Apr 12, 2017
As discussed in the previous blog post, "Part 1: What does the right cover and when does it apply?", the introduction of the data portability right gives individuals greater access to and control over information they have provided to a data controller. When the conditions laid down in the GDPR are met, data subjects have the right to receive their personal data in a structured, commonly used and machine-readable form, and to transfer such data to another data controller without hindrance.
In terms of compliance with the right, the GDPR does not impose specific recommendations on the format in which the personal data should be provided. This is because the potential data types that could be processed by a data controller are wide-ranging, and the most appropriate format of presenting the personal data will differ across sectors. However, the GDPR does prohibit controllers from establishing barriers to the transmission.
While adequate formats may already exist, the format chosen should be the one that best achieves the purpose of being interpretable and easy to understand. In particular, the format in which the data is transmitted should allow the data to be re-used, with little effort, by the data subject or another data controller.
If the data subject so requests, the data controller may be required to transmit the data directly to another organisation, provided this is technically feasible. However, the data controller is not required to adopt or maintain processing systems that are technically compatible with other organisations. With that in mind, according to the EU’s WP29, industry stakeholders and trade associations are encouraged to cooperate and work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.
If the personal data concerns more than one individual, the data controller must consider whether providing the information would prejudice the rights of any other individual.
In terms of the transmission costs, the information must be provided free of charge to the data subject, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, in particular because of their repetitive character. There should be very few cases where the data controller would be able to justify a refusal to deliver the requested information, even regarding multiple data portability requests.
The data controller must respond to data portability requests without undue delay, and within one month. This can be extended by two months where the request is complex or the data controller receives a number of requests. The data controller must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Where the data controller is not taking action in response to a request, they must, without undue delay and at the latest within one month, explain why to the individual and inform them of their right to complain to the supervisory authority and to a judicial remedy.
Finally, it is important to understand that data portability does not trigger the deletion of the data from the systems of the data controller, nor does it affect the original retention periods that apply to the transmitted data.
What does this mean in practice?
To be ready for the right of data portability, data controllers should (among other considerations):
Saija Saarinen, Privacy Specialist