1.1 This Personal Data Protection Policy of GGS Go Global Services Sp. z o.o. Sp. k. is established in pursuit of the requirement of accountability, based on Article 5.2 in connection with Article 5.1.c., d. and e., as well as in connection with Article 6.1.f., Articles 15-21, Article 24.1, Article 33 and Articles 35-37 of the GDPR, and taking into account the documents issued by the "Article 29 Work Group" - specifically:
1.1.1. Guidelines on transparency under Regulation 2016/679, 1.1.2. Guidelines on Personal data breach notification under Regulation 2016/679, 1.1.3. Guidelines on Consent under Regulation 2016/679, 1.1.4. Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, 1.1.5. Guidelines on Data Protection Impact Assessment and helping to determine whether processing is "likely to pose a high risk" for the purposes of Regulation 2016/679, 1.1.6 Guidelines on Data Protection Officers ('DPOs'), 1.1.7 Opinion 2/2017 on data processing in the workplace.
Whenever in the personal data processing documentation applicable to GGS Go Global Services Sp. z o.o. Sp. k. the following expressions appear should be given the meaning given below (unless the document directly indicates the contrary):
2.1 Personal data - means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
2.2 Processing of personal data - means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collection, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, deleting or destroying.
2.3 Personal data set - means a structured set of personal data accessible according to specific criteria, regardless of whether the set is centralized, decentralized or functionally or geographically dispersed.
2.4 GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) dated April 27, 2016. (OJ.L No. 119, p. 1).
2.5 Register - a register of data processing activities, maintained in accordance with Article 30(1) of the GDPR, and a register of all categories of processing activities performed on behalf of the controller, maintained in accordance with Article 30(2) of the GDPR. Both registers are contained in a single document.
2.6. GGS - GGS Go Global Services spółka z ograniczoną odpowiedzialnością sp. k. with its registered office in Krakow (address: ul. Cystersów 13A/3, 31-553 Krakow, entered in the Register of Entrepreneurs of the National Court Register under number: 0000752698, identifying itself with NIP number: 9452190015 and REGON number: 363572070, being a controller of personal data within the meaning of Article 4(7) GDPR (i.e. an entity independently or jointly determining the purposes and means of processing personal data) or a processor within the meaning of Article 4(8) GDPR (i.e. an entity processing personal data on behalf of the controller of personal data).
Personal data at GGS shall be: 3.1 __Processed lawfully, fairly and transparently to the data subject ("lawfulness, fairness and transparency"). __
3.1.1 The lawfulness of personal data processing is ensured by consulting a law firm in this regard. Relevant issues related to the processing of personal data are consulted with the law firm on an ongoing basis. GGS will hold periodic training sessions for the GGS team on personal data protection. GGS strives to ensure the ongoing legality of personal data processing. This includes periodic (done no less than once every 12 months) evaluations and updates of this Personal Data Protection Policy. One of the evaluation criteria should be compliance with any codes of conduct adopted for the industry in which it operates, in accordance with Article 40 et seq. GDPR. If necessary, the information provided to data subjects shall also be promptly updated in accordance with Articles 13 and 14 of the GDPR. To the extent that GGS relies on consent as the legal basis for processing personal data - consents are subject to renewal after any change in the information provided in accordance with Article 4 para. 11 in conjunction with recital 42 of the GDPR. 3.1.2 The legal bases for processing personal data are listed in the Register. 3.1.3 The integrity and transparency of the processing of personal data has been guaranteed through the implementation of the Registry and by providing data subjects with the information required under Articles 13, 14 and 21(4) of the GDPR. The information provided under Articles 13 and 14 of the GDPR, as well as Article 4(11) of the GDPR, has been prepared and is updated based on the Article 29 Work Group's Guidelines on transparency under Regulation 2016/679.
3.2 Collected for specific, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes ("purpose limitation").
3.2.1 The purposes for which GGS processes personal data are described in the Register. 3.2.2 In the case of personal data obtained by GGS not from the persons to whom it pertains (data of relatives of employees for social security, as well as data of representatives and employees of contractors, clients and suppliers) - in accordance with Article 6(4) of the GDPR GGS, has determined that the processing of personal data of these recipients is carried out for the same purpose for which they were originally collected. Therefore, there is no need for an assessment under Article 6(4) of the GDPR. 3.2.3 The information provided to recipients pursuant to Article 14 of the GDPR includes, among other things, the contents of paragraph 3.2.2 above. 3.2.4 In the case of processing of personal data by the Controller as a processor, the Controller shall act only within the scope of the purposes and means specified by the Controller of personal data.
