
Privacy policy

1.1 This Personal Data Protection Policy of GGS IT CONSULTING Sp. z o. o. (formerly: GGS Go Global Services Sp. z o.o. Sp. k.) is established in pursuit of the requirement of accountability, based on Article 5(2) in connection with Article 5(1)(c), (d) and (e), as well as in connection with Article 6(1)(f), Articles 15-21, Article 24(1), Article 33 and Articles 35-37 of the GDPR, and taking into account the documents issued by the Article 29 Working Party, specifically:

  • 1.1.1 Guidelines on transparency under Regulation 2016/679,
  • 1.1.2 Guidelines on Personal data breach notification under Regulation 2016/679,
  • 1.1.3 Guidelines on Consent under Regulation 2016/679,
  • 1.1.4 Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679,
  • 1.1.5 Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk" for the purposes of Regulation 2016/679,
  • 1.1.6 Guidelines on Data Protection Officers ('DPOs'),
  • 1.1.7 Opinion 2/2017 on data processing at work.

2. Definitions

Whenever the following expressions appear in the personal data processing documentation applicable to GGS IT CONSULTING Sp. z o. o. (formerly: GGS Go Global Services Sp. z o.o. Sp. k.), they shall have the meaning given below (unless the document expressly indicates otherwise):

2.1 Personal data - means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

2.2 Processing of personal data - means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, deleting or destroying.

2.3 Personal data set - means a structured set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed.

2.4 GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, p. 1).

2.5 Register - a register of data processing activities, maintained in accordance with Article 30(1) of the GDPR, and a register of all categories of processing activities performed on behalf of the controller, maintained in accordance with Article 30(2) of the GDPR. Both registers are contained in a single document.

2.6 GGS - GGS IT CONSULTING Sp. z o. o. (formerly: GGS Go Global Services Sp. z o.o. Sp. k.) with its registered office in Krakow (address: ul. Cystersów 13A/3, 31-553 Krakow), entered in the Register of Entrepreneurs of the National Court Register under number 0000752698, NIP: 9452190015, REGON: 363572070, acting as a controller of personal data within the meaning of Article 4(7) of the GDPR (i.e. an entity which alone or jointly with others determines the purposes and means of the processing of personal data) or as a processor within the meaning of Article 4(8) of the GDPR (i.e. an entity which processes personal data on behalf of the controller).

3. Principles relating to the processing of personal data (Article 5 GDPR)

Personal data at GGS shall be:

3.1 Processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").

3.1.1 The lawfulness of personal data processing is ensured by consulting a law firm in this regard. Relevant issues related to the processing of personal data are consulted with the law firm on an ongoing basis. GGS holds periodic training sessions for the GGS team on personal data protection. GGS strives to ensure the ongoing lawfulness of personal data processing, which includes periodic (no less than once every 12 months) evaluations and updates of this Personal Data Protection Policy. One of the evaluation criteria shall be compliance with any codes of conduct adopted for the industry in which GGS operates, in accordance with Article 40 et seq. of the GDPR. If necessary, the information provided to data subjects shall also be promptly updated in accordance with Articles 13 and 14 of the GDPR. To the extent that GGS relies on consent as the legal basis for processing personal data, consents are renewed after any change in the information provided, in accordance with Article 4(11) in conjunction with recital 42 of the GDPR.

3.1.2 The legal bases for processing personal data are listed in the Register.

3.1.3 The fairness and transparency of the processing of personal data are ensured through the maintenance of the Register and by providing data subjects with the information required under Articles 13, 14 and 21(4) of the GDPR. The information provided under Articles 13 and 14 of the GDPR, as well as under Article 4(11) of the GDPR, has been prepared and is updated on the basis of the Article 29 Working Party's Guidelines on transparency under Regulation 2016/679.

3.2 Collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes ("purpose limitation").

3.2.1 The purposes for which GGS processes personal data are described in the Register.

3.2.2 In the case of personal data that GGS obtains other than from the persons to whom they pertain (data of employees' relatives for social security purposes, as well as data of representatives and employees of contractors, clients and suppliers), GGS has determined, in accordance with Article 6(4) of the GDPR, that the processing of the personal data of these persons is carried out for the same purpose for which they were originally collected. Therefore, no compatibility assessment under Article 6(4) of the GDPR is needed.

