Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Paragraph 2.1.3 Large Scale
Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scaleprocessing, though recital 91 provides some guidance.
Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities. The WP29 also plans to contribute to this development, by way of sharing and publicising examples of the relevant thresholds for the designation of a DPO.
In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
-
The number of data subjects concerned -either as a specific number or as a proportion of the relevantpopulation
-
The volume of data and/or the range of different data items being processed
-
The duration,or permanence,of thedata processing activity
-
The geographical extent of the processing activity
Examples of large-scale processing include:
-
processing of patient data in the regular course of business by a hospital
-
processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
-
processing of real time geo-location data of customers ofan international fast food chain for statistical purposes by a processor specialised in providing these services
-
processing of customer data in the regular course of business by an insurance company or a bank
-
processing of personal data for behavioural advertising by a search engine
-
processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
-
processing of patient data by an individual physician
-
processing of personal data relating to criminal convictions and offences by an individual lawyer