3.3 Adequate, appropriate and limited to what is necessary for the purposes for which they are processed ("data minimization").
3.3.1 To the extent that personal data are processed for purposes other than the fulfillment of obligations imposed by law, GGS shall review such data on a regular basis (at least once every 12 months) and, if possible, minimize such data (by discontinuing collection, deletion, or anonymization). 3.3.2 GGS shall not perform any operations on personal data and shall not process any personal data that are not necessary for the purposes intended and in a fundamentally unfair manner, even on the basis of the data subject's consent (in accordance with the Article 29 Work Group's guidelines in paragraph 1 of the Guidelines on Consent under Regulation 2016/679 and Opinion 15/2011 on the definition of consent).
3.4 Correct and updated as necessary; take all reasonable activities to ensure that personal data that are inaccurate in light of the purposes of their processing are promptly deleted or rectified ("correctness").
3.4.1 GGS processes personal data on a regular basis, so they are updated and corrected on a regular basis.
3.5 Stored in a form that allows identification of the data subject for no longer than necessary for the purposes for which the data are processed ("retention limitation").
3.5.1 The retention periods for personal data are described in the Register. 3.5.2 The retention of a significant portion of the personal data of contractors and GGS employees is due to legal regulations. The remaining data concerning these persons are processed for the period (and to the extent) necessary for the performance of the contract, including claims arising therefrom, remaining in force even after the expiration of the contract itself (e.g., for payment of remuneration, recourse claims, liquidated damages, related to the concluded confidentiality agreement), until the expiration of the statute of limitations for these claims.
3.6 Processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organizational measures ("integrity and confidentiality").
3.6.1 A description of the technical and organizational measures necessary to ensure confidentiality, integrity and accountability of the processed data is included in the Register.
GGS implements the following procedures to allow for the lawful and transparent realization of data subjects' rights:
4.1 Responding to a request for providing access to personal data made pursuant to Article 15 of the GDPR.
4.2 Response to a request for rectification of personal data made pursuant to Article 16 of the GDPR.
4.3 Responding to a request to cease data processing (including the exercise of the right to be forgotten) made pursuant to Article 17 of the GDPR.
4.4 Response to a request for restriction of data processing made pursuant to Article 18 of the GDPR.
4.5 Responding to a data transfer request made pursuant to Article 20 of the GDPR.
4.6 Responding to an objection to data processing raised pursuant to Article 21 of the GDPR.
4.7 GGS shall notify rectification or deletion of personal data, or restriction of processing, to each recipient to whom personal data have been disclosed, unless this proves impossible or will require disproportionate effort. At the same time, due to the fact that GGS knows the recipients of the personal data, the above information obligation should not be problematic. In addition, GGS shall inform the data subject of these recipients if the data subject so requests.
4.8 GGS shall provide support to the person tasked with ensuring compliance with the principles and requirements of personal data protection, including the fulfillment of the obligations referred to in para. 4.1.-4.6. above. This person shall have adequate knowledge of personal data protection and shall be properly trained in this area.
4.9 The person referred to in para. 4.8. above, shall ensure on an ongoing basis that the requests of authorized persons are verified and executed in accordance with the law and internal policies.
4.10. The software used to process personal data at GGS shall have tools to meet the requirements of the GDPR, in particular with regard to searching for personal data, changing it, generating information for authorized persons and effective deletion.
4.11 All activities referred to in para. 4.1.-4.6. above shall be applied to all data carriers - both electronic (including data backups) and in the form of hard copies, processed by GGS and entities processing data for GGS (pursuant to Article 28 GDPR). Relevant contracts with entities processing personal data for GGS pursuant to Article 28 of GDPR entitle GGS to request analogous activities by these entities as well.
