Free flow of non-personal data
You - as an individual, business or organisation - have the right to use, collect, store, transfer or manage non-personal data, and to use data centres or cloud services anywhere in the EU (In this case, the 27 EU member states).
This can help you avoid any potential duplication of costs; for example, you can centralise your IT infrastructure in one EU country, even if you operate in multiple countries.
Personal data, non-personal data and mixed datasets
Personal data is any information about an identified or identifiable person and follows GDPR rules.
Non-personal datasets refer to:
- data which does not relate to an identified or identifiable natural person, such as data on weather conditions
- data which was initially personal data, but was later made anonymous and cannot be attributed in any way to a specific person
Mixed datasets are collections of personal and non-personal data such as a company’s tax record, mentioning the name and telephone number of the managing director of the company. In most cases, the personal and non-personal data in mixed datasets are inextricably linked. If you handle such mixed datasets, you must follow GDPR rules.
You can store your data anywhere in the EU, including on cloud servers
Apart from the exceptional cases explained below, you can choose the location where data is stored or processed.
If you use a cloud service to store your data, you should be able to easily change cloud service providers, or port the data back in-house to your own IT system. Several cloud service providers have a signed a code of conduct to guarantee this. You can access the list of service providers and the code of conduct on the website of the Cloud switching and porting data association (SWIPO).
Data localisation requirements in the EU
In exceptional cases, EU countries may be able to restrict the movement of certain data, but only if justified on the grounds of public security. Such a justification could be, for example, when data relates to ongoing counter-terrorism investigations, or when loss of data could risk a major traffic accident (such as for air traffic control data). These exceptions depend on national legislation. The EU regulation on the free flow of non-personal data gives access to information about such data localisations restrictions.
National information and contact points
The EU regulation on the free flow of non-personal data outlines two information points that EU countries must provide:
- “Single information point” refers to an official website with national information about the data localisation restrictions and requirements.
- “Single point of contact” refers to a physical address and/or an email that you can contact for further information.
In the Ask national administrations section below you will find the single information point and single point of contact at each national level.
Sharing data with competent authorities
You must make data available if a competent authority makes a legitimate request to access your data, even if the data is managed or stored in another EU country. Penalties may be issued for non-compliance in accordance with national law.