Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)
Section 5.4 What does ‘regular and systematic monitoring’ mean?
The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.
Examplesof activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.
WP29 interprets ‘regular’ as meaning one or more of the following:
-
ongoing or occurring at particular intervals for a particular period
-
recurring or repeated at fixed times
-
constantly or periodically taking place
WP29 interprets ‘systematic’ as meaning one or more of the following:
-
occurring according to a system
-
pre-arranged, organised or methodical
-
taking place as part of a general plan for data collection
-
carried out as part of a strategy