The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary?
Answer: The term “large scale” is not defined in the GDPR; however, the European Union’s Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly composed of representatives from each member state’s data protection authority – has issued some guidance in this respect. The Working Party recommends looking at the following factors when determining whether the processing is carried out on a “large scale”:
- The number of data subjects concerned - either as a specific number or as a proportion of the relevant population.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
Thus, processing may be on a large scale where it involves a wide range or large volume of personal data, where it occurs over a large geographical area, where a large number of individuals are affected, or where it is extensive or has long-lasting effects.
Furthermore, the Article 29 Working Party has provided the following examples of large-scale processing:
- processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
- processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in these activities;
- processing of customer data in the regular course of business by an insurance company or a bank;
- processing of personal data for behavioral advertising by a search engine; and
- processing of data (content, traffic, location) by telephone or internet service providers.