August 6, 2019
Let’s analyse this Regulation and see what needs to be done in order to stay compliant!
While personal data is defined in the GDPR, non-personal data is defined in the Free Flow of Non-Personal Data Regulation as “data other than personal data as defined in point 1 of Article 4” of the GDPR.
And what about mixed data that contains both personal and non-personal information? The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation) became applicable from 28 May 2019.
The data localization requirements shall no longer apply: under the Regulation, the location of non-personal data for storage or processing within the EU shall not be restricted to the territory of a member state. As such, the free movement of data should be established.
Non-personal data is categorised by origin as:
With respect to the portability of data, the European Commission will encourage and facilitate the development of self-regulatory codes of conduct at EU level in order to build a more competitive data economy. This new Regulation will certainly generate fewer headlines than its more famous cousin, the GDPR, and its impact will be much less significant.
Personal, Non-personal or Mixed Data? Here’s How to Process Each.
The Regulation provides that where a data set is composed of both personal and non-personal data, it applies to the non-personal data. It also states that where the personal and non-personal data in a data set are inextricably linked, the Regulation “shall not prejudice the application” of the GDPR.
The Commission’s guidance addresses the concepts of personal and non-personal data covered by each of the regulations.
The Regulation does not affect the powers of the regulatory authorities to request, obtain or access data for the performance of their official duties in compliance with EU and national law.
- Data that originally did not relate to an identified or identifiable natural person, or
- Data that were initially personal data, but were later made anonymous. Note that anonymisation of personal data is different to pseudonymisation, the latter being processing of data that can ultimately be attributed to a person with the use of additional information.
The aim of the new rules is to increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.
- The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the set;
- The GDPR applies to the personal data part of the set;
- If the non-personal data and the personal data are “inextricably linked”, the data protection rights and obligations arising under the GDPR will apply fully to the whole mixed dataset, even if the personal data represents a small part of the set.
The New EU Regulation About Free Flow of Non-Personal Data Says:
No Data Localisation Requirements
Convert is ready and prepared for this law. Are you?
While the aim of the Regulation is to be welcomed, its interaction with the GDPR could create difficulties.
Data Still Needs to Be Available for Regulatory Authorities
You might not use personal data in your business but did you know that you need to follow specific rules even for non-personal data?
Businesses that have already implemented processes and procedures such as data mapping, data inventory and the maintenance of records of processing activities as part of GDPR readiness will have a head start in getting ready for the new law.
Self-Regulation of Non-Personal Data for Healthy Competition
In most everyday situations, a data set is likely to be a mixed data set consisting of both personal and non-personal data. In the case of a mixed data set, the guidance sets out the approach as follows:
Get a Head Start on Compliance
The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory.
To clarify further, the European Commission has published practical guidance which aims to help users, in particular small and medium-sized enterprises, understand the interaction between the new Regulation and the GDPR, especially when datasets are composed of both personal and non-personal data.
Together with the General Data Protection Regulation (GDPR), the new Regulation aims to provide a stable legal and business environment for data processing.
In practice, this means that a cloud service provider in the EU may decide for itself where it stores non-personal data.
Access to data may not be refused to the regulatory authorities on the basis that the data are processed in another Member State.