Data has become the core of new digital technologies and most business processes. A huge amount of data is created, stored and processed every day. It is not always easy to know which rules that apply when processing personal and non-personal data in a ‘mixed dataset’. This occurs very often when businesses store and process various types of data in databases and IT systems. This guidance illustrates with practical examples the rules to follow in these situations, to ensure your business complies with European law.

GDPR or EUdataFF? Background networks and woman's profile

The Regulation on the free flow of non-personal data, which applies from 28 May 2019, creates legal certainty for businesses to process their data wherever they want in the EU. It raises trust in data processing services and counters ‘vendor lock-in’ practices, that prevent users to port their data to other service providers or IT-systems. Together with the General Data Protection Regulation (GDPR), the EU has set a stable legal environment for the free movement of all data within the European Union.

The focus of the present guidance is the interaction between the free flow of non-personal data regulation and the GDPR. It particularly addresses:

  • The concepts of personal and non-personal data, and their combination in so-called ‘mixed datasets’
  • The principles of free movement of data and the prohibition of data localisation requirements
  • Data portability.

The guidance also covers self-regulatory requirements set out in the two Regulations.

Details of any data localisation requirement that currently applies in any of the EU Member States can be found on their national websites (online single information points), links to which are available on the Your Europe portal.