Privacy Policy

1. Objective

This policy outlines how Compasso Consulting s.r.o. handles personal data in accordance with applicable privacy regulations, including the GDPR. It reflects our commitment to transparency, data minimization, and responsible business practices.

2. Scope 

This policy applies to all personal data that may be encountered or collected during the course of our consulting services, website operation, and business communications. It covers both internal handling and external-facing practices.

3. Roles and Responsibilities  

All team members are responsible for respecting privacy principles and following this policy.

Our leadership team actively embeds privacy practices across our operations and ensures policies are reviewed and updated as needed to maintain compliance and relevance.

We do not process personal data on behalf of our clients. Because clients are responsible, as data controllers, for the personal data they handle, we advise them to mask all personal data in any documentation shared with us.

Data subjects may contact us regarding their rights at info@compassoconsulting.com.

4. Principles of Personal Data Handling

The following general practices apply to all employees and contractors:

  • Access to systems, applications, and data must be granted based strictly on job responsibilities on a need-to-know basis. (Principle of Least Privilege)
  • Where feasible, critical tasks shall be divided among multiple individuals to reduce the risk of unauthorized or unintentional actions. (Segregation of Duties, SoD)
  • Access to sensitive or confidential information must be limited to individuals with a clear business need. (Need-to-Know Access)

4.1 What We Collect

Source | Data Type | Purpose
--- | --- | ---
Website visitor | IP address, browser type (via cookies) | Site performance and security
Client Engagement | Name, email, job title (business contact only) | Communication and service delivery
Client Documents | Names of policy authors/reviewers (incidental) | Not processed or retained

We instruct clients to redact or mask personal data in any shared evidence artifacts.

4.2. How We Use Personal Data

We use personal data only for:

  • Communicating with clients and prospects
  • Delivering contracted services
  • Fulfilling legal obligations

We do not use personal data for profiling, marketing, or analytics.

4.3 Authentication Requirements

We have implemented both technical tools and internal policies to help keep your personal information safe from unauthorized access or misuse. As technology evolves, we will continue to review and improve these measures to make sure they stay effective and up to date.

4.4. Data Subject Rights (DSR)

While Compasso Consulting is registered in Slovakia and governed by the Office for Personal Data Protection of the Slovak Republic, we recognize and respect the rights of individuals globally under applicable data protection laws, including the GDPR.

If we hold personal data about you, you may exercise the following rights:

Right | Description
--- | ---
Access | Request a copy of your personal data
Rectification | Correct inaccurate or incomplete data
Erasure | Request deletion of your data
Restriction | Limit how your data is used
Portability | Receive your data in a structured format
Objection | Object to processing under certain conditions

To submit a request, email us at info@compassoconsulting.com. If we determine that no personal data is held or processed, we will inform you accordingly.

4.5. Data Sharing

We may share data with:

  • Subcontractors (if needed to fulfill services)
  • Service providers:
    • Microsoft Corporation (EU-based storage)
    • Hostinger International Ltd. (EU-based web hosting)

We do not sell or disclose personal data to third parties for marketing purposes.

5. Data Security

We take data protection seriously. We operate with encrypted laptops and follow strict access controls. We apply all reasonable technical and organizational measures to protect data against unauthorized access, disclosure, alteration, or destruction.

6. Data Retention

We retain personal data only as long as necessary to fulfill business, legal, or contractual obligations. We do not retain client-shared documents beyond the period agreed in our engagements and defined in our Information Security Policy.