Scanrail - Fotolia

Which rules apply to protection of non-personal data?

The European Commission provides practical examples of applying the regulations on the free flow of non-personal data.

SJS/AD – 06/2019

The Regulations On The Free Flow Of Non-Personal Data have been in force in the European Union since 28 May. They are part of the strategy for a Digital Single Market and allow data to be stored and processed anywhere in the EU without any undue restrictions.


‘By 2025 the data economy of the EU27 is likely to provide 5.4% of its GDP, equivalent to €544 billion. However, that huge potential is limited if data cannot move freely. By removing forced data localisation restrictions, we give more people and businesses the chance to make the most out of data and its opportunities,’ said Andrus Ansip, Vice-President for the Digital Single Market.

Differentiation from personal data

In Regulation (EU) 2018/1807, the term ‘data’ means ‘data other than personal data as defined in point (1) of Article 4 of Regulation (EU) 2016/679’. These data, here also referred to as ‘non-personal data’, are distinguished from personal data within the meaning of the General Data Protection Regulation.


Data that were originally personal data but were later rendered anonymous are also non-personal data. The ‘anonymisation’ of personal data differs from pseudonymisation because properly anonymised data cannot be attributed to a specific individual, even through the use of additional data, and are therefore non-personal data.

Impact on German Social Security

In the German social security system, there is also a large amount of operational and statistical non-personal data, especially anonymised data. If the self-governing committees, institutions or federal associations of the German social insurance system award contracts for the storage or processing of this data, it is currently possible to impose data localisation restrictions. This reflects the high demands that the legislator places on the German social security system for the collection, processing or use of social security data.

Practical examples provide help

In order to facilitate the practical application of these new provisions in the context of the EU data regulations, the Commission issued a guidance document (COM/2019/250) on 29 May 2019. The aim of these guidelines is to provide assistance with applying data protection rules, especially for small and medium-sized enterprises. In addition to practical examples, the guidance also deals with self-regulation.