What is considered to be “large-scale personal data processing” and is there any legal guidance that can be used to identify it?

Large-scale data processing” is not defined in the current regulation, so it is not possible to give an exact figure that corresponds to ‘large scale’. 

We will have to keep an eye out for it since it’s possible that in due course we may have a specific explanation. However, the GDPR’s Recital 91 states:

“Those which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and are likely to involve a high risk, for example, due to their sensitivity, where, depending on the level of technical expertise achieved, new technology has been used on a large scale and other processing operations which involve a high risk to the rights and freedoms of data subjects, in particular where these operations make it more difficult for data subjects to exercise their rights”.

Article 29 Working Party recommended that the following factors be taken into account:

  • the number of data subjects concerned, either as a specific number or as a proportion of the population;
  • the volume of data or the variety of data elements undergoing processing;
  • the duration, or permanence, of the data processing activity;
  • the geographical scope of the processing activity. 

Examples of large-scale processing include:

  • Patients data in the normal course of business of a hospital;
  • Travel data of people using the public transport system of a city (tracking via transport card);
  • Real-time geolocation data of customers of an international fast food chain for statistical purposes by a data controller specialised in the provision of these services;
  • Customer data in the ordinary course of business of an insurance company or a bank;
  • Behavioral advertising by a search engine;
  • Content, traffic, and location by telephone or internet service providers.

Cases that do NOT constitute large-scale processing include:

  • Patients data by a single doctor;
  • Data relating to criminal convictions and offenses by a lawyer.

Share this article


The PDPL was published in the Saudi Arabian Official Gazette on 24 September 2021 and was scheduled to enter into force on 23 March 2022. However, the Saudi Data and Artificial Intelligence Authority (“SDAIA”) announced that the full implementation of the PDPL would be postponed until 17 March 2023 in order to make “necessary changes”, which was confirmed by the publication of Royal Order No. 51627, which states that the implementation of the PDPL will be postponed for a period of 540 days from the date of its publication in the KSA Official Gazette (published on 24 September 2021). Therefore, it is expected that the published version of the PDPL will be replaced by an amended version of the law.

Created by:

Picture of Eva Estévez

Eva Estévez

Registered lawyer at the ICAB, specialising in the law of new technologies, privacy and information security. She has a degree in Law and a Master's Degree in Access to the Legal Profession (Universitat de Barcelona). She has extensive experience advising national and international companies in data protection and has helped numerous companies as an external DPO at Borneo.

Related articles



Subscribe to our legal newsletter and you will be the first to receive our new blog articles, webinar information, ebooks, and more.

Free Webinars