Article 20 of the GDPR creates a new right to data portability. This allows for data subjects to receive the personal data that they have provided to a controller in a structured, commonly used and machine-readable format and to transmit such data to another data controller. The aim is to facilitate the ability of data subjects to move, copy or transmit personal data easily from one IT platform to another and to avoid ‘lock-in’, thus enhancing competition between services. The WP29 guidelines provide guidance on the interpretation and implementation of the right to data portability.
The main elements of data portability
A right to receive personal data – The data should be transferred in such a way that it is easy for data subjects to manage and reuse their personal data. For this reason, the data should be in a structured, commonly used and machine-readable format.
A right to transmit personal data from one data controller to another – This element of data portability provides the ability for data subjects not just to obtain and reuse data, but also to transmit such data to another service provider.
Data portability tools – Data controllers should offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller. Data controllers should start developing means that will contribute to answering data portability requests, such as download tools and Application Programming Interfaces (API). Industry stakeholders and trade associations are encouraged to develop a common set of interoperable standards and formats to meet the requirements of the right to data portability.
Controllership – Data controllers answering data portability requests are not responsible for the processing handled by the data subject or the new data controller. A receiving data controller is, however, responsible for ensuring that the data provided is relevant and not excessive with regard to the new data processing (e.g. in the case of a request applying to a webmail service where the data subject decides to send it to a storage platform, the new controller does not need to process the contact details of the data subject’s correspondents).
Data portability vs. other rights of the data subjects – The right to data portability does not affect any other rights of the data subject. In the event that a data subject exercises his/her right to erasure, data portability cannot be used by a data controller as a way of delaying or refusing such erasure.
Scope of application
The GDPR does not establish a general right to data portability for cases where the processing of personal data is not based on either consent or contract.
Furthermore, for the right to data portability to apply, three conditions must be met:
- The right to data portability only applies to personal data concerning the data subject. This excludes anonymous data as well as data that does not concern the data subject. Data concerning the data subject may nevertheless include details of third parties (e.g. telephone records may include details of callers and call recipients).
- The right to data portability only applies to data provided by the data subject. The data controller must however also include so-called ‘observed data’, i.e. personal data generated by and collected from the activities of the data subject (e.g. a person’s search history, traffic data and location data). In contrast, ‘inferred data’ and ‘derived data’ (e.g. a credit score or the outcome of an assessment) do not fall within the scope of data portability.
- The right to data portability may not adversely affect the rights and freedoms of third parties. For example, if the data transferred contains personal data relating to another data subject, the new data controller should process this data only if there is an appropriate legal ground for doing so.
Provision of data
Format – Data must be provided in a format which supports reuse and which is structured, commonly used and machine readable. These are minimum requirements, interoperability being the desired outcome. The appropriate format will however differ across sectors.
Large or complex personal data collection – Individuals should be in a position to fully understand the definition, scheme and structure of the personal data. The data controller should then provide data in a summarised form allowing the data subject to port subsets of the personal data. Data controllers can also answer requests by offering an appropriately secured and documented Application Programming Interface (API), thus offering a more sophisticated access system (e.g., enabling individuals to chose between full downloads and incremental data downloads or to select subsets of data).
Security – The data controller is responsible for taking all security measures needed to ensure that personal data is securely transmitted (e.g. by use of encryption) to the right destination (e.g. by use of additional authentication information). The data subject should be made aware of the risks linked to the storage of the data he/she received in order for him to take steps to protect the information received. As a best practice, data controllers should recommend appropriate format(s) and encryption measures to help the data subject to achieve this goal.
General rules governing the exercise of data subject rights
Transparency – Data controllers must inform the data subjects regarding the availability of the new right to data portability. The WP29 recommends doing so before any account closure. The WP29 also recommends that data controllers clearly explain the difference between the types of data that a data subject can receive using the data portability right or the access right.
Authentication – Data controllers can implement appropriate procedures enabling an individual to make a data portability request. In many cases, such authentication procedures are already in place. (e.g., username and password).
Response time – Pursuant to the GDPR, the data controller must provide the personal data to the data subject without undue delay and in any case within one month of receipt of the request or within a maximum of three months for complex cases.
Refusal – A request for data portability may be rejected – or a fee may be charged – when the request is manifestly unfounded or excessive, in particular because of its repetitive character.