4.12 To personal data for which GGS is only a processor (pursuant to Article 28 GDPR), this section shall not apply. In the event of any of the requests described above, GGS shall promptly notify the Controller of personal data of the request, and shall follow the procedure provided for in the relevant contract with the controller in question. In addition, where GGS acts as a processor, GGS shall, in accordance with Article 28(3)(e) of the GDPR, as far as possible, assist the controller through appropriate technical and organizational measures to fulfill its obligation to respond to data subjects' requests for the exercise of their rights.
5.1 In applying this chapter of the Data Protection Policy, the protection of data subjects whose data is processed by GGS should always come first. For the purposes of this chapter, "employee" means a person employed by GGS, regardless of the legal basis of employment.
5.2 In accordance with the Article 29 Work Group's guidelines in the introduction to the Guidelines on Personal data breach notification under Regulation 2016/679, the chapter is divided into subsections discussing the detection, mitigation, risk assessment of a breach of the rights and freedoms of individuals, decision-making on breach notification to the supervisory authority and notification of data subjects, and the procedure for notification and notification.
5.3 Detection of violation.
5.3.1 Chapter I(B)(2) of the Guidelines on personal data breach notification under Regulation 2016/679 provides a general classification of types of data protection breaches. Thus, the Article 29 Work Group distinguishes:
5.3.2 GGS shall endeavor to detect a personal data breach as soon as possible after the breach. Thus:
5.4 Limitation of the scope of the breach.
5.4.1 Any GGS employee who detects a data breach shall inform his/her immediate supervisor. 5.4.2 If a data breach is detected by an employee outside of working hours (including, for example, on vacation), the obligation to immediately inform the supervisor shall apply without change. 5.4.3 GGS shall immediately, but no later than within 24 hours, convene a Data Breach Investigation Team. The team shall, at all times, consist of a member of the management board of GGS Sp. z o.o. and, if possible, a representative of the law firm serving GGS. 5.4.4 GGS identifies an incident as falling into one of three categories:
5.4.5 GGS shall collect all information regarding the incident and provide it immediately to the Data Protection Breach Team. In particular, the following information shall be collected:
5.4.6 GGS shall ensure that as few persons as possible within GGS have access to the information collected in accordance with paragraph 5.4.5 above. 5.4.7 Limiting the scope of a data breach shall include immediately ending the duration of the incident and minimizing its scope and impact on data subjects as soon as possible. To this end, the Data Breach Team shall make decisions binding on GGS as soon as possible and proceed to implement them.
5.5 Assessment of the risk of violation of data subjects' rights and freedoms.
5.5.1 The Data Breach Team shall issue an opinion as to whether an event constitutes a data breach. For this purpose, the Data Breach Team shall primarily rely on the guidelines of the Article 29 Work Group contained, inter alia, in Annex B to the Guidelines on Personal data breach notification under Regulation 2016/679. The opinion shall be in writing. 5.5.2 If an event is classified as a personal data breach, the Data Breach Team shall conduct an investigation to determine:
5.5.3 The investigation shall be completed no later than 36 (thirty-six) hours after the discovery of the breach. The results of the investigation shall be documented in writing. 5.5.4 Taking into account the results of the investigation, the Data Breach Investigation Team shall issue an opinion within 60 (sixty) hours of the discovery of the breach as to whether the personal data breach requires notification to the supervisory authority competent under Article 55 of the GDPR or notification to data subjects. The opinion shall be in writing. 5.5.5. In giving its opinion, the Data Protection Breach Panel shall be guided primarily by whether the breach that has occurred is likely to result in physical harm, property damage or non-property damage to individuals, such as loss of control over their own personal data or restriction of rights, discrimination, identity theft or falsification, financial loss, unauthorized reversal of pseudonymization, damage to reputation, breach of confidentiality of personal data protected by professional secrecy, or any other significant economic or social damage (in accordance with recital 85 of the GDPR). In addition, the Data Breach Team is guided by the Article 29 Work Group's guidelines in Chapter II(A) and (D), as well as Chapter III(A) and Chapter IV(A) and (B), and Annex B to the Guidelines on Personal data breach notification under Regulation 2016/679. 5.5.6 Whenever the Data Breach Team becomes doubtful as to whether a data breach requires notification to the supervisory authority, or if it is not unanimous in this regard - it shall be assumed that notification is required. In case of doubt as to whether a data protection breach requires notification of the affected persons - GGS will absolutely follow the recommendation of the supervisory authority in this regard. 5.5.7 To the extent that the identified breach relates to personal data for which GGS is only a processor (in accordance with Article 28 of the GDPR), points. 5.5.4.-5.5.6. above as well as points. 5.6. and 5.7. do not apply. In such case, GGS shall promptly notify the controller of the breach and follow the procedure provided for in the relevant contract with the controller.
