Hi, In order to better understand what you'd like to get out of our website, we track the URLs you visit in a session. This information is only used to customize future communications with you. Do you consent to allow this tracking?
I Agree I Disagree. Disable Tracking
5 Ways Digital Marketers Use Call Tracking to Grow Their Business
Dionysia Kontotasiou
Convert's Head of Integration and Privacy, helping customers with technical queries.
Read More About Dionysia

Non-Personal Data: How to Handle It & the Opportunities for Businesses

August 6, 2019 –

You might not use personal data in your business but did you know that you need to follow specific rules even for non-personal data?

And what about mixed data that contains both personal and non-personal information? The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation), became applicable from 28 May 2019.

Together with the General Data Protection Regulation (GDPR), the two regulations now aim to provide for a stable legal and business environment on data processing.

The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory.

The aim of the new rules is to increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.

To clarify further, the European Commission has published practical guidance which aims to help users, in particular small and medium-sized enterprises, understand the interaction between the new Regulation and the GDPR, especially when datasets are composed of both personal and non-personal data.

Let’s analyse this Regulation and see what needs to be done in order to stay compliant!

Personal, Non-personal or Mixed Data? Here’s How to Process Each.

The Commission’s guidance addresses the concepts of personal and non-personal data covered by each of the regulations.

While personal data is defined in the GDPR, non-personal data is defined in the Free Flow of Non-Personal Data Regulation as “data other than personal data as defined in point 1 of Article 4” of the GDPR.

Non-personal data is categorised by origin as:

  1. Data that originally did not relate to an identified or identifiable natural person, or
  2. Data that were initially personal data, but were later made anonymous. Note that anonymisation of personal data is different to pseudonymisation, the latter being processing of data that can ultimately be attributed to a person with the use of additional information.

In most everyday situations, a data set is likely to be a mixed data set consisting of both personal and non-personal data. In case of a mixed data set, the guidance sets the approach as follows:

  1. The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the set;
  2. The GDPR applies to the personal data part of the set;
  3. If the non-personal data and the personal data are “inextricably linked”, the data protection rights and obligations arising under the GDPR will apply fully to the whole mixed dataset, even if the personal data represents a small part of the set.

The New EU Regulation About Free Flow of Non-Personal Data Says:

No Data Localisation Requirements

The data localization requirements shall no longer apply: under the Regulation, the location of non-personal data for storage or processing within the EU shall not be restricted to the territory of a member state. As such, the free movement of data should be established.

In practice, this means that a cloud service provider in the EU may decide for itself where it stores non-personal data.

Data Still Needs to Be Available for Regulatory Authorities

The Regulation does not affect the powers of the regulatory authorities to request, obtain or access data for the performance of their official duties in compliance with EU and national law.

Access to data may not be refused to the regulatory authorities on the basis that the data are processed in another Member State.

Self-Regulation of Non-Personal Data for Healthy Competition

With respect to the portability of data, the European Commission will encourage and facilitate the development of self-regulatory codes of conduct at EU level in order to build a more competitive data economy.

Get a Head Start on Compliance

This new Regulation will certainly generate fewer headlines than its more famous cousin, the GDPR, and its impact will be much less significant.

While the aim of the Regulation is to be welcomed, its interaction with the GDPR could create difficulties.

The Regulation provides that where a data set is composed of both personal and non-personal data, this Regulation will apply to the non-personal data but it also states that where the personal and non-personal data in a data set are inextricably linked, this Regulation “shall not prejudice the application” of the GDPR.

Businesses that have already implemented processes and procedures such as data mapping, data inventory and the maintenance of records of processing activities as part of GDPR readiness will have a head start in getting ready for the new law.

Convert is ready and prepared for this law. Are you?

Originally published August 06, 2019 - Updated August 14, 2020

15-Day, Full-Access Free Trial of Convert Experiences.

Watch Icon
Quick form submission.
Credit Card Icon
No credit card needed.
Headphones Icon
Support available.
Your email ID is used to send you the registration and login details for the app, (up to 7) suggestions to use the application, and 1:1 emails from buyer journey experts who help you choose the right plans.
You also give Convert consent to send you top CRO content in a monthly newsletter*
You can always change your preferences later.

We've Improved Conversions for
5000+ Leading Brands

Check Icon
You're Almost Done.
Managing Marketing Team
Managing Tech Team
Hypothesizing Experiments
Coding and QA of Experiments
Convert is committed to protecting your privacy and sees GDPR, CCPA and other Privacy Laws as an opportunity to strengthen our commitment even further. We don’t collect & process users’ personal information beyond what is required for the functioning of our services, and this will never change.

You're successfully signed up for the 15-day
Convert Experiences free trial.

You'll be re-directed to the app in a few seconds.
You will also receive a welcome message to your registered email with your login access.