3.2.3 The information provided to these persons pursuant to Article 14 of the GDPR includes, among other things, the content of paragraph 3.2.2 above.

3.2.4 Where GGS processes personal data as a processor, GGS shall act only within the scope of the purposes and means specified by the controller of the personal data.

3.3 Adequate, appropriate and limited to what is necessary for the purposes for which they are processed ("data minimization").

3.3.1 To the extent that personal data are processed for purposes other than the fulfillment of obligations imposed by law, GGS shall review such data on a regular basis (at least once every 12 months) and, where possible, minimize them (by discontinuing collection, deletion or anonymization).

3.3.2 GGS shall not perform any operations on personal data, and shall not process any personal data, that are not necessary for the intended purposes or that would be fundamentally unfair, even on the basis of the data subject's consent (in accordance with paragraph 1 of the Article 29 Working Party's Guidelines on Consent under Regulation 2016/679 and Opinion 15/2011 on the definition of consent).

3.4 Accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate in light of the purposes for which they are processed are erased or rectified without delay ("accuracy").

3.4.1 GGS processes personal data on an ongoing basis, so they are updated and corrected in the course of that processing.

3.5 Kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data are processed ("storage limitation").

3.5.1 The retention periods for personal data are described in the Register.

3.5.2 The retention of a significant portion of the personal data of contractors and GGS employees is required by law. The remaining data concerning these persons are processed for the period (and to the extent) necessary for the performance of the contract, including claims arising from it that remain in force after the contract itself has ended (e.g. claims for payment of remuneration, recourse claims, or liquidated damages under a concluded confidentiality agreement), until the limitation period for those claims expires.

3.6 Processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures ("integrity and confidentiality").

3.6.1 A description of the technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed data is included in the Register.

4. Exercise of rights of data subjects

GGS implements the following procedures to allow for the lawful and transparent exercise of data subjects' rights:

4.1 Responding to a request for providing access to personal data made pursuant to Article 15 of the GDPR.

4.1.1 A data subject shall be entitled to obtain from GGS, as controller of personal data or as processor acting at the controller's direction, confirmation as to whether or not personal data concerning him or her are being processed and, if so, access to such data and to the information provided for by law.

4.1.2 GGS shall provide the data subject with a copy of the personal data being processed. For any further copies requested by the data subject, GGS may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless he or she indicates otherwise, the information shall be provided in a commonly used electronic form (e.g. by e-mail). The right to obtain such a copy shall not adversely affect the rights and freedoms of others.

4.1.3 The authorized person may submit the request referred to in paragraph 4.1.1 above in any form; detailed information on the possible forms of submitting such a request can be found in the relevant privacy policy.

4.1.4 GGS, after verifying that the request comes from an authorized person, so as to prevent disclosure of information to an unauthorized person, shall provide the information in the form expected by the authorized person, in particular in the same form in which the request was made.

4.2 Response to a request for rectification of personal data made pursuant to Article 16 of the GDPR.

4.2.1 The data subject shall have the right to obtain from GGS, as controller of personal data, without undue delay the rectification of inaccurate personal data concerning him/her.

4.2.2 Likewise, taking into account the purposes of the processing, the data subject shall have the right to request from GGS, as controller of personal data, the completion of incomplete personal data, including by means of providing a supplementary statement.

4.2.3 The authorized person may submit the request referred to in paragraph 4.2.1 above in any form; detailed information on the possible forms of submitting such a request can be found in the relevant privacy policy.

4.2.4 GGS, after verifying that the request comes from an authorized person, so as to prevent changes being made at the request of an unauthorized person, shall make the rectification in all systems.

4.3 Responding to a request for erasure of personal data (including the exercise of the right to be forgotten) made pursuant to Article 17 of the GDPR.

4.3.1 The data subject shall have the right to request that GGS erase personal data concerning him/her without undue delay, and GGS shall erase such personal data without undue delay if one of the grounds provided for by law applies and there is no legal basis for further processing.