5.6 Procedure for notification and notification.
5.6.1 In the event that a reportable data breach of personal data protection is determined in accordance with this Chapter, GGS shall, without undue delay - if possible, no later than 72 (seventy-two) hours after the discovery of the breach - report it to the supervisory authority having jurisdiction pursuant to Article 55 of the GDPR. A notification submitted to the supervisory authority after the expiration of 72 (seventy-two) hours shall be accompanied by an explanation of the reasons for the delay. 5.6.2 The breach notification must at least:
5.6.3 In the event that the information required under paragraph 5.6.2. first indent above is not available, GGS shall make a notification with presumptive or approximate data. In making the notification, the focus shall be on reversing or reducing the effects of the violation, rather than on investigating exact numbers. 5.6.4 If, and to the extent that, information cannot be provided at the same time, it may be provided successively without undue delay. 5.6.5 A model notification is attached as Appendix No. 1 to this Data Protection Policy. 5.6.6 In the event that it is determined in accordance with this Chapter that a personal data protection breach requiring notification of data subjects has occurred - GGS shall immediately notify such data subjects. 5.6.7 The notification shall contain at least the following information (Article 34(2) of the GDPR and Recital 86. of the GDPR):
5.6.8 The notification shall be made in clear and simple language. Information shall be provided to data subjects as soon as reasonably practicable, in close cooperation with the supervisory authority, respecting guidance provided by the supervisory authority or other relevant authorities, such as law enforcement. For example, the need to minimize the immediate risk of harm will require immediate notification of data subjects, while the implementation of appropriate measures against the same or similar data breaches may justify later notification (Recital 86 of the GDPR). 5.6.9 The GGS shall notify those affected by a data protection breach directly, unless doing so would require a disproportionate effort. In such a case, a public notice shall be issued or a similar means shall be used by which data subjects are informed in an equally effective manner. 5.6.10 If an electronic means (e.g., email or text message) is chosen for notification, such message shall be sent separately (and shall be distinctly different) from other regularly sent standard messages (e.g., newsletters). This is to ensure that the notice does not go unnoticed by the recipient. GGS may, if warranted, decide to use several methods of notification simultaneously (e.g., via email and snail mail in parallel). 5.6.11 When the findings of a given event indicate that the addressees of a notice may be persons who do not speak Polish, any such notice shall be made - in addition to Polish - at least in English.
5.7 The GGS shall document all data protection breaches, including the circumstances of the data protection breach, its consequences, and the remedial actions taken. The documentation shall also include incidents that have not been classified as personal data protection violations after the procedure provided for in this chapter, as well as such personal data protection violations that have not been reported to the supervisory authority. The documentation shall include, in particular, the results of the investigation pursuant to paragraph 5.5.3. above, as well as the opinions issued by the Data Protection Breach Investigation Team pursuant to paragraphs 5.5.1. and 5.5.4. above. The documentation allows the supervisory authority to verify GGS's compliance with Article 33 of the GDPR. The template of the data breach report is Appendix 2 to this Data Protection Policy, and the template of the data breach records is Appendix 3 to this Data Protection Policy.
Bearing in mind that personal data must be deleted in the event that they are no longer useful for the purpose of processing, as well as, inter alia, in the event of an effective objection or request to "be forgotten" by the data subject, as well as in the event that such a request is made to GGS by the controller entrusting GGS with data processing under Article 28 of the GDPR - the following procedure is implemented to ensure full and irreversible deletion of data:
6.1 There is a designated person at GGS whose task is to ensure that the principles and requirements of personal data protection are maintained, including fulfilling the obligation to amend or delete personal data. This person has adequate knowledge of personal data protection and is properly trained in this field.
