GDPR: what is "large-scale processing"?

The European Union's General Data Protection Regulation (GDPR) establishes criteria for defining what constitutes "large-scale processing" of personal data. This qualification is of particular importance in the context of bringing companies into compliance with the GDPR. Let’s explore this concept and what it entails.

Why designate processing as "large-scale processing"?

Designating processing as large-scale has several implications:

  • Obligation to appoint a Data Protection Officer (DPO) by the data controller.
  • Possibility of having to carry out a data protection impact assessment (DPIA).

The criteria defining "large-scale processing"

According to the GDPR, large-scale processing concerns a significant volume of personal data on a regional, national or supranational scale, affecting a significant number of people and potentially creating high risks for their rights and freedoms. The text also mentions that the use of new technologies on a large scale can constitute such processing.

Guidelines for qualifying large-scale processing

The G29, the group of EU data protection authorities, offers guidelines to help qualify processing as large-scale. It recommends taking into account:

  • The number of people affected.
  • The categories of data processed.
  • The duration and geographic extent of the processing.

Examples of large-scale processing

  • Processing of patient data by a hospital.
  • Processing of passenger travel data by a means of public transport.
  • Processing of customer data by an insurance company or bank.
  • Data processing by a search engine for advertising purposes.

What European texts do not specify

European texts give general guidance on what constitutes large-scale processing but do not provide precise criteria, leaving this assessment to the discretion of the controller. The CNIL will be able to rule on concrete cases as part of its supervisory duties.

In conclusion, qualifying processing as "large-scale processing" is based on an evaluation of the general criteria defined by the GDPR and the G29 guidelines, while taking into account the specificity of each case. This is an important step in GDPR compliance and in the protection of individuals' personal data.