4.3.2 If GGS has made the personal data available to other entities and is obliged to erase them, it shall take all available steps to inform the controllers processing the data that the data subject has requested the erasure of any links to, copies of, or replications of such personal data. Since GGS keeps a record of all entities to which it makes personal data available, these entities will be informed promptly.

4.3.3 The authorized person may submit the request referred to in paragraph 4.3.1 above in any form; detailed information on the possible forms of submitting such a request can be found in the relevant privacy policy.

4.3.4 GGS, after verifying that the request comes from an authorized person, so as to exclude infringement of the rights or freedoms of others, shall immediately cease processing the requester's personal data, erase all of his/her personal data from all systems and carry out the steps indicated in paragraph 4.3.2 above, in accordance with the law.

4.4 Response to a request for restriction of data processing made pursuant to Article 18 of the GDPR.

4.4.1 The data subject shall have the right to request from GGS, as controller of personal data, the restriction of processing of his/her personal data in the cases provided for by law.

4.4.2 Where processing has been restricted in accordance with the law, such personal data may, with the exception of storage, be processed by GGS only with the data subject's consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

4.4.3 Before lifting a restriction on processing, GGS shall inform the person who requested the restriction.

4.4.4 GGS shall promptly restrict the processing of the personal data of the person who made the request referred to in paragraph 4.4.1 above, having first verified that the request comes from an authorized person, so as to exclude infringement of the rights or freedoms of others.

4.4.5 The authorized person may submit the request referred to in paragraph 4.4.1 above in any form; detailed information on the possible forms of submitting such a request can be found in the relevant privacy policy.

4.5 Responding to a data portability request made pursuant to Article 20 of the GDPR.

4.5.1 GGS shall, at the request of the data subject, provide to the data subject, in a structured, commonly used and machine-readable format, the personal data concerning him/her that he/she has provided to GGS.

4.5.2 GGS shall provide the data as XML, JSON, CSV, docx or pdf files and shall not do anything to prevent the data provided pursuant to paragraph 4.5.1 above from being transmitted to another controller by the authorized person.

4.5.3 In addition, in exercising the right to data portability referred to in paragraph 4.5.1 above, GGS will, at the request of the data subject, transmit the data directly to another controller, where technically feasible.

4.5.4 The authorized person may submit the request referred to in paragraph 4.5.1 above in any form; detailed information on the possible forms of submitting such a request can be found in the relevant privacy policy.

4.5.5 GGS, after verifying that the request comes from an authorized person, so as to exclude infringement of the rights or freedoms of others, shall promptly provide the requested data in accordance with paragraphs 4.5.1-4.5.3 above, in a manner individually agreed with the authorized person.

4.6 Responding to an objection to data processing raised pursuant to Article 21 of the GDPR.

4.6.1 If an authorized person objects to the processing of personal data concerning him/her based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions, GGS shall cease processing such data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defense of legal claims.

4.6.2 GGS shall also cease processing personal data that have been processed for direct marketing purposes (including profiling, to the extent that it is related to such direct marketing) if the data subject objects to the processing.

4.6.3 GGS shall explicitly bring the right to object referred to in paragraph 4.6.2 above to the data subject's attention, at the latest at the time of the first communication with the data subject, clearly and separately from any other information.

4.6.4 The authorized person may submit the objection referred to in paragraph 4.6.1 or 4.6.2 above in any form; detailed information on the possible forms of submitting such an objection can be found in the relevant privacy policy.

4.7 GGS shall communicate any rectification or erasure of personal data, or restriction of processing, to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Since GGS keeps a record of the recipients of the personal data, fulfilling this obligation is not expected to be problematic. In addition, GGS shall inform the data subject about those recipients if the data subject so requests.

4.8 GGS shall provide support to the person tasked with ensuring compliance with the principles and requirements of personal data protection, including the fulfillment of the obligations referred to in para. 4.1.-4.6. above. This person shall have adequate knowledge of personal data protection and shall be properly trained in this area.

