Data portability
Article 20 of the GDPR creates a new right to data portability, which is closely related to the right of access but differs from it in many ways. It allows data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him or her more control over the personal data concerning him or her.
The GDPR defines the right to data portability in Article 20(1) as follows:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided
The right to receive personal data
Firstly, data portability is a right of the data subject to receive a subset of the personal data processed by a data controller concerning him or her, and to store those data for further personal use. Such storage can be on a private device or on a private cloud, without necessarily transmitting the data to another data controller.
The right to transmit personal data from one data controller to another data controller
Secondly, Article 20(1) provides data subjects with the right to transmit personal data from one data controller to another data controller “without hindrance”. Data can also be transmitted directly from one data controller to another at the request of the data subject, where this is technically feasible (Article 20(2)).
In order to fall under the scope of data portability, processing operations must be based:
- either on the data subject’s consent (pursuant to Article 6(1)(a), or pursuant to Article 9(2)(a) when it comes to special categories of personal data);
- or, on a contract to which the data subject is a party pursuant to Article 6(1)(b).
Time limit for answering a portability request
Article 12(3) requires that the data controller provide “information on action taken” to the data subject “without undue delay” and in any event “within one month of receipt of the request”. This one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.
Data controllers must respect the obligation to respond within the given time limits, even when the response is a refusal. In other words, the data controller cannot remain silent when it is asked to answer a data portability request.
Data controllers should inform data subjects about the existence of the right to data portability “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language”. In this regard, data controllers shall clearly explain the difference between the types of data that a data subject can receive using the portability right and using the access right, and shall provide specific information about the right to data portability before any account closure, to enable the data subject to retrieve and store his or her personal data.
In addition, data controllers receiving portable data at the data subject's request can, as a best practice, provide data subjects with complete information about the nature of personal data which are relevant for the performance of their services.
Given the wide range of potential data types that could be processed by a data controller, the GDPR does not impose specific recommendations on the format of the personal data to be provided. The most appropriate format will differ across sectors, and adequate formats may already exist, but the format should always be chosen so that the data are interpretable.
(Compiled and published 21.11.2017.)