Abissruffo

GDPR Compliance

Last updated: April 23, 2026

Our Commitment to GDPR Compliance

Abissruffo is committed to complying with the General Data Protection Regulation (GDPR) and protecting the privacy rights of individuals in the European Economic Area (EEA). This page explains how we fulfill our obligations under GDPR when processing personal data.

Data Controller Information

For the purposes of GDPR, Abissruffo acts as the data controller for personal information collected through our website and services.

Data Controller: Abissruffo
Address: 875 Wellington Street West, Suite 412, Toronto, ON M5V 3G4, Canada
Contact Email: [email protected]

Legal Basis for Processing

We process personal data only when we have a lawful basis to do so under GDPR Article 6:

1. Consent (Article 6(1)(a))

When you provide explicit consent for specific processing activities, such as receiving marketing communications or using certain website features.

2. Contract Performance (Article 6(1)(b))

Processing necessary to perform our accounting services contract with you, including:

  • Preparing tax returns and financial statements
  • Providing bookkeeping and payroll services
  • Delivering consulting and advisory services
  • Managing client relationships and communications

3. Legal Obligation (Article 6(1)(c))

Processing required to comply with legal and regulatory obligations, including:

  • Tax law compliance and reporting
  • Anti-money laundering regulations
  • Professional accounting standards
  • Record retention requirements

4. Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests, such as:

  • Improving our services and website functionality
  • Fraud prevention and security measures
  • Internal business administration
  • Direct marketing to existing clients (with opt-out option)

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right to Access (Article 15)

You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure (Article 17)

Also known as the "right to be forgotten," you may request deletion of your personal data in certain circumstances. Note that we may be required to retain certain data due to legal or professional obligations.

Right to Restriction of Processing (Article 18)

You can request that we limit the processing of your personal data in specific situations.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object (Article 21)

You may object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in the EU member state of your residence, workplace, or where an alleged infringement occurred.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us at [email protected] with the subject line "GDPR Request." Please include:

  • Your full name and contact information
  • Description of your request
  • Proof of identity (to prevent unauthorized access)
  • Any relevant details to help us locate your information

We will respond to your request within one month of receipt. In complex cases, we may extend this period by up to two additional months and will inform you of the extension.

Data Processing Activities

Categories of Personal Data We Process

  • Identity Data: Name, title, date of birth, government identification numbers
  • Contact Data: Address, email, business information
  • Financial Data: Bank account details, transaction records, tax information
  • Technical Data: IP address, browser type, device information
  • Usage Data: Website interaction data, service usage patterns
  • Communication Data: Emails, phone calls, meeting notes

Data Recipients

We may share personal data with:

  • Cloud service providers (data storage and processing)
  • Email and communication service providers
  • Government tax authorities (when required by law)
  • Professional regulatory bodies
  • Legal advisors and auditors

All third-party processors are contractually bound to protect your data in accordance with GDPR requirements.

International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions confirming recipient countries provide adequate protection
  • Binding Corporate Rules where applicable

Data Retention

We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy or as required by law. Typical retention periods include:

  • Client accounting records: Minimum 7 years (Canadian tax law requirement)
  • Engagement documentation: 7 years after service completion
  • Marketing data: Until consent is withdrawn or data is no longer relevant
  • Website analytics: 26 months maximum

Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling activities that produce legal or similarly significant effects on individuals.

Data Security Measures

We implement appropriate technical and organizational measures to ensure data security, including:

  • Encryption of data in transit and at rest
  • Access controls and authentication protocols
  • Regular security assessments and penetration testing
  • Staff training on data protection and security
  • Incident response and data breach procedures

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Notify affected individuals without undue delay if the breach poses a high risk
  • Document the breach and our response measures

Updates to GDPR Compliance

We regularly review and update our GDPR compliance practices. Changes to this page will be posted with an updated revision date. We encourage you to review this page periodically.

Contact and Questions

If you have questions about our GDPR compliance or data protection practices, please contact us:

Email: [email protected]
Subject Line: GDPR Inquiry
Address: 875 Wellington Street West, Suite 412, Toronto, ON M5V 3G4, Canada