GDPR’s Most Frequently Asked Questions: What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary

April 20, 2018

The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world.  As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Question:  What Does “Large Scale” Mean When Determining Whether A Data Protection Officer Is Necessary

Answer:  The term “large scale” is not defined in the GDPR, however the European Union’s Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority – has issued some guidance in this respect.  The Working Party recommends looking at the following factors, when determining whether the processing is carried out on a “large scale:”

  • The number of data subjects concerned - either as a specific number or as a proportion of the relevant population.
  • The volume of data and/or the range of different data items being processed.
  • The duration, or permanence, of the data processing activity.
  • The geographical extent of the processing activity.

Thus, processing may be on a large scale where it involves a wide range or large volume of personal data, where it occurs over a large geographical area, where a large number of individuals are affected, or where it is extensive or has long-lasting effects.

Furthermore, the Article 29 Working Party has provided the following examples of large-scale processing:

  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards);
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in these activities;
  • processing of customer data in the regular course of business by an insurance company or a bank;
  • processing of personal data for behavioral advertising by a search engine; and
  • processing of data (content, traffic, location) by telephone or internet service providers.

1. WP 243: Guidelines on Data Protection Officers (Apr. 5, 2017).