4.9 The person referred to in para. 4.8. above, shall ensure on an ongoing basis that the requests of authorized persons are verified and executed in accordance with the law and internal policies.

4.10 The software used to process personal data at GGS shall provide the tools needed to meet the requirements of the GDPR, in particular for searching for personal data, modifying them, generating information for authorized persons and effectively erasing them.

4.11 All activities referred to in para. 4.1.-4.6. above shall be applied to all data carriers - both electronic (including data backups) and in the form of hard copies, processed by GGS and entities processing data for GGS (pursuant to Article 28 GDPR). Relevant contracts with entities processing personal data for GGS pursuant to Article 28 of GDPR entitle GGS to request analogous activities by these entities as well.

4.12 This section does not apply to personal data for which GGS is only a processor (pursuant to Article 28 of the GDPR). In the event of any of the requests described above, GGS shall promptly notify the controller of the personal data of the request and follow the procedure provided for in the relevant contract with that controller. In addition, where GGS acts as a processor, GGS shall, in accordance with Article 28(3)(e) of the GDPR, assist the controller as far as possible, through appropriate technical and organizational measures, in fulfilling its obligation to respond to data subjects' requests for the exercise of their rights.

5. Data breach notification (Articles 33 and 34 of the GDPR)

5.1 In applying this chapter of the Data Protection Policy, the protection of data subjects whose data is processed by GGS should always come first. For the purposes of this chapter, "employee" means a person employed by GGS, regardless of the legal basis of employment.

5.2 In accordance with the Article 29 Working Party's guidelines in the introduction to the Guidelines on Personal data breach notification under Regulation 2016/679, this chapter is divided into subsections covering the detection of a breach, limiting its scope, assessing the risk to the rights and freedoms of individuals, deciding whether to notify the supervisory authority and communicate with data subjects, and the procedure for such notification and communication.

5.3 Detection of a breach.

5.3.1 Chapter I(B)(2) of the Guidelines on Personal data breach notification under Regulation 2016/679 provides a general classification of types of personal data breaches. The Article 29 Working Party distinguishes:

  • confidentiality breach (unauthorized or accidental disclosure of, or access to, personal data),
  • integrity breach (unauthorized or accidental alteration of personal data),
  • availability breach, i.e. loss of access (unauthorized or accidental loss of access to, or destruction of, personal data).

5.3.2 GGS shall endeavor to detect a personal data breach as soon as possible after the breach. Thus:

  • personal data breaches involving intrusion into premises where personal data is processed or destruction of such premises (e.g., as a result of a fire) are immediately reported to GGS by employees or relevant services;
  • personal data breaches involving the loss (destruction, theft) of mobile electronic devices used to process personal data (laptops, phones), as well as those involving errors or negligence on the part of GGS employees (e.g., losing a USB drive containing personal data, or mistakenly sending a message containing personal data to the wrong email address) are reported immediately by the employees themselves (employees have been trained in this regard);
  • personal data breaches involving failure of personal data processing software or access to personal data by unauthorized persons (hacking attack) within the GGS IT environment are detected immediately by specialized software or by employees with appropriate qualifications;
  • breaches of personal data by entities processing personal data for GGS within the meaning of Article 28 of the GDPR are reported immediately by these entities to GGS managers or an authorized GGS employee (these entities have been obliged to do so in relevant contracts).

5.4 Limiting the scope of the breach.

5.4.1 Any GGS employee who detects a data breach shall inform his/her immediate supervisor.

5.4.2 If a data breach is detected by an employee outside working hours (including, for example, while on vacation), the obligation to inform the supervisor immediately applies without change.

5.4.3 GGS shall immediately, and no later than within 24 hours, convene a Data Breach Team. The team shall always include a member of the management board of GGS and, if possible, a representative of the law firm serving GGS.

5.4.4 GGS classifies an incident as falling into one of three categories:

  • an actual or probable data breach,
  • an information system security incident that is not a personal data protection breach,
  • another type of security incident that exposes personal data to the risk of a breach, but is not a personal data protection breach.