6.2 The person referred to in para. 6.1. above, shall ensure on an ongoing basis that personal data are deleted in the event that they are no longer useful for the purpose of processing, as well as, inter alia, in the event of an effective objection or request to "be forgotten" by the data subject.
6.3 All activities referred to in para. 6. shall be applied to all data carriers - both electronic (including data backups) and in the form of hard copies, processed by GGS and data processors for GGS (pursuant to Article 28 GDPR). Relevant contracts with entities processing personal data for GGS under Article 28 GDPR entitle GGS to request analogous activities from these entities as well. 6.4 The software used to process personal data at GGS shall have tools to meet the requirements of GDPR, in particular with regard to searching for personal data, changing it, generating information for authorized persons and effective deletion.
GGS considered the existence of an obligation to appoint a Data Protection Officer and decided that it was not affected by this obligation. In making this decision, it was guided by the fact that:
7.1. GGS is not a public authority or entity.
7.2. the GGS's main activity does not consist of processing operations that by their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale.
7.3 GGS's main activity does not consist of large-scale processing of special categories of personal data, as referred to in Article 9 (1) of the GDPR, and personal data relating to convictions and violations of law, as referred to in Article 10. of the GDPR.
7.4 Detailed justification is provided in a separate document entitled "Information on the lack of obligation to appoint a Data Protection Officer under Article 37. of the GDPR".
8.1 GGS has considered the creation and conduct of an impact assessment for the processing of personal data and has concluded that it is not affected by this obligation.
8.2 In making this determination as in para. 8.3. above, it has taken into account in particular that the other operations listed in this Data Protection Policy:
8.2.1. are not operations that fall within the scope indicated in Article 35.3. of the GDPR; 8.2.2. are not operations that have been indicated by the President of the Personal Data Protection Office in the "List of types of personal data processing operations requiring an assessment of the effects of processing on the protection of personal data," which list was available in October 2022 at: http://monitorpolski.gov.pl/MP/2019/666 and https://uodo.gov.pl/424 8.2.3. are not the operations identified by the Article 29 Work Group on pages 13 and 14 of the "Guidelines on data protection impact assessment and helping to determine whether processing is "likely to pose a high risk" for the purposes of Regulation 2016/679" as those for which it is likely that a processing impact assessment will be required; 8.2.4. according to the Guidelines on Data Protection Impact Assessment and Helping to Determine Whether Processing "is Likely to Cause High Risk" for the Purposes of Regulation 2016/679 prepared by the Article 29 Work Group, do not meet the criteria indicated in these guidelines, and that is: 22.214.171.124 Assessment or scoring, including profiling and forecasting based in particular on "aspects relating to work performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movement of the data subject" (recitals 71 and 91). None of the operations meet this criterion. 126.96.36.199 Automatic decision-making with legal effect or similarly significant effect: processing aimed at making decisions about data subjects that produce "legal effects on the natural person" or decisions that "similarly significantly affect the natural person" (Article 35(3)(a)). None of the operations meet this criterion. 188.8.131.52 Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected via networks or as part of "large-scale systematic monitoring of publicly accessible locations" (Article 35.3.c). None of the operations meet this criterion. 184.108.40.206 Sensitive or highly personal data: includes special categories of personal data as defined in Article 9 (e.g., information on citizens' political views) and personal data relating to criminal convictions or violations of law as defined in Art. 10 of the GDPR, as well as other sensitive data in line with the common understanding of the term, i.e., related to household and private activities or relating to the exercise of a fundamental right (e.g., location data is related to the right to freedom of movement), or data whose violation may have a clear impact on the subject's daily life (e.g., financial data that may be used for payment fraud). A portion of operations meet this criterion, including operations relating to the processing of data on the health of contractors and employees or contractors of GGS's clients, as well as GGS's employees or contractors and their family members (in the latter case, data of a highly personal nature are not processed, but only, for example, data related to health status for social security purposes on the basis of an obligation imposed on GGS by law).
