start: First Steps

3.1 Before First Access:

☐ Client has commissioned access in writing
☐ DPA exists with the client
☐ Agreement on bessa access signed
☐ Employees committed and trained
☐ Two-factor authentication activated

3.2 In Daily Work:

☐ Secure login (no shared password)
☐ Screen lock during absence
☐ No screenshots containing customer data
☐ Separation of client data
☐ Secure transmission for exports

3.3 After End of Engagement:

☐ Have access revoked
☐ Delete local data (except where retention is required)
☐ Document the deletion
☐ Change password (if still used)

4. Typical Workflows

4.1 Monthly Bookkeeping

  1. Log in to bessa with personal credentials

  2. Export invoice data (PDF + CSV/DATEV)

  3. Download the cash books

  4. Log out of the system

  5. Import into accounting software

  6. Processing in your own system

4.2 VAT Pre-Registration

  1. Retrieval of the month's revenue data

  2. Verification of completeness

  3. Export of tax-relevant receipts

  4. Calculation in your own system

  5. Submission via FinanzOnline / ELSTER

4.3 Year-End Closing

  1. Full export of all annual postings

  2. Reconciliation with bank documents

  3. Verification of point-of-sale data

  4. Preparation of balance sheet and P&L

  5. Archiving in accordance with GoBD/BAO

5. Security Requirements

5.1 Password Policy

  • At least 12 characters

  • Upper / lower case letters, numbers, special characters

  • No sharing with colleagues

  • Regular change (every 90 days)

  • No writing down in insecure places

5.2 Workplace Security

  • Screen lock when leaving

  • Clean desk policy

  • Secure disposal of printouts

  • No working in public Wi-Fi networks

  • Use of VPN when working from home

5.3 Data Storage

  • Encryption of sensitive data

  • Implement a backup strategy

  • Set up access restrictions

  • No private cloud services

  • Audit-proof archiving

6. Avoiding Common Mistakes

MISTAKE 1: Shared firm password

CORRECT: Individual credentials for each employee

MISTAKE 2: Data sent via unencrypted e-mail

CORRECT: Encrypted transmission or secure portals

MISTAKE 3: Screenshots in WhatsApp to clients

CORRECT: Official analyses via secure channels

MISTAKE 4: Access after end of engagement

CORRECT: Arrange immediate revocation

MISTAKE 5: All employees have access

CORRECT: Only employees directly involved

7. Emergency Management

7.1 If You Suspect a Data Breach:

IMMEDIATELY (within 1 hour):

  1. Stop the access

  2. Inform your supervisor

  3. Begin documentation

SHORT-TERM (within 12 hours):

  1. Inform clients

  2. Contact meisterwork

  3. Determine the scope

FOLLOW-UP (within 72 hours):

  1. Support reporting to authorities

  2. Initiate measures

  3. Adjust processes

7.2 Important Contacts:

meisterwork Support:
E-mail: support@bessa.app
Tel: +43 720 317 836

Tax advisor chambers:

  • Austria: KSW

  • Germany: BStBK

  • Switzerland: EXPERTsuisse

  • Italy: CNDCEC

8.1 Relevant Laws:

  • GDPR – General Data Protection Regulation

  • StBerG – Tax Advisor Act (Germany)

  • WTBG – Public Accountancy Profession Act (Austria)

  • GoBD – Principles for the proper keeping of books (Germany)

  • BAO – Federal Fiscal Code (Austria)

8.2 Your Professional Obligations:

  • Duty of confidentiality (§ 57 StBerG / § 80 WTBG)

  • Duty of care

  • Independence

  • Conscientiousness

8.3 Penalties for Violations:

  • GDPR: Fines of up to €20 million

  • Professional law: Reprimand to professional ban

  • Civil law: Damages

  • Criminal law: For wilful violations

9. Best Practices

9.1 Monthly Routine:

  • ✅ Review access rights

  • ✅ Delete data no longer needed

  • ✅ Install security updates

  • ✅ Raise employee awareness

9.2 Annual Tasks:

  • ✅ Conduct data protection training

  • ✅ Review processes

  • ✅ Update DPA

  • ✅ Review deletion policy

9.3 On Employee Changes:

  • ✅ Withdraw / grant access

  • ✅ Have employees sign confidentiality declaration

  • ✅ Conduct training

  • ✅ Update documentation

10. Technical Tips

10.1 Efficient Use:

  • Use filter functions

  • Save standard exports

  • Use batch processing

  • Automate recurring exports

10.2 Ensuring Data Quality:

  • Check exports for completeness

  • Reconcile with bank statements

  • Verify cancellations

  • Pay attention to system messages

10.3 Integration into Your Systems:

  • Use the DATEV interface

  • Configure BMD export

  • CSV for individual solutions

  • Request API documentation

11. Checklist for Firms

Organisational:

☐ Data protection officer appointed?
☐ Records of processing activities up to date?
☐ Employee training completed?
☐ Deletion policy in place?
☐ Emergency plan prepared?

Technical:

☐ Firewall and antivirus up to date?
☐ Backup system functional?
☐ Encryption activated?
☐ Access rights documented?
☐ Two-factor auth where possible?

Legal:

☐ DPA with all clients?
☐ Adequate professional indemnity insurance?
☐ Confidentiality declarations up to date?
☐ Privacy notice on website?
☐ Register of processors?

12. FAQ

Q: Can I let an intern work with my credentials?
A: No. Everyone needs their own credentials. Request separate access for them.

Q: May I use screenshots for presentations?
A: Only with anonymised / redacted data and the client's consent.

Q: How long must I retain exports?
A: In accordance with statutory periods (usually 7-10 years), but check the specific requirements.

Q: What happens when an engagement ends?
A: Immediately request access revocation, secure data in accordance with retention obligations, delete the rest.

Q: Can I jointly analyse data from several clients?
A: Only fully anonymised and with the consent of all data subjects.

13. Download Area

The following documents are available:

  • DPA template tax advisor ↔ client

  • Employee confidentiality declaration

  • Deletion policy template

  • Records of processing activities template

  • Emergency plan template

Request via: support@bessa.app

Status: [insert date]
Version: 1.0
Next review: [date + 12 months]

Important note:
This information sheet is for orientation and does not replace legal advice. The specific implementation must be adapted to your firm. In case of uncertainty, consult a data protection expert or your professional body.