Monitoring (Regular and Systematic)

Under GDPR, tracking or observing individuals' behavior in a regular and systematic way, which triggers certain obligations including mandatory DPO appointment for controllers whose core activities involve such monitoring at large scale. Regular means occurring continuously or at particular intervals, while systematic means organized according to a plan or system. Examples include behavioral advertising tracking users across websites, location tracking through apps or devices, health or fitness tracking, CCTV surveillance with facial recognition, and profiling for risk assessment or personalized content. The monitoring doesn't need to be continuous—regular patterns suffice. Large scale considers the number of individuals, volume of data, duration, and geographic extent. Organizations should assess whether their activities constitute regular and systematic monitoring, appoint DPOs if required, conduct data protection impact assessments, implement appropriate safeguards, and provide clear information to individuals about monitoring.