220.127.116.11 Data processed on a large scale. The provisions of Regulation 2016/679 do not define the concept of large scale, but some interpretive guidance is provided by Recital 91 of the GDPR, according to which large-scale processing operations are those that process a significant number of personal data at a regional, national or supranational level and that are likely to affect a large number of data subjects and that are likely to cause high risks. The Article 29 Work Group stressed that it is not possible to indicate a specific value, be it the size of the dataset or the number of data subjects, which would determine large scale, so several elements should be taken into account when analyzing the concept of large-scale processing: the number of data subjects, the scope of personal data processed, the area in which the data are processed, or the length of time for which they are processed. As for the criterion of the number of people whose data are processed, it should be pointed out that it can refer both to a specifically defined number and also to the proportion (percentage) of the group in relation to a certain part of the population. If the data processing is purely regional, the premise of large scale will be fulfilled by the data of a smaller number of people than if it is international. The amount and scope of data that are processed by the controller or processor are important for assessing whether data processing meets the condition of large scale, as is the period for which the personal data will be processed. For assessing large scale, processing over a longer period of time will be greater than sporadic processing. A factor that should also be taken into account in assessing large scale is the area in which the processing will take place - the larger the territory, the greater the number of data will be the basis for considering that the processing is large scale. In such a view, it should be concluded that GGS activities can meet the "large scale" criterion. 18.104.22.168 Matching or combining data sets, e.g., from two or more data processing operations carried out for different purposes or by different data controllers, in a way that goes beyond the legitimate expectations of data subjects. No operation meets this criterion. 22.214.171.124 Data relating to vulnerable data subjects: processing of this type of data is one of the criteria due to the increased power imbalance between data subjects and the data controller, which means that individuals may have difficulty consenting to or objecting to the processing of their data, or may have difficulty exercising their rights. Vulnerable data subjects may include children (they may be considered incapable of consciously and thoughtfully objecting to data processing or consenting to data processing), employees, more vulnerable populations in need of special protection (the mentally ill, asylum seekers or the elderly, patients, etc.), and in any situation where an imbalance between the position of the data subject and the position of the data controller can be established. Some of the operations meet this criterion, including operations relating to the processing of health data of GGS employees and contractors, and data provided by the GGS client in connection with services provided by GGS. The processing of personal data of GGS employees is not based on consent, and most of it is required by universally applicable labor and social security laws to protect that employee, so it is processed for the benefit of that employee - so that he or she can, for example, receive social security or pension and there is no possibility of imposing anything on the employee here, because neither the employer nor the employee can change universally applicable social security requirements or universally applicable labor law standards. 126.96.36.199 Innovative use or application of new technological or organizational solutions, such as combining fingerprint and facial recognition technology to improve physical access control, etc. None of the operations meet this criterion. 188.8.131.52 When the processing itself "prevents data subjects from exercising a right or enjoying a service or contract" (Article 22 and Recital 91). This includes processing operations aimed at enabling, altering or denying data subjects' access to a service or contract.
None of the operations meet this criterion.
1.1 Although the processing operations of special categories of data on employees may meet two criteria at the same time (sensitive data and sensitive persons), after additional analysis, supported by the "Register of data processing operations" template provided by the DPA, available at: https://uodo.gov.pl/pl/123/214, the GGS considers that operations involving the processing of employees' personal data in connection with their employment, and in particular for the purpose of fulfilling the employer's obligations under the law, are not grounds for preparing an impact assessment of the processing of personal data. Similarly, some operations of processing special categories of data provided by the GGS client in connection with the services provided by GGS may meet two criteria at the same time (sensitive data and specially protected persons), then after additional analysis, GGS considers that the above operations are not the basis for preparing a personal data processing impact assessment (including due to the manner of securing such data and limited access).
8.3 In accordance with Article 35 (1) and (11) of the GDPR and the guidelines of the Article 29 Work Group and the DPA, the GGS shall analyze the risks of processing personal data on an ongoing basis and, if necessary, prepare a processing impact assessment for the relevant operations when there is a basis for doing so, in particular:
8.3.1. prior to the start of a new processing operation - in particular, with the use of new technologies - which, due to its nature, scope, context and purposes, may cause a high risk of violation of the rights or freedoms of natural persons, 8.3.2. after the occurrence of a personal data breach, 8.3.3. after a change in the law relating to the protection of personal data, as well as the issuance of guidelines by the Article 29 Work Group or a national supervisory authority on conducting a data processing impact assessment or a processing risk assessment.