5.4.5 GGS shall collect all information regarding the incident and provide it immediately to the Data Breach Team. In particular, the following information shall be collected:

  • date and time of occurrence of the event and its duration,
  • date and time of detection of the event,
  • the person who detected the event,
  • description of the event,
  • the approximate number of people who may be affected by the event,
  • information on the steps already taken to minimize or reduce the impact of the event on data subjects,
  • data of persons who are aware that the event has occurred,
  • data of subcontractors (personal data processors) associated with the event.

5.4.6 GGS shall ensure that as few persons as possible within GGS have access to the information collected in accordance with paragraph 5.4.5 above.

5.4.7 Limiting the scope of a data breach includes bringing the incident to an end immediately and minimizing its scope and its impact on data subjects as quickly as possible. To this end, the Data Breach Team shall take decisions binding on GGS as soon as possible and proceed to implement them.

5.5 Assessment of the risk of violation of data subjects' rights and freedoms.

5.5.1 The Data Breach Team shall issue an opinion as to whether an event constitutes a personal data breach. For this purpose, the Data Breach Team shall rely primarily on the guidelines of the Article 29 Working Party contained, inter alia, in Annex B to the Guidelines on Personal data breach notification under Regulation 2016/679. The opinion shall be in writing.

5.5.2 If an event is classified as a personal data breach, the Data Breach Team shall conduct an investigation to determine:

  • whether the breach is a confidentiality, integrity or availability (loss of access) breach,
  • the categories and amount of data covered by the breach,
  • the sensitivity of the data,
  • what range of information about data subjects can be read from the personal data covered by the breach,
  • the number of people affected by the breach,
  • what type of people were affected by the breach (e.g. clients, candidates, employees),
  • existing safeguards for the data covered by the breach (e.g., data pseudonymization or carrier encryption),
  • whether the data could end up in the hands of third parties and potentially be used for illegal or other improper purposes.

5.5.3 The investigation shall be completed no later than 36 (thirty-six) hours after the discovery of the breach. The results of the investigation shall be documented in writing.

5.5.4 Taking into account the results of the investigation, the Data Breach Team shall issue a written opinion, within 60 (sixty) hours of the discovery of the breach, as to whether the personal data breach requires notification to the supervisory authority competent under Article 55 of the GDPR or communication to the data subjects.

5.5.5 In giving its opinion, the Data Breach Team shall be guided primarily by whether the breach is likely to result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage (in accordance with recital 85 of the GDPR). In addition, the Data Breach Team is guided by the Article 29 Working Party's guidelines in Chapter II(A) and (D), Chapter III(A), Chapter IV(A) and (B) and Annex B to the Guidelines on Personal data breach notification under Regulation 2016/679.

5.5.6 Whenever the Data Breach Team is in doubt as to whether a personal data breach requires notification to the supervisory authority, or is not unanimous in this regard, it shall be assumed that notification is required. In case of doubt as to whether a personal data breach requires communication to the affected persons, GGS shall follow the recommendation of the supervisory authority in this regard.

5.5.7 To the extent that the identified breach relates to personal data for which GGS is only a processor (in accordance with Article 28 of the GDPR), paragraphs 5.5.4-5.5.6 above and paragraphs 5.6 and 5.7 do not apply. In such case, GGS shall notify the controller of the breach without undue delay and follow the procedure provided for in the relevant contract with the controller.

5.6 Procedure for notifying the supervisory authority and communicating with data subjects.

5.6.1 Where a personal data breach requiring notification is determined in accordance with this Chapter, GGS shall, without undue delay and, where feasible, no later than 72 (seventy-two) hours after the discovery of the breach, notify it to the supervisory authority competent pursuant to Article 55 of the GDPR. A notification submitted to the supervisory authority after the expiry of 72 (seventy-two) hours shall be accompanied by an explanation of the reasons for the delay.

5.6.2 The breach notification shall at least:

  • describe the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;
  • contain the name and contact information of the data protection officer or the designation of another point of contact from whom more information can be obtained;
  • describe the possible consequences of the personal data breach;
  • describe the measures applied or proposed by GGS to remedy the personal data protection breach, including, if applicable, measures to minimize its possible negative consequences.

