The European Commission has published guidance to help clarify the interaction between two sets of rules governing the free flow of personal and non-personal data, as well as mixed data sets.
Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR) and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy), as well as the relevant Cypriot Law (i.e. The protection of individuals with regard to the processing of personal data and on the free movement of such data Law (L.125(I)/2018) and The Electronic Communications and Postal Services Law (L. 112(I)/2004)), fundamentally changed the way personal data is handled by regulating the processing of personal data relating to individuals in the European Union by an individual, a company or an organisation.
As, in most real-life situations, data sets in Member States are very likely to be composed of both personal and non-personal data, it was crucial to adopt a new regulation for the protection of data other than personal data (as defined in point (1) of Article 4 of GDPR). Therefore, Regulation (EU) 2018/1807 on a Framework for the Free Flow of Non-personal Data in the European Union (hereinafter FFD Regulation) was adopted to regulate and safeguard the free movement of non-personal data across Member States in Europe.
Under FFD Regulation, the European Commission was to publish, by 29 May 2019, guidance to help users understand the interaction between these new rules and GDPR, particularly when datasets are composed of both personal and non-personal data. The European Commission has published the abovementioned guidance, and this article examines its purpose, topics and main users/beneficiaries.
Purpose of the Guidance
The European Commission was required by FFD Regulation to publish informative guidance on how to handle data sets composed of both personal and non-personal data, so that companies, in particular small and medium-sized enterprises, better understand the interaction between FFD Regulation and GDPR. In line with the existing GDPR documents and guidance, this guidance document aims to clarify which rules apply when processing personal and non-personal data, explaining the relation between the two Regulations in practical terms and with concrete examples.
Main Topics and Beneficiaries of FFD Regulation
As the free flow of non-personal data is a pre-condition for a competitive data economy within the Digital Single Market, FFD Regulation allows data to be stored and processed anywhere in the European Union without unjustified restrictions.
Generally, the guidance analyzes the scope of GDPR and FFD Regulation and sheds light on the interaction between these regulations. It sets out the concepts of personal and non-personal data and explains which rules apply to data sets composed of both personal and non-personal data (Article 2(2) of FFD Regulation).
The guidance explains the concepts of data portability and data localisation to reinforce the free flow of data other than personal data, and offers businesses an overview of the switching of data processing service providers. It also describes the role of self-regulatory work, such as codes of conduct and certification mechanisms, to demonstrate compliance with data protection rules.
With regard to beneficiaries of FFD Regulation, the guidance is of particular relevance for private businesses, notably small and medium-sized enterprises, organisations and other entities which process data in the course of their professional activities. This covers producing, collecting, storing, transmitting or other processing operations with data, both personal and non-personal. Companies which process only non-personal data might also find the guidance useful, as the document refers to situations when the data might be subject to localisation requirements or, under certain conditions, to data protection rules which are prohibited by FFD Regulation with the exception of public security.
Furthermore, the guidance also provides useful information for public authorities, which regularly process data and are directly involved in the creation of legislative and administrative rules concerning the processing of data.
The guidance explains the concepts of personal data, non-personal data and mixed datasets. A dataset is very likely to be composed of both personal and non-personal data, i.e. to be a mixed dataset. Examples of mixed datasets include a company's tax records mentioning the name and telephone number of the managing director of the company. They can also include a company's knowledge of IT problems and solutions based on individual incident reports, or a research institution's anonymized statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions. The guidance explains which rules apply to such mixed datasets in order to ensure a better understanding of FFD Regulation.
The guidance points out that there are no contradictory obligations under GDPR and FFD Regulation. While GDPR ensures a high level of data protection and provides for the free flow of personal data, FFD Regulation provides for the free flow of non-personal data. Both regulations enable the free movement of all data within the EU.
The guidance also provides reassurance that the rights of citizens to the protection of their personal data are always respected, including when their data are mixed with other types of data, or that their data are properly anonymized.
For further information, the European Commission's guidance can be found at the link below: