The General Data Protection Regulation (2016/679 GDPR) introduces a new right of data portability (Art 20). This right provides for data subjects (individuals) to ‘receive the personal data that they have provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller without hindrance’. The primary aim of the data portability provision is to strengthen an individual’s control over their personal data and allow increased empowerment of them having an active role in the ‘data ecosystem’. In essence, the new right to data portability facilitates the ability to move, copy or transmit personal data easily from one IT environment to another and is seen as a re-balancing of the relationship between data subjects and data controllers. The legislators hope that this provision will serve to enhance competition between services (e.g. facilitating service switching)
The GDPR defines the right of data portability in Article 20 (1) as follows:
‘The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided’
- Data portability provides for a right of the data subject to receive a subset of personal data processed by a data controller, and to store those data for further personal use and therefore, complements the existing ‘right of access’.
- Data portability provides data subjects with the right to transmit personal data from one data controller to another data controller “without hindrance”
- Data portability provides for consumer empowerment by preventing “lock-in” by a controller service provider
The right to data portability, as set out, is ‘expected to foster opportunities for innovation and sharing of personal data between data controllers in a safe and secure manner, under the data subject’s control’.
The sending data controllers are not responsible for the processing handled by the data subject or by another company receiving personal data.
However, sending controllers are wise to establish procedures to ensure that the type of personal data transmitted are indeed those that the data subject wants to transmit. Of course, these data should already be accurate, and up to date, according to the principles stated in Art 5(1) of the GDPR. Worthy of mention here is that is no additional requirement to retain data beyond the otherwise applicable retention periods, simply to serve any potential future data portability request!
The receiving controllers are responsible for ensuring that the portable data provided are relevant and not excessive with regard to the new data processing. Further, the data accepted and retained should only be that which is necessary and relevant to the service being provided by the receiving data controller. A “receiving” organization becomes a new data controller regarding these personal data and must respect the principles stated in Article 5 of the GDPR such as lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, integrity and confidentiality, storage limitation and accountability.
Businesses and organisations currently looking towards data portability solutions can begin by answering the following questions:
- When does data portability apply?
- What personal data must be included?
- Responsibilities with respect to personal data concerning other data subjects?
- Responsibilities with respect to data covered by intellectual property and trade secrets?
- What prior information should be provided to the data subject?
- How can the data controller identify the data subject before answering his request?
- What is the time limit imposed to answer a portability request?
- In which cases can a data portability request be rejected or a fee charged?
- How must the portable data be provided (including format)?
Recital 68 clarifies that “The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.” Thus, portability aims to produce interoperable systems, not compatible systems
This article seeks to provide introductory information surrounding the topic of data portability. If you have questions or require more detailed advice or guidance please contact:
Carter Anhold Solicitors
Sligo Office, 1 Wine Street, Sligo Co Sligo F91 X58H or
Dublin Office, 212A, The Capel Building, Mary’s Abbey, Dublin 7 D07 FXF8
00353 71 916 2211