Apr 6, 2017
This is the first blog post of a two-part series focusing on the newly-introduced right to data portability under the GDPR. Part 1 explains what this new right covers and when it applies, and Part 2 suggests how to comply with the right and what to consider in practise.
The newly-introduced right to data portability complements the data subject’s right of access allowing individuals to obtain and reuse their personal data for their own purposes across different services. It is an extension to (albeit slightly more limited than) the already existing right of access, and it can have considerable consequences on businesses.
Data portability will have an impact on all data controllers as it enhances competition between services by making it easier for individuals to switch between different providers, whilst also granting them access to more information than they previously had. Particularly, the right will have the greatest impact on data driven organisations (e.g. banks, cloud storage providers, insurance companies) for which the processing of personal data is the core business.
Right to data portability contains two related rights for data subjects:
Its ultimate aim is to support user choice, user control and consumer empowerment and to facilitate switching from one service provider to another. It allows individuals not only to obtain and reuse their personal data for their own purposes, but also to transmit the data they have provided to another service provider. Thus, individuals can move, copy and transmit their personal data with ease from one service provider to another in a safe and secure way, without hindrance to its usability.
When does the right to data portability apply?
It is crucial to understand that the right to data portability is not exhaustive and it only applies:
Thus, the right to the data portability only applies to personal data and, therefore, any anonymous information or information that does not concern the data subject would not fall in the scope. Pseudonymous data, however, when it can be clearly link to the data subject, is in the scope of the data portability.
Data portability is also limited to the personal data an individual has provided to the data controller and therefore covers only data provided knowingly and actively by the data subject, as well as the personal data generated by his or her activity, but not subsequent analysis of that activity.
Further, the right to data portability is limited to situations where the automated data processing is based on a consent or a contractual agreement. Therefore, the right to data portability does not apply to personal data processed based on legal obligations (e.g. information processed by a bank based on the requirements of anti-money laundering laws). It’s also important to bear in mind that in principle, it does not cover paper records and files, and only applies to data that is automated.
In short, the introduction of the data portability right gives individuals greater access to and control over information they have provided to a data controller. In turn, data controllers must be aware of their obligations in relation to this.
The second part of this blog series will consider how data controllers can comply with the data portability right and what to consider in practice.
Read the second part of this blog series from here.
Saija Saarinen, Privacy Specialist