This article is related to the General Data Protection Regulation. For more information, see Introduction to the General Data Protection Regulation.
Article 20 of the General Data Protection Regulation introduces a new right of data portability.
This right allows a person to receive their personal data from a data controller in a structured, commonly used and machine-readable format. The person can then decide to store the data for own use, or move it to another service.
In practice this means that if your service collects personal data in any type of automated fashion, you need to allow a user of your service to export all of their personal information.
This right represents an opportunity to ”re-balance” the relationship with individuals and service providers, through the affirmation of an individual’s rights to control their personal data. In addition to preventing ”lock-in”, the right to data portability is expected to foster innovation and sharing of personal data in a safe, secure and controlled manner.
Users of a service are expected to be informed about the existence of the right to data portability “in a concise, transparent, intelligible, and easily assessable form, using clear and plain language”.
A data controller is required to provide personal data upon request, ”without undue delay” and in any case ”within one month of receipt of the request”. For complex cases you may have up to three months to comply with a request, provided the person is informed about the reasons for the delay within a month of the original request.
Refusals to answer a portability request should clearly indicate “the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy”, within a month of the request.
A data controller is prohibited from charging a fee for provision of personal data, unless they can demonstrate the requests are unfounded or excessive due to their repetitive character. There should be very few cases, though, where you’d be able to justify a refusal to deliver information – even for multiple requests. It is assumed that as a technical service provider you can implement systems for generating a data export automatically, and therefore answering multiple requests should not be considered to impose an excessive burden.
The overall cost of the process created to export personal data can not be taken into account and justify a refusal or determine excessiveness of a portability request.
Data controllers must have an authentication procedure in place in order to ascertain the identity of the person requesting data.
First, the right to data portability applies under three cumulative conditions:
Personal data can be considered as provided by the data subject either when they are knowingly and actively provided – such as account data submitted via online forms – or when the data is generated by, and collected from, a user’s activities. This right cannot be limited to the personal information that is directly communicated by a user.
By contrast, personal data that are inferred from the provided ”raw” data, such as a report or a credit score, are excluded from the scope of data portability rights. This is because the data is not considered to be provided by the data subject, but created by the data controller.
Data that is considered to be anonymous is not included in the scope of portability requests.
Ideally, data controllers should offer both a direct download of the data and expose it via an API, so it can be directly transmitted to another data controller.
GDPR states that personal data should be transmitted in a structured, commonly used and machine-readable format. The exact format is not specified and therefore open for interpretation – as long as all three requirements are fulfilled.
In addition, as much metadata as possible should be provided and ”at the best level of precision and granularity” – in order to preserve the exact meaning of the exchanged information.
The desired outcome is interoperability between data controllers, but controllers are not actually required to maintain compatible systems.
Data portability does not automatically trigger erasure of the data from a system. The user has the right to continue to use and benefit from a service, while still getting a full export of their personal data.
The rights to data portability can be exercised as long as the data controller is still processing the data. If a user requests to be erased (which is also within their rights), data portability cannot be used as an argument for delaying or refusing such erasure.
As a data controller receiving data from another data controller, you must take care not to infringe on a third party’s rights and freedoms.
It means that even if a data package contains information about third parties due to their relationship with the data subject, you may not store and process that information unless there is an appropriate legal ground to do so.
It is, for example, considered acceptable to process information about third parties that is provided directly by the data subject – such as a contact list in an email application, or a bank transfer history concerning the subject and a third party.
For more information about the General Data Protection Regulation, click here.
Do you need help auditing your software for compliance with GDPR? I can help!
If you have any comments or questions, please send me an email.
Hi, I'm Christoffer Lejdborg! I believe software has tremendous potential to transform your business in amazing ways, but people are too focused on the technology instead of the business case.
I've worked with companies such as BDO, Grant Thornton, Nobina Technology, Run My Security and Whenever.
+46 70-218 17 24