Any risk assessment required under the GDPR must also take into account the "scope of processing". When determining which measures are appropriate to achieve the lawfulness of the processing, there are several weighting parameters, and the "scope of processing" is one of them. Other GDPR provisions for assessing the risk of data processing also rely on the "scope of processing":
Art. 23 II f: Any legislative measure that restricts the data subjects' rights shall contain specific provisions concerning storage periods and safeguards, taking into account the "scope of processing".
Art. 24 I 1: The "scope of processing" is a criterion for assessing which measures ensure that the processing is carried out in accordance with the GDPR.
Art. 25 I: The "scope of processing" is a criterion for assessing which measures are necessary to ensure data protection by design.
Art. 25 II 2: Measures that, by default, have to ensure purpose limitation must apply to the "extent of their processing".
Art. 27 II a: The "scope of processing" shall be taken into account when determining whether a controller or processor not established in the Union must designate a representative.
Art. 32 I: The "scope of processing" must be taken into account when considering what measures will ensure an appropriate level of data security.
Art. 35 I: Whether a processing operation poses a high risk to the data subject and therefore requires a data protection impact assessment depends, among other things, on the "scope of processing".
Art. 35 III: A data protection impact assessment shall in particular be required in case of "extensive evaluation of personal aspects" (lit. a), processing of sensitive data "on a large scale" (lit. b) and monitoring of a publicly accessible area "on a large scale" (lit. c).
Art. 37 I: The "scale" of monitoring (lit. b) or of processing of sensitive data (lit. c) is a criterion to be taken into account when considering whether to appoint a data protection officer (see also Rec. 97).
Art. 39 II: The data protection officer shall take into account the "scope of processing" in the performance of his/her duties. [See also § 7 III German Federal Data Protection Act: "have due account".]
Art. 83 II a: The "scope of processing" also plays a role as a criterion in the decision of a supervisory authority on the imposition of an administrative fine and its amount.
Rec. 75: Processing is potentially risky when it involves "a large amount of personal data" or "a large number of data subjects".
Recitals 74, 76, 80, 89, 90, 91, 94 and 97 GDPR also focus on the "scope" or the "scale" of the processing.
There is also one provision in German law that refers to the "scope of processing":
§ 22 II BDSG (German Federal Data Protection Act): When processing data on the basis of § 22 I BDSG in derogation from Art. 9 I GDPR, the controller must take into account, among other things, the "scope of processing" when determining the measures it must take.