The General Data Protection Regulation (GDPR) provides that companies are obliged to appoint a Data Protection Officer (DPO) if the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. This requirement is particularly likely to apply to online gaming companies, e-commerce businesses, telecommunications companies and information society service providers.
Article 37(1) of the GDPR requires the designation of a DPO in three (3) specific cases:
- where the processing is carried out by a public authority or body;
- where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
- where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Local legislation may also add to these instances.
Companies involved in electronic communications, electronic commerce, online gaming, as well as credit and financial institutions should analyse whether they fall under the requirement to appoint a DPO. Article 37(1)(b) applies only when two (2) elements are both present:
- The processing of personal data is carried out on a large scale; and
- The processing requires regular and systematic monitoring of data subjects.
Large Scale Processing of Personal Data
The GDPR does not define what constitutes “large scale”; however, in its latest Guidance on DPOs, WP29 recommended that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
- The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
Examples of large-scale processing according to WP29 would include:
- Processing of patient data in the regular course of business by a hospital
- Processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
- Processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services
- Processing of customer data in the regular course of business by an insurance company or a bank
- Processing of personal data for behavioural advertising by a search engine
- Processing of data (content, traffic, location) by telephone or internet service providers
Regular and Systematic Monitoring
The Guidance then expands on this point by interpreting both the terms “regular” and “systematic”.
WP29 interprets “regular” as meaning one or more of the following:
- Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place
The term “systematic” on the other hand is interpreted as one or more of the following:
- Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy
Potentially affected companies should thus plan ahead and hold the required meetings with their respective Data Protection Authority. This is very important because, where the requirement applies, there is a whole process which both the Company concerned and its DPO need to comply with at inception, as well as on a continuous basis. It is also important to note that the obligation to appoint a DPO may apply even when the Company is acting as a processor for a controller, and not solely when it is the controller of the data.
For more information or if you have any questions, please feel free to contact Dr Ian Gauci on firstname.lastname@example.org
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.