The Regulation does not define what “large-scale” processing means. The Working Party recommends taking into account, in particular, the following factors in order to determine whether processing is carried out on a large scale:
· The number of data subjects involved in the processing, in absolute terms or expressed as a percentage of the reference population;
· The volume of data and/or the different types of data being processed;
· The duration, or the persistence, of the processing activity;
· The geographical scope of the processing activity.
Some examples of large-scale processing are as follows:
· Processing of patient data carried out by a hospital in the course of its ordinary activities;
· Processing of data relating to the movements of users of a city public transport service (for example, tracking them through travel documents);
· Processing of geolocation data collected in real time for statistical purposes by a provider specialized in services of this type, on behalf of the customers of an international fast food chain;
· Processing of customer data by an insurance company or a bank in the course of its ordinary activities;
· Processing of personal data by a search engine for behavioral advertising purposes;
· Processing of data (metadata, content, location) by telephone or telematic service providers.
Some examples of processing that is not large-scale are as follows:
· Processing of patient data carried out by a single healthcare professional;
· Processing of personal data relating to criminal convictions and offenses carried out by a single lawyer.
The concept of regular and systematic monitoring of data subjects is not defined in the GDPR; however, it undoubtedly includes all forms of tracking and profiling on the Internet, including for behavioral advertising purposes. It is not, however, a concept limited exclusively to the online environment.
Some examples of activities that may constitute regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; e-mail redirection; marketing activities based on the analysis of the collected data; profiling and scoring for risk assessment purposes (for example, credit risk assessment, setting of insurance premiums, fraud prevention, detection of money laundering); location tracking, for example by apps on mobile devices; loyalty programs; behavioral advertising; monitoring of data relating to psychophysical well-being, physical fitness and health through wearable devices; use of CCTV cameras; connected devices such as smart meters, smart cars, home automation devices, etc.
The adjective “regular” has at least one of the following meanings in the opinion of the Working Party:
· Occurring continuously or at defined intervals for a defined period of time;
· Recurrent or repeated at constant intervals;
· Occurring constantly or at periodic intervals.
The adjective “systematic” has at least one of the following meanings in the opinion of the Working Party:
· Occurring according to a system;
· Predetermined, organized or methodical;
· Taking place as part of an overall data collection plan;
· Carried out as part of a strategy.
By “core activities” we mean the essential operations that are necessary to achieve the objectives pursued by the data controller or the data processor, including all those activities in which the processing of data is inseparably linked to the activity of the controller or the processor. For example, the processing of health-related data (such as patient medical records) is one of the core activities of any hospital; it follows that all hospitals will have to designate a DPO.
On the other hand, all bodies (public and private) carry out certain activities, such as paying staff salaries, or have standard IT support structures. These are examples of support functions necessary for the core activity or main purpose of the individual body; although necessary or even essential, they are usually considered ancillary in nature and are not counted among the core activities.
a) a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
b) large-scale processing of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or
c) systematic monitoring of a publicly accessible area on a large scale.
As the words “in particular” in the introductory sentence of Article 35(3) of the Regulation indicate, this list is not intended to be exhaustive. There may be “high risk” processing operations that are not included in this list but nevertheless present equally high risks. These processing operations should also be subject to a DPIA.
For this reason, the data controller will normally have to carry out a DPIA if a processing operation meets at least two of the criteria below.
However, in some cases, the data controller may consider that a processing operation meeting even one of these criteria requires a DPIA.
Savyng Srls
Via Lazzaretto, 2
25030 Adro (BS) Italy