Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 5.3 What does ‘large scale’ mean?
The GDPR does not define what constitutes large-scaleprocessing. The WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
-
the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
-
the volume of data and/or the range of different data items being processed
-
the duration, or permanence, of the data processing activity
-
the geographical extent of the processing activity
Examples of largescale processing include:
-
processing of patient data in the regular course of business by a hospital
-
processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
-
processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
-
processing of customer data in the regular course of business by an insurance company or a bank
-
processing of personal data for behavioural advertising by a search engine
-
processing of data (content, traffic, location) by telephone or internet service providers
Examples that do not constitute large-scale processing include:
-
processing of patient data by an individual physician
-
processing of personal data relating to criminal convictions and offences by an individual lawyer