What is considered to be processing “on a large scale”?

The GDPR does not define what constitutes “large scale” processing but guidelines on the interpretation of the GDPR recommend that the following factors be considered when determining whether the processing is carried out on a large scale:

  • The number of individuals concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

Examples of large-scale processing include:

  • processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers

Examples that do not constitute large-scale processing include:

  • processing of patient data by an individual doctor
  • processing of personal data relating to criminal convictions and offences by an individual lawyer