11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
Source law
General Data Protection Regulation
Chapter IV, Section 3, Article 35