Hacker News
by kaspm 2953 days ago
It really comes down to the definition of "systematically monitoring". On our service we capture behavior (say in FullStory) and Google Analytics at a "large scale". How the DPO clause gets interpreted is going to be a key finding in the next few months. This is imho the most confusing and potentially difficult part of GDPR.

No, that's irrelevant in this case. The question is whether you're processing sensitive PII on a large scale. DPO is only necessary when processing sensitive PII. Sensitive is very clearly defined in the law as race, religion, medical records or biometric data. And IP addresses certainly do not qualify as sensitive PII (they are PII though) so I don't understand the entire discussion here. Seems to be just a political knee-jerk.
That's fair in this case, at my company we track "pregnancy status" and "due date". It's unclear at this point whether that's considered sensitive PII.