
Privacy and GDPR consulting Form

Fill out the form below, without obligation, and we will send you an initial proposal for bringing your organisation into line with the new “Privacy Regulation” (GDPR). If the information provided is not complete, we will contact you for further details. We always reply within 2 working days.


Glossary

The Regulation does not define what “large-scale” processing means. The Article 29 Working Party recommends taking into account, in particular, the following factors in order to determine whether processing is carried out on a large scale:
· the number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
· the volume of data and/or the range of different data items being processed;
· the duration, or permanence, of the processing activity;
· the geographical extent of the processing activity.

Some examples of large-scale processing are as follows:
· processing of patient data in the regular course of business by a hospital;
· processing of travel data of individuals using a city’s public transport system (for example, tracking via travel cards);
· processing of real-time geolocation data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services;
· processing of customer data in the regular course of business by an insurance company or a bank;
· processing of personal data for behavioural advertising by a search engine;
· processing of data (content, traffic, location) by telephone or internet service providers.

Some examples of processing that is not large-scale are as follows:
· processing of patient data by an individual physician;
· processing of personal data relating to criminal convictions and offences by an individual lawyer.

The notion of regular and systematic monitoring of data subjects is not defined in the GDPR, but it clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. The notion is not, however, restricted to the online environment.
Examples of activities that may constitute regular and systematic monitoring of data subjects are: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (for example, credit scoring, setting insurance premiums, fraud prevention, detection of money laundering); location tracking, for example by mobile apps; loyalty programmes; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed-circuit television (CCTV); connected devices such as smart meters, smart cars, home automation systems, and so on.

In the opinion of the Working Party, the adjective “regular” has one or more of the following meanings:
· ongoing or occurring at particular intervals for a particular period;
· recurring or repeated at fixed times;
· constantly or periodically taking place.

In the opinion of the Working Party, the adjective “systematic” has one or more of the following meanings:
· occurring according to a system;
· pre-arranged, organised or methodical;
· taking place as part of a general plan for data collection;
· carried out as part of a strategy.

“Core activities” can be taken to mean the key operations necessary to achieve the goals of the controller or processor, including all activities where the processing of data forms an inextricable part of the controller’s or processor’s activity. For example, the processing of health data (such as patients’ medical records) is one of the core activities of any hospital; it follows that every hospital must designate a DPO.
On the other hand, all organisations (public and private) carry out certain activities such as paying their staff or running a standard IT support function. These are examples of support functions necessary for the organisation’s core activity or main business; although necessary or even essential, they are usually considered ancillary and are not counted among the core activities.

Article 35(3) of the Regulation lists, in particular, the following cases in which a DPIA is required:
a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
c) a systematic monitoring of a publicly accessible area on a large scale.

As the words “in particular” in the introductory sentence of Article 35(3) of the Regulation indicate, this list is not intended to be exhaustive. There may be “high risk” processing operations that do not appear in the list but nevertheless present equally high risks. Such processing operations should also be subject to a DPIA.

For this reason, in most cases the controller will have to carry out a DPIA if a processing operation meets at least two of the criteria below.
However, in some cases the controller may consider that a processing operation meeting even one of these criteria requires a DPIA.

  1. Evaluation or scoring, including profiling and predicting, especially from “aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements” (recitals 71 and 91).
    Examples include a financial institution that screens its customers against a credit reference database, a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease or health risks, or a company building behavioural or marketing profiles based on usage of or navigation on its website.
  2. Automated decision-making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing “legal effects concerning the natural person” or which “similarly significantly affects the natural person” (Article 35(3)(a)).
    For example, processing that may lead to the exclusion of or discrimination against individuals.
  3. Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through networks or “a systematic monitoring of a publicly accessible area” (Article 35(3)(c)). This type of monitoring is a criterion because personal data may be collected in circumstances where data subjects may not be aware of who is collecting their data and how it will be used. Additionally, it may be impossible for individuals to avoid being subject to such processing in public (or publicly accessible) spaces.
  4. Sensitive data or data of a highly personal nature: this includes the special categories of personal data defined in Article 9 (for example, information about individuals’ political opinions), as well as personal data relating to criminal convictions or offences as defined in Article 10. An example would be a general hospital keeping patients’ medical records, or a private investigator keeping details of offences committed by the people observed. Beyond these provisions of the GDPR, some categories of data may increase the possible risk to the rights and freedoms of individuals.
  5. Data processed on a large scale: the GDPR does not define what constitutes “large scale”, although recital 91 provides some guidance. In any event, WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale: the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; the volume of data and/or the range of different data items being processed; the duration, or permanence, of the processing activity; and the geographical extent of the processing activity.
  6. Matching or combining datasets, for example originating from two or more processing operations performed for different purposes and/or by different controllers, in a way that would exceed the reasonable expectations of the data subject.
  7. Data concerning vulnerable data subjects (recital 75): the processing of this type of data is a criterion because of the increased power imbalance between the data subjects and the controller, meaning that individuals may be unable to easily consent to, or oppose, the processing of their data or to exercise their rights. Vulnerable data subjects may include children (who can be considered unable to knowingly and deliberately oppose or consent to the processing of their data), employees, and more vulnerable segments of the population requiring special protection (people with mental illness, asylum seekers, the elderly, patients, etc.), and in any case where an imbalance in the relationship between the position of the data subject and the controller can be identified.
  8. Innovative use or application of new technological or organisational solutions, such as combining the use of fingerprint and facial recognition for improved physical access control. The GDPR makes it clear (Article 35(1) and recitals 89 and 91) that the use of a new technology, defined “in accordance with the achieved state of technological knowledge” (recital 91), can trigger the need to carry out a DPIA. This is because the use of such technology can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms. Indeed, the personal and social consequences of the deployment of a new technology may be unknown. A DPIA will help the controller to understand and to treat such risks. For example, certain “Internet of Things” (IoT) applications could have a significant impact on individuals’ daily lives and privacy, and therefore require a DPIA.
  9. When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91). This includes processing operations that aim at allowing, modifying or refusing data subjects’ access to a service or entry into a contract. For example, a bank screening its customers against a credit reference database in order to decide whether to offer them a loan.
Questionnaire for a GDPR compliance quote