GDPR starter kit for accountants + bookkeepers
Client financials, tax data, third-party software, anti-ML obligations, retention, cloud accounting. Layered: GDPR + Anti-ML + Tax Act.
Accountants and bookkeepers process financial data, tax data and BSN (Dutch citizen service numbers), so layered rules apply. Key aspects:

1. Retention: financial administration 7 years (Dutch Tax Act Art. 52), Anti-ML data 5 years, contract data for the duration of the contract + 7 years. Then erase; do not keep it "just in case".
2. Anti-ML (client due diligence): establish identity and report unusual transactions. BSN is not required for Anti-ML; a passport is.
3. Cloud accounting package (Twinfield, Exact, AFAS, Moneybird): sign a DPA, check where the data is stored and which sub-processors are used (often AWS/Azure).
4. Client communication: secure portal or encrypted mail. No loose Excel files with BSNs via Gmail.
5. Audit data: during an audit you often have access to more than is strictly needed; minimise what you download and retain.
6. Tax authority APIs: only via authorised routes.
7. Sub-contractors (bookkeepers working for an accountant): DPA plus a clear allocation of responsibilities.

NBA guidelines (Dutch Accountants Association) supplement the GDPR with sector-specific rules. Fines 2024-2025: few accountancy firms have been fined by the AP (the Dutch data protection authority), but several for missing DPAs with external cloud suppliers.