GDPR’s Most Frequently Asked Questions: What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary

The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question: What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary

Answer: The term “large scale” is not defined in the GDPR, however the European Union’s Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority – has issued some guidance in this respect. The Working Party recommends looking at the following factors, when determining whether the processing is carried out on a “large scale:”

The number of data subjects concerned - either as a specific number or as a proportion of the relevant population.
The volume of data and/or the range of different data items being processed.
The duration, or permanence, of the data processing activity.
The geographical extent of the processing activity.

Thus, processing may be on a large scale where it involves a wide range or large volume of personal data, where it occurs over a large geographical area, where a large number of individuals are affected, or where it is extensive or has long-lasting effects.

Furthermore, the Article 29 Working Party has provided the following examples of large-scale processing:

processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in these activities;
processing of customer data in the regular course of business by an insurance company or a bank;
processing of personal data for behavioral advertising by a search engine; and
processing of data (content, traffic, location) by telephone or internet service providers.

Register now for your free, tailored, daily legal newsfeed service.

GDPR’s Most Frequently Asked Questions: What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary

Filed under

Laws

Popular articles from this firm

GDPR's Most Frequently Asked Questions: Are Work Email Addresses and Business Contact Information Considered "Personal Data?" *

GDPR’s Most Frequently Asked Questions: Does Personal Data, Personal Information, and Personally Identifiable Information Mean the Same Thing? *

GDPR HR Series: Employee Information Notices About Personal Data - Your Key Questions Answered *

GDPR’s Most Frequently Asked Questions: What Does It Mean To Be “Established” In The EU? *

GDPR's Most Frequently Asked Questions: If I receive a right to be forgotten request from an employee do I have to honor it? *

Related practical resources PRO

Related research hubs