Guidelines on Data Protection Officers (‘DPOs’) (wp243rev.01)

Paragraph 2.1.4  Regular and systemic monitoring

The notion of regular and systematic monitoring of data subjects isnot defined in the GDPR, but the concept of ‘monitoring of the behaviour of data subjects’is mentioned in recital 2415and clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.However, the notion of monitoring is not restricted to the online environmentandonline tracking should only be considered as one example of monitoring the behaviour of data subjects.

WP29 interprets ‘regular’ as meaning one or more of the following:

• Ongoing or occurring at particular intervals for a particular period

• Recurring or repeated at fixed times

• Constantly or periodically taking place

WP29 interprets ‘systematic’ as meaning one or more of the following:

• Occurring according to a system

• Pre-arranged, organised or methodical

• Taking place as part of a general plan for data collection

• Carried out as part of a strategy

Examplesof activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraudprevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.