5.6.3 Where the information required under the first indent of paragraph 5.6.2 above is not available, GGS shall submit the notification with presumptive or approximate figures. In preparing the notification, the focus shall be on reversing or reducing the effects of the breach rather than on establishing exact numbers.

5.6.4 If, and to the extent that, the information cannot be provided at the same time, it may be provided in phases without undue further delay.

5.6.5 A model notification is attached as Appendix 1 to this Data Protection Policy.

5.6.6 Where it is determined in accordance with this Chapter that a personal data breach requiring communication to data subjects has occurred, GGS shall communicate the breach to the data subjects without undue delay.

5.6.7 The communication shall contain at least the following information (Article 34(2) and recital 86 of the GDPR):

  • a description of the nature of the data protection breach,
  • the name and contact information of the Data Protection Officer or the designation of another point of contact from whom more information can be obtained,
  • a description of the possible consequences of the personal data protection breach,
  • a description of the measures applied or proposed by GGS to remedy the personal data protection breach, including, if applicable, measures to minimize its possible negative effects,
  • recommendations to affected individuals on how to minimize potential adverse effects (e.g., performing password resets).

5.6.8 The communication shall be made in clear and plain language. Information shall be provided to data subjects as soon as reasonably feasible, in close cooperation with the supervisory authority and respecting guidance provided by it or by other relevant authorities, such as law enforcement. For example, the need to mitigate an immediate risk of harm will call for prompt communication to data subjects, whereas the need to implement appropriate measures against continuing or similar breaches may justify a later communication (recital 86 of the GDPR).

5.6.9 GGS shall communicate the breach directly to those affected, unless doing so would involve disproportionate effort. In such a case, a public communication or a similar measure shall be used whereby the data subjects are informed in an equally effective manner.

5.6.10 If an electronic means (e.g. e-mail or text message) is chosen for the communication, the message shall be sent separately from, and shall be clearly distinguishable from, other regularly sent standard messages (e.g. newsletters), so that it does not go unnoticed by the recipient. GGS may, where warranted, use several methods of communication simultaneously (e.g. e-mail and postal mail in parallel).

5.6.11 When the findings concerning a given event indicate that the addressees of a communication may include persons who do not speak Polish, the communication shall be made, in addition to Polish, at least in English.

5.7 GGS shall document all personal data breaches, including the circumstances of the breach, its effects and the remedial action taken. The documentation shall also cover incidents that, after the procedure provided for in this chapter, have not been classified as personal data breaches, as well as personal data breaches that have not been notified to the supervisory authority. The documentation shall include, in particular, the results of the investigation pursuant to paragraph 5.5.3 above and the opinions issued by the Data Breach Team pursuant to paragraphs 5.5.1 and 5.5.4 above. The documentation enables the supervisory authority to verify GGS's compliance with Article 33 of the GDPR. The template of the data breach report is Appendix 2 to this Data Protection Policy, and the template of the data breach register is Appendix 3 to this Data Protection Policy.

6. Procedure for amending and deleting personal data

Bearing in mind that personal data must be deleted in the event that they are no longer useful for the purpose of processing, as well as, inter alia, in the event of an effective objection or request to "be forgotten" by the data subject, as well as in the event that such a request is made to GGS by the controller entrusting GGS with data processing under Article 28 of the GDPR - the following procedure is implemented to ensure full and irreversible deletion of data:

6.1 There is a designated person at GGS whose task is to ensure that the principles and requirements of personal data protection are maintained, including fulfilling the obligation to amend or delete personal data. This person has adequate knowledge of personal data protection and is properly trained in this field.

6.2 The person referred to in para. 6.1. above, shall ensure on an ongoing basis that personal data are deleted in the event that they are no longer useful for the purpose of processing, as well as, inter alia, in the event of an effective objection or request to "be forgotten" by the data subject.

6.3 All activities referred to in para. 6. shall be applied to all data carriers - both electronic (including data backups) and in the form of hard copies - processed by GGS and by data processors for GGS (pursuant to Article 28 GDPR). Relevant contracts with entities processing personal data for GGS under Article 28 GDPR entitle GGS to request analogous activities from these entities as well.

