Privacy Notification Policy & Procedure

1. Objectives

1.1. The objective of this policy is to ensure that ServeSoul Limited considers the potential data protection and GDPR implications of any new processes or systems it introduces, or of any changes that impact on its processing of personal data.

1.2. By reviewing and utilising the form set out in this policy, ServeSoul Limited will be able to provide evidence of the decisions it has taken and changes it has made that may impact on the processing it carries out.

2. Policy

2.1. ServeSoul Limited understands that a PIA will enable it to identify and minimise the risks of any project it wishes to carry out.

2.2. ServeSoul Limited understands that PIAs must be conducted for specified types of processing (listed in the Procedure section below) as well as for processing that may result in a high risk for affected individuals.

2.3. ServeSoul Limited understands that a PIA should:

• Describe the nature, scope, context and purposes of the processing
• Assess whether the processing is necessary and proportionate and in compliance with GDPR
• Identify and assess risks to affected Data Subjects
• Identify the measures it will take to mitigate those risks

2.4. ServeSoul Limited understands that if a PIA identifies that processing may be high risk and it is unable to take steps to mitigate those risks, it should notify the ICO and seek advice from the ICO as to whether it should carry out the processing.

3. Procedure

3.1. ServeSoul Limited will implement a process for deciding whether a PIA is necessary and, if so, the steps that it will take to conduct the PIA. ServeSoul Limited will use the form attached to this policy when conducting a PIA.

3.2. ServeSoul Limited will provide training to its employees about when a PIA is necessary and how to conduct a PIA.

3.3. ServeSoul Limited will conduct PIAs in the following scenarios:

• Where ServeSoul Limited intends to use systematic and extensive profiling or automated decision-making to make significant decisions about Data Subjects
• Where personal data relating to children will be processed for profiling or automated decision making, for marketing or to offer online services directly to the children
• Where ServeSoul Limited will process special categories of data or criminal offence data on a large scale
• Where ServeSoul Limited intends to monitor a publicly accessible place on a large scale
• Where new technologies are introduced by ServeSoul Limited that may impact on its processing activities
• Where ServeSoul Limited intends to process biometric or genetic data
• Where ServeSoul Limited intends to combine, compare or match personal data from multiple sources
• Where ServeSoul Limited processes personal data without providing a privacy policy directly to the affected Data Subject
• Where the processing will involve tracking individuals' behaviour (whether online or offline)
• Where the processing could result in a physical harm if there is a breach of security

3.4. ServeSoul Limited will consider carrying out PIAs in the following circumstances, as well as in any other circumstances which ServeSoul Limited considers to be potentially high risk:

• Where ServeSoul Limited processes special categories of data or personal data of a highly personal nature
• Where ServeSoul Limited conducts large-scale processing
• Where the processing concerns vulnerable Data Subjects

ServeSoul Limited acknowledges that because of the types of services it provides, it may need to conduct PIAs on a regular basis to ensure that Data Subjects, including Service Users, are protected.

3.5. ServeSoul Limited will also conduct a PIA if the nature or purpose of the processing it carries out changes.

3.6. ServeSoul Limited will document the steps taken as part of the PIA and the outcomes in line with the form attached to this policy.

3.7. ServeSoul Limited will take any steps it identifies as being necessary to mitigate risks associated with the processing and will document the steps taken and the outcome of those steps.

Updated: 27/04/2025