Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0.

2.1.3.3 “nature, scope, context and purpose of processing”

28. In short, the concept of nature can be understood as the inherent[11] characteristics of the processing. The scope refers to the size and range of the processing. The context relates to the circumstances of the processing, which may influence the expectations of the data subject, while the purpose pertains to the aims of the processing.

_{[11] Examples are special categories personal data, automatic decision-making, skewed power relations, unpredictable processing, difficulties for the data subject to exercise the rights, etc.}

Article 9 GDPR. Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

[…]

Article 10 GDPR. Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Guidelines on Data Protection Officers (‘DPOs’)

2.1.3 ‘LARGE SCALE’

In any event, the WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:

• the number of data subjects concerned – either as a specific number or as a proportion of the relevant population

• the volume of data and/or the range of different data items being processed

• the duration, or permanence, of the data processing activity

• the geographical extent of the processing activity.

Examples of large-scale processing include:

• processing of patient data in the regular course of business by a hospital

• processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)

• processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services

• processing of customer data in the regular course of business by an insurance company or a bank

• processing of personal data for behavioural advertising by a search engine

• processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:

• processing of patient data by an individual physician

• processing of personal data relating to criminal convictions and offences by an individual lawyer.

Article 68 GDPR. European Data Protection Board

1. The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.

2. The Board shall be represented by its Chair.

3. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State’s law.

5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 63 GDPR. Consistency mechanism

Article 4 GDPR. Definitions

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)

Offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the Union

The first activity triggering the application of Article 3(2) is the “offering of goods or services”, a concept which has been further addressed by EU law and case law, which should be taken into account when applying the targeting criterion. The offering of services also includes the offering of information society services, defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 [23] as “any Information Society service, that is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”.

_{[23] Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services.}

Another key element to be assessed in determining whether the Article 3(2)(a) targeting criterion can be met is whether the offer of goods or services is directed at a person in the Union, or in other words, whether the conduct on the part of the controller, which determines the means and purposes of processing, demonstrates its intention to offer goods or a services to a data subject located in the Union. Recital 23 of the GDPR indeed clarifies that “in order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”

Article 40 GDPR. Codes of conduct

Article 6 GDPR. Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

[…]

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

[…]

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;