6.4 The software used to process personal data at GGS shall have tools to meet the requirements of the GDPR, in particular with regard to searching for personal data, changing it, generating information for authorized persons and effective deletion.

7. Opinion on the existence of an obligation to appoint a Data Protection Officer, pursuant to Article 37 of the GDPR

GGS considered the existence of an obligation to appoint a Data Protection Officer and decided that it was not affected by this obligation. In making this decision, it was guided by the fact that:

7.1. GGS is not a public authority or entity.

7.2. the GGS's main activity does not consist of processing operations that by their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale.

7.3 GGS's main activity does not consist of large-scale processing of special categories of personal data, as referred to in Article 9 (1) of the GDPR, and personal data relating to convictions and violations of law, as referred to in Article 10. of the GDPR.

7.4 Detailed justification is provided in a separate document entitled "Information on the lack of obligation to appoint a Data Protection Officer under Article 37. of the GDPR".

8. Opinion on the existence of an obligation to create and conduct a risk assessment of personal data processing, pursuant to Articles 35 and 36 of the GDPR

8.1 GGS has considered the creation and conduct of an impact assessment for the processing of personal data and has concluded that it is not affected by this obligation.

8.2 In making this determination as in para. 8.3. above, it has taken into account in particular that the other operations listed in this Data Protection Policy:

8.2.1. are not operations that fall within the scope indicated in Article 35.3. of the GDPR;

8.2.2. are not operations that have been indicated by the President of the Personal Data Protection Office in the "List of types of personal data processing operations requiring an assessment of the effects of processing on the protection of personal data," which list was available in October 2022 at: http://monitorpolski.gov.pl/MP/2019/666 and https://uodo.gov.pl/424;

8.2.3. are not the operations identified by the Article 29 Work Group on pages 13 and 14 of the "Guidelines on data protection impact assessment and helping to determine whether processing is 'likely to pose a high risk' for the purposes of Regulation 2016/679" as those for which it is likely that a processing impact assessment will be required;

8.2.4. according to the Guidelines on Data Protection Impact Assessment and Helping to Determine Whether Processing "is Likely to Cause High Risk" for the Purposes of Regulation 2016/679 prepared by the Article 29 Work Group, do not meet the criteria indicated in these guidelines, that is:

8.2.4.1 Assessment or scoring, including profiling and forecasting based in particular on "aspects relating to work performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movement of the data subject" (Recitals 71 and 91). None of the operations meet this criterion.

8.2.4.2 Automatic decision-making with legal effect or similarly significant effect: processing aimed at making decisions about data subjects that produce "legal effects on the natural person" or decisions that "similarly significantly affect the natural person" (Article 35(3)(a)). None of the operations meet this criterion.

8.2.4.3 Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected via networks or as part of "large-scale systematic monitoring of publicly accessible locations" (Article 35(3)(c)). None of the operations meet this criterion.

8.2.4.4 Sensitive or highly personal data: includes special categories of personal data as defined in Article 9 (e.g., information on citizens' political views) and personal data relating to criminal convictions or violations of law as defined in Article 10 of the GDPR, as well as other sensitive data in line with the common understanding of the term, i.e., related to household and private activities or relating to the exercise of a fundamental right (e.g., location data is related to the right to freedom of movement), or data whose violation may have a clear impact on the subject's daily life (e.g., financial data that may be used for payment fraud). A portion of operations meet this criterion, including operations relating to the processing of data on the health of contractors and employees or contractors of GGS's clients, as well as GGS's employees or contractors and their family members (in the latter case, data of a highly personal nature are not processed, but only, for example, data related to health status for social security purposes on the basis of an obligation imposed on GGS by law).

