GDPR: Regular and systematic monitoring
What does the notion of ‘regular and systematic monitoring’ mean?
'The notion of regular and systematic monitoring of data subjects is not defined in the GDPR (General Data Protection Regulation), but the concept of ‘monitoring the behaviour of data subjects’ is mentioned in recital 24 and clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.
However, the notion of monitoring is not restricted to the online environment and online tracking should only be considered as one example of monitoring the behaviour of data subjects.
WP 29 interprets ‘regular’ as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place.
WP 29 interprets ‘systematic’ as meaning one or more of the following:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy.
Examples: operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.'
(Guidelines on Data Protection Officers (‘DPOs’), WP 243, ARTICLE 29 DATA PROTECTION WORKING PARTY, 13 december 2016, http://ec.europa.eu/justice/data-protection/index_en.htm)