The Regulation on the free flow of non-personal data went into effect on May 28, 2019.

In a new guidance, the European Commission clarifies how to deal with mixed data sets containing both personal data and non-personal data.

Key takeaways:

  • Non-personal data is (1) data which originally did not relate to an identified or identifiable natural person, OR (2) data which were initially personal data, but were later made anonymous.
  • If non-personal data can be related to an individual in any way, the data must be considered as personal data. e.g: if a quality control report on a production line makes it possible to relate the data to specific factory workers (e.g. those who set the production parameters), then the data would qualify as personal data.
  • A mixed dataset consists of both personal and non-personal data. e.g: a research institution’s anonymized statistical data and the raw data initially collected.
  • GDPR applies to the personal data part of the mixed data set. If the non-personal data part and the personal data parts are ‘inextricably linked’, GDPR protection will fully apply to the whole mixed dataset.
  • Read the full text of the guidance.