- What is the purpose of the guidance?
The guidance fulfils an obligation in the Regulation on the free flow of non-personal data (FFD Regulation), which requires the Commission to publish guidance on the interaction between this Regulation and the General Data Protection Regulation (GDPR), especially as regards datasets composed of both personal and non-personal data. It aims to help users – in particular small and medium-sized enterprises – understand the interaction between the two regulations.
In line with the existing GDPR documents, prepared by the European Data Protection Board, this guidance document aims to clarify which rules apply when processing personal and non-personal data. It gives a useful overview of the central concepts of the free flow of personal and non-personal data within the EU, while explaining the relation between the two Regulations in practical terms and with concrete examples.
- Who will benefit from the guidance?
The guidance is of particular relevance for private businesses, notably small and medium-sized enterprises, organisations and other entities that process data in the course of their professional activities. This covers producing, collecting, storing, transmitting or otherwise processing data, both personal and non-personal. Even businesses that process only non-personal data might find the guidance useful, as the document refers to situations in which the data might be subject to localisation requirements or, under certain conditions, to data protection rules.
The guidance also provides reassurance that the rights of citizens to the protection of their personal data are always respected, including when their data are mixed with other types of data, or that their data are properly anonymised.
Furthermore, the guidance also has informative value for public authorities, which regularly process data and are directly involved in the creation of legislative and administrative rules concerning the processing of data.
- Which topics does the guidance cover?
As well as illustrating the scope of the FFD Regulation and the GDPR, the guidance identifies the interaction between these two sets of EU rules. It explains the interplay between the two regulations regarding the free flow of data. In addition, it presents the concepts of non-personal data and personal data, and clarifies which rules to follow when processing mixed datasets, i.e. datasets composed of both personal and non-personal data. The document also explains the notion of data portability, and how this compares between the GDPR and the FFD Regulation. It offers businesses an overview of the codes of conduct for data porting and the switching of data processing service providers, and describes the role of self-regulatory work, such as codes of conduct and certification mechanisms to demonstrate compliance with data protection rules. To show how the two regulations contribute to the free movement of data within the EU, the guidance explains the concept of data localisation requirements under the FFD Regulation, as well as the free movement principle under the GDPR.
- What are non-personal data?
Non-personal data are distinct from personal data, as laid down in the GDPR. Non-personal data can be categorised in terms of origin, namely:
- data which originally did not relate to an identified or identifiable natural person, such as data on weather conditions generated by sensors installed on wind turbines, or data on maintenance needs for industrial machines; or
- data which was initially personal data, but later made anonymous.
While the guidance refers to more examples of non-personal data, it also explains the concepts of personal data, anonymised data and pseudonymised data to provide a better understanding, and describes the boundary between personal and non-personal data.
- What are mixed datasets?
In most real-life situations, a dataset is very likely to be composed of both personal and non-personal data. This is often referred to as a “mixed dataset”. Mixed datasets represent the majority of datasets used in the data economy and are commonly gathered thanks to technological developments such as the Internet of Things (i.e. digitally connecting objects), artificial intelligence and technologies enabling big data analytics.
Examples of mixed datasets include a company's tax records, mentioning the name and telephone number of the managing director of the company. This can also include a company's knowledge of IT problems and solutions based on individual incident reports, or a research institution's anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions.
- Do personal and non-personal data have to be processed separately?
No, neither the FFD Regulation nor the GDPR imposes an obligation to split mixed datasets or to process personal and non-personal data separately. In most cases, this would be challenging and impractical, if not impossible. The guidance therefore explains the applicable rules in accordance with the FFD Regulation (Article 2(2) thereof). In the case of mixed datasets:
- the FFD Regulation applies to the non-personal data part of the dataset;
- the GDPR's free flow provision applies to the personal data part of the dataset.
If the non-personal data part and the personal data part are “inextricably linked”, the data protection rights and obligations stemming from the GDPR fully apply to the entire mixed dataset, including in cases where personal data represents only a small part of the dataset.
The guidance also explains the concept of being inextricably linked and provides practical examples on the application of the above rules.
- Is there a conflict between the two regulations?
There are no contradictory obligations under the GDPR and the FFD Regulation. While the GDPR ensures a high level of data protection and provides for the free flow of personal data, the FFD Regulation provides for the free flow of non-personal data. Both regulations enable the free movement of all data within the EU.
Furthermore, the FFD Regulation contains no obligations for businesses, and the practicalities of processing non-personal data are a matter of choice for the particular business. The FFD Regulation does not limit the contractual freedom of businesses, enabling them to choose the location for processing their data.
- Why does the guidance cover self-regulatory work as well?
The aim of the FFD Regulation is to enable the free flow of non-personal data within the EU. Various stakeholder groups are developing codes of conduct for data porting and the switching of service providers in business relations, as well as codes of conduct on data protection under the GDPR. Work is also being carried out for the cybersecurity certification of cloud services. Therefore, self-regulation will allow market players to become more innovative and build trust in their fields, and will potentially be more responsive to changes in the market.