European Commission Provides Guidance on Mixed Data Sets Containing Personal and Non-Personal Data

By Odia Kagan on May 30, 2019

The Regulation on the free flow of non-personal data went into effect on May 28, 2019.

In a new guidance, the European Commission clarifies how to deal with mixed data sets containing both personal data and non-personal data.

Key takeaways:

Non-personal data is (1) data which originally did not relate to an identified or identifiable natural person, OR (2) data which were initially personal data, but were later made anonymous.
If non-personal data can be related to an individual in any way, the data must be considered as personal data. e.g: if a quality control report on a production line makes it possible to relate the data to specific factory workers (e.g. those who set the production parameters), then the data would qualify as personal data.
A mixed dataset consists of both personal and non-personal data. e.g: a research institution’s anonymized statistical data and the raw data initially collected.
GDPR applies to the personal data part of the mixed data set. If the non-personal data part and the personal data parts are ‘inextricably linked’, GDPR protection will fully apply to the whole mixed dataset.
Read the full text of the guidance.

Privacy Compliance & Data Security