Using, storing and transferring data
Affected by Brexit?
You - as an individual, business or organisation - have the right to use, collect, store, transfer or manage non-personal data, and to use data centres or cloud services anywhere in the EU (In this case, the 28 EU member states + Iceland, Norway and Liechtenstein).
This can help you avoid any potential duplication of costs; for example, you can centralise your IT infrastructure in one EU country, even if you operate in multiple countries.
What is non-personal data?
Non-personal data is information that cannot be linked to an identified or identifiable person, such as data:
- generated as part of business processes (for example, business to business invoices)
- generated by connected industrial devices (sensors communicating recorded data, such as for weather apps)
- recorded for maintenance requirements (for example, industrial robots, streets, bridges etc.)
Personal data and mixed data sets
The rules for dealing with personal data differ from those for non-personal data. You can read more about personal data and the data protection rules on the GDPR page.
Personal and non-personal data are often collected and stored together; this is known as mixed data. If you handle mixed datasets, the same level of protection as personal data applies. Find out more about mixed data sets and how to manage them.
You can store your data anywhere in the EU, including on cloud servers
Apart from the exceptional cases explained below, you can choose the location where data is stored or processed.
If you use a cloud service to store your data, you should be able to easily change cloud service providers, or port the data back in-house to your own IT system.
To ensure this, several cloud service providers have joined the Cloud Switching and Porting Data (SWIPO) code of conduct. Find out more about this here.
Restrictions on free movement of data in the EU
In exceptional cases, EU countries may be able to restrict the location of certain data, but only if justified on the grounds of public security, for example, when data relates to ongoing counter-terrorism investigations, or when loss of data could risk a major traffic accident (such as for air traffic control data).
Check if the country you are based in, or where you intend to expand your business to, has any restrictions on storing data abroad.
- United Kingdom*uk
If you need more information on other rules for using, storing and transferring data in a specific country or on the Regulation you can ask the national contact points.
Sharing data with competent authorities
You must make data available if a competent authority makes a legitimate request to access your data, even if the data is managed or stored in another EU country. Penalties may be issued for non-compliance in accordance with national law.