8.2.4.5 Data processed on a large scale. The provisions of Regulation 2016/679 do not define the concept of large scale, but some interpretive guidance is provided by Recital 91 of the GDPR, according to which large-scale processing operations are those that process a significant amount of personal data at a regional, national or supranational level, that are likely to affect a large number of data subjects and that are likely to cause high risks. The Article 29 Work Group stressed that it is not possible to indicate a specific value, be it the size of the dataset or the number of data subjects, which would determine large scale, so several elements should be taken into account when analyzing the concept of large-scale processing: the number of data subjects, the scope of personal data processed, the area in which the data are processed, and the length of time for which they are processed. As for the criterion of the number of people whose data are processed, it can refer both to a specifically defined number and to the proportion (percentage) of the group in relation to a certain part of the population. If the data processing is purely regional, the premise of large scale will be fulfilled by the data of a smaller number of people than if it is international. The amount and scope of data processed by the controller or processor are important for assessing whether data processing meets the condition of large scale, as is the period for which the personal data will be processed: processing over a longer period of time weighs more heavily toward large scale than sporadic processing. A factor that should also be taken into account is the area in which the processing will take place - the larger the territory, the greater the amount of data that will be the basis for considering the processing to be large scale. In such a view, it should be concluded that GGS activities can meet the "large scale" criterion.

8.2.4.6 Matching or combining data sets, e.g., from two or more data processing operations carried out for different purposes or by different data controllers, in a way that goes beyond the legitimate expectations of data subjects. No operation meets this criterion.

8.2.4.7 Data relating to vulnerable data subjects: processing of this type of data is one of the criteria due to the increased power imbalance between data subjects and the data controller, which means that individuals may have difficulty consenting to or objecting to the processing of their data, or may have difficulty exercising their rights. Vulnerable data subjects may include children (they may be considered incapable of consciously and thoughtfully objecting to or consenting to data processing), employees, more vulnerable populations in need of special protection (the mentally ill, asylum seekers, the elderly, patients, etc.), and anyone in a situation where an imbalance between the position of the data subject and the position of the data controller can be established. Some of the operations meet this criterion, including operations relating to the processing of health data of GGS employees and contractors, and data provided by the GGS client in connection with services provided by GGS. The processing of personal data of GGS employees is not based on consent, and most of it is required by universally applicable labor and social security laws to protect that employee, so it is processed for the benefit of that employee - so that he or she can, for example, receive social security or pension benefits. There is no possibility of imposing anything on the employee here, because neither the employer nor the employee can change universally applicable social security requirements or universally applicable labor law standards.

8.2.4.8 Innovative use or application of new technological or organizational solutions, such as combining fingerprint and facial recognition technology to improve physical access control, etc. None of the operations meet this criterion.

8.2.4.9 When the processing itself "prevents data subjects from exercising a right or enjoying a service or contract" (Article 22 and Recital 91). This includes processing operations aimed at enabling, altering or denying data subjects' access to a service or contract. None of the operations meet this criterion.

1.1 Although the processing operations of special categories of data on employees may meet two criteria at the same time (sensitive data and vulnerable persons), after additional analysis, supported by the "Register of data processing operations" template provided by the DPA, available at: https://uodo.gov.pl/pl/123/214, the GGS considers that operations involving the processing of employees' personal data in connection with their employment, and in particular for the purpose of fulfilling the employer's obligations under the law, are not grounds for preparing an impact assessment of the processing of personal data. Similarly, some operations of processing special categories of data provided by the GGS client in connection with the services provided by GGS may meet two criteria at the same time (sensitive data and specially protected persons); after additional analysis, GGS considers that the above operations are likewise not grounds for preparing a personal data processing impact assessment (including due to the manner of securing such data and the limited access to it).

8.3 In accordance with Article 35 (1) and (11) of the GDPR and the guidelines of the Article 29 Work Group and the DPA, the GGS shall analyze the risks of processing personal data on an ongoing basis and, if necessary, prepare a processing impact assessment for the relevant operations when there is a basis for doing so, in particular:

8.3.1. prior to the start of a new processing operation - in particular, with the use of new technologies - which, due to its nature, scope, context and purposes, may cause a high risk of violation of the rights or freedoms of natural persons;

8.3.2. after the occurrence of a personal data breach;

8.3.3. after a change in the law relating to the protection of personal data, as well as the issuance of guidelines by the Article 29 Work Group or a national supervisory authority on conducting a data processing impact assessment or a processing risk assessment.