European Commission publishes guidance on free flow of non-personal data
On 29 May 2019 the EU Commission published a guidance on the interaction between the Regulation on the free flow of non-personal data (FFD Regulation) and the General Data Protection Regulation (GDPR). In particular, private businesses, notably small and medium-sized enterprises and other entities which process data in the course of their professional activities, will benefit from the guidance.
According to the GDPR Regulation, non-personal data are distinct from personal data. The non-personal data can be categorised in terms of origin, namely (i) data which originally did not relate to an identified or identifiable natural person; or (ii) data which was initially personal data, but was later made anonymous. However, in most real-life situations, a dataset is very likely to be composed of both personal and non-personal data. This is often referred to as a “mixed dataset”. Examples of mixed datasets include a company’s tax records, mentioning the name and telephone number of the managing director of the company; or a company’s knowledge of IT problems and solutions based on individual incident reports.
Neither the FFD Regulation, nor the GDPR imposes an obligation on data processors to split the mixed datasets or to process personal and non-personal data separately. In the case of mixed datasets (i) the FFD Regulation applies to the non-personal data part of the dataset; while (ii) the GDPR’s free flow provision applies to the personal data part of the dataset.
If the non-personal data part and the personal data parts are “inextricably linked”, the data protection rights and obligations stemming from the GDPR fully apply to the entire mixed dataset, including in cases where personal data represents only a small part of the dataset.