Large-scale data processing” is not defined in the current regulation, so it is not possible to give an exact figure that corresponds to ‘large scale’.
We will have to keep an eye out for it since it’s possible that in due course we may have a specific explanation. However, the GDPR’s Recital 91 states:
“Those which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and are likely to involve a high risk, for example, due to their sensitivity, where, depending on the level of technical expertise achieved, new technology has been used on a large scale and other processing operations which involve a high risk to the rights and freedoms of data subjects, in particular where these operations make it more difficult for data subjects to exercise their rights”.
Article 29 Working Party recommended that the following factors be taken into account:
- the number of data subjects concerned, either as a specific number or as a proportion of the population;
- the volume of data or the variety of data elements undergoing processing;
- the duration, or permanence, of the data processing activity;
- the geographical scope of the processing activity.
Examples of large-scale processing include:
- Patients data in the normal course of business of a hospital;
- Travel data of people using the public transport system of a city (tracking via transport card);
- Real-time geolocation data of customers of an international fast food chain for statistical purposes by a data controller specialised in the provision of these services;
- Customer data in the ordinary course of business of an insurance company or a bank;
- Behavioral advertising by a search engine;
- Content, traffic, and location by telephone or internet service providers.
Cases that do NOT constitute large-scale processing include:
- Patients data by a single doctor;
- Data relating to criminal convictions and offenses by a lawyer.
