Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Paragraph 2.1.3   Large Scale

Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scaleprocessing, though recital 91 provides some guidance.

Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop for identifying in more specific and/or quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities. The WP29 also plans to contribute to this development, by way of sharing and publicising examples of the relevant thresholds for the designation of a DPO.

In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:     

  • The number of data subjects concerned -either as a specific  number or as a  proportion of the relevantpopulation

  • The volume of data and/or the range of different data items being processed

  • The duration,or permanence,of thedata processing activity

  • The geographical extent of the processing activity

Examples of large-scale processing include:

  • processing of patient data in the regular course of  business by a hospital

  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)

  • processing of real time geo-location data of customers ofan international fast food chain for statistical purposes by a processor specialised in providing these services

  • processing of customer data in the regular course of business by an insurance company or a bank

  • processing of personal data for behavioural advertising by a search engine

  • processing of data (content, traffic, location) by telephone or internet service providers

Examples that do not constitute large-scale processing include:

  • processing of patient data by an individual physician

  • processing of personal data relating to criminal convictions and offences by an individual lawyer

author avatar
Richard V

You may also like

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.3  Risks to free flow of personal data within the Union 44. Where the objection will refer to this particular risk, the CSA will need to clarify why it …

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.2  Risks to fundamental rights and freedoms of data subjects 39. The issue at stake concerns the impact the draft decision as a whole would have on the data …

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679
29 November, 2020

Guidelines 9/2020 on relevant and reasoned objection under Regulation 2016/679 Paragraph 3.2.1  Meaning of “significance of the risks” 35. It is important to bear in mind that the goal of the work carried out by SAs is that of protecting …