Practical guidance on how to process mixed datasets
The European Commission has published guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR.
One year after the GDPR started to apply, most controllers are (or at least should be) well aware of the security and privacy requirements that govern datasets containing personal data. However, what happens when those datasets include not only personal data but also non-personal information?
There is a new Regulation (Regulation 2018/1807 on a framework for the free flow of non-personal data in the European Union), applicable as of 28 May 2019, that sets out the conditions for the processing and transfer of non-personal data in the European Union and aims at removing obstacles to the free movement of non-personal data across Member States and IT systems in Europe. Accordingly, when it comes to mixed datasets, one should consider not only the GDPR, but also this new Regulation.
The European Commission has published guidance in order to clarify the interaction between the Free Flow of Non-Personal Data Regulation and the GDPR.
For the purposes of the Free Flow of Non-Personal Data Regulation, non-personal data means:
- data which originally did not relate to an identified or identifiable natural person, such as data on weather conditions generated by sensors.
- data which were initially personal data but were later made anonymous.
It is defined simply as the opposite of the GDPR's concept of personal data.
The Free Flow of Non-Personal Data Regulation has three notable features:
- It prohibits, as a rule, Member States from imposing requirements on where data should be localised.
- It establishes a cooperation mechanism to make sure that competent authorities continue to be able to exercise any rights they have to access data that are being processed in another Member State.
- It provides incentives for industry, with the support of the Commission, to develop self-regulatory codes of conduct on the switching of service providers and the porting of data.
Datasets containing the names and contact details of legal persons are in principle non-personal data, except in some cases, such as when the name of the legal person is the same as that of a natural person who owns it or when the information relates to an identified or identifiable natural person.
In the case of a dataset composed of both personal and non-personal data:
- The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the dataset;
- The GDPR free flow provision applies to the personal data part of the dataset; and
- If the non-personal data part and the personal data part are ‘inextricably linked’, the data protection rights and obligations stemming from the GDPR fully apply to the whole mixed dataset, even when personal data represent only a small part of the dataset.
What does ‘inextricably linked’ mean?
The concept of ‘inextricably linked’ is not defined by either of the two Regulations. For practical purposes, it can refer to a situation in which a dataset contains personal data as well as non-personal data and separating the two would either be impossible or be considered by the controller to be economically inefficient or not technically feasible. For example, when buying CRM and sales reporting systems, a company would have to duplicate its software costs by purchasing separate software for CRM (personal data) and for sales reporting systems (aggregated/non-personal data) based on the CRM data. Separating the dataset is also likely to decrease the value of the dataset significantly. In addition, the changing nature of data makes it more difficult to clearly differentiate, and thus separate, the different categories of data.
What is the conclusion then?
Whenever personal data is involved, the GDPR applies. However, the Free Flow of Non-Personal Data Regulation gives controllers a chance to manage personal and non-personal data differently where they are suitably separated.
This new Regulation, combined with the GDPR, provides the EU with the most stable legal framework for the free movement of all data within the European Union.
Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.
Latest posts by Cristina Contero Almagro
- Practical guidance on how to process mixed datasets - June 5, 2019