Questions and examples, Lecture 2

What does ‘large scale’ mean?

The GDPR does not define what constitutes large-scale processing. According to the Guidelines of the WP29, following factors, in particular, should be considered when determining whether the processing is carried out on a large scale:

• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population
• the volume of data and/or the range of different data items being processed
• the duration, or permanence, of the data processing activity
• the geographical extent of the processing activity Examples of large scale processing include:
• processing of patient data in the regular course of business by a hospital
• processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
• processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities
• processing of customer data in the regular course of business by an insurance company or a bank
• processing of personal data for behavioural advertising by a search engine
• processing of data (content, traffic, location) by telephone or internet service providers

Processing of patient data by an individual physician or processing of personal data relating to criminal convictions and offences by an individual lawyer should not constitute large-scale processing.