Right to Data Portability Under the GDPR – Part 2: How to comply with the right and what to consider in practice?

Apr 12, 2017

As discussed in the previous blog post Part 1: What does the right cover and when does it apply?, the introduction of the data portability right gives individuals greater access to and control over information they have provided to a data controller. When the conditions laid down in GDPR are met, the data subjects have the right to receive their personal data in a structured, commonly used and machine readable form, and to transfer such data to another data controller without hindrance.

In terms of compliance with the right, the GDPR does not impose specific recommendations on the format in which the personal data should be provided. This is because the potential data types that could be processed by a data controller are wide-ranging, and the most appropriate format of presenting the personal data will differ across sectors. However, the GDPR does prohibit controllers from establishing barriers to the transmission.

While adequate formats may already exist, the format chosen should be that which most achieves the purpose of being interpretable and easy to understand. In particular, the format in which the data is transmitted should allow the data to be re-used, with little effort, by the data subject or another data controller.

If the data subject requests so, the data controller may be required to transmit the data directly to another organisation provided this is technically feasible. However, the data controller is not required to adopt or maintain processing systems that are technically compatible with other organisations. With that in mind, industry stakeholders and trade associations are encouraged to cooperate and work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability according to the EU’s WP29.

If the personal data concerns more than one individual, the data controllers must consider whether providing the information would prejudice the rights of any other individual.

In terms of the transmission costs, the information must be provided free of charge to the data subject, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, in particular because of their repetitive character. There should be very few cases where the data controller would be able to justify a refusal to deliver the requested information, even regarding multiple data portability requests.

The data controller must respond to the requests of data portability without undue delay, and within one month. This can be extended by two months where the request is complex or the data controller receives a number of requests. The data controller must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where the data controller is not taking action in response to a request, they must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

Finally, it is important to understand that the data portability does not trigger the deletion of the data from the systems of the data controller nor does it affect the original retention periods that apply to the transmitted data.

 

What does this mean in practice?

To be ready for the right of data portability, data controllers should (among other considerations):

  • Inform the data subjects about their rights in clear and plain language (e.g. explain the difference between the types of data that a data subject can receive using the portability right or the access right in their privacy policy);
  • Develop means and adopt procedures to deal with the possible data portability requests (e.g. download tools and Application Programming Interfaces) including authentication procedures;
  • Have processes in place that ensure the transmission of personal data in a structured, commonly used machine-readable format;
  • Have clear standard processes that enable the transfer of personal data in a safe and secure manner (e.g. data encryption) to the right destination;
  • Implement tools/processes to enable data subjects to select the relevant data they want to receive or transmit (e.g. by obtaining confirmation from the data subject either before transmission or in advance when the original consent for processing is given or the contract is finalised);
  • Adopt measures that allow the removal/exclusion of any third party data, confidential information or trade secrets from the transferred data;
  • Implement specific procedures in cooperation with their data processors to answer data portability requests; and
  • Have systems that will be able to monitor the amount and types of data portability requests so as to limit the risks of abuses by competitors.

 

Writer

Saija Saarinen, Privacy Specialist
saija.saarinen@privaon.com
www.privaon.com