GDPR - 'Large scale'
What does the notion of ‘large scale’ mean?
'Article 37(1)(b) and (c) General Data Protection Regulation (GDPR) requires that the processing of personal data be carried out on a large scale in order for the designation of a data protection officer (DPO) to be triggered. The GDPR does not define what constitutes large-scale, though recital 91 provides some guidance.
Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations. This does not exclude the possibility, however, that over time, a standard practice may develop, for specifying in objective, quantitative terms what constitutes ‘large scale’ in respect of certain types of common processing activities. The WP29 also plans to contribute to this development, by way of sharing and publicising examples of the relevant thresholds for the designation of a DPO.
In any event, the WP 29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity.
Examples of large-scale processing include:
- processing of patient data in the regular course of business by a hospital
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- processing of customer data in the regular course of business by an insurance company or a bank
- processing of personal data for behavioural advertising by a search engine
- processing of data (content, traffic, location) by telephone or internet service providers.
Examples that do not constitute large-scale processing include:
- processing of patient data by an individual physician
- processing of personal data relating to criminal convictions and offences by an individual lawyer.'
(Guidelines on Data Protection Officers (‘DPOs’), WP 243, ARTICLE 29 DATA PROTECTION WORKING PARTY, 13 december 2016, http://ec.europa.eu/justice/data-protection/index_en.htm)