What is the right to data portability? Is it about a data subject taking their IDs and laptops containing their personal data with them on the road? The answer is: Not really. Data portability is about more than just that. It’s about moving or copying personal data from one place to another, whether it be from one data controller to another or one IT system to another. So who does it apply to – just data subjects, or both data subjects and data controllers? The answer is: It applies to both, but is for the benefit of data subjects. The right gives data subjects a chance to participate, to have access and control over what happens to personal data concerning them.
Irrespective of whether you are a data subject or a data controller, this new right raises some serious questions. One of those is: What does data portability mean for you exactly? In fact, what does it even mean for data subjects other than the ones exercising their right to data portability?
If you are a data controller, the right means that you are going to have to provide data subjects with their data (or possibly port it to one of your competitors) if the data subjects ask you to.
If you are a data subject, you will want to know more about your right and we can help you answer an important question: How do I port my data?
When do you have to comply with Data Portability?
This depends on when the data subject asks you to port their personal data. Data subjects have a choice whether or not to request the porting of their personal data from you to another controller. But they cannot exercise that right in respect of all the personal data that you hold for them.
A data subject has the right to port their data where:
- the data subject has provided the data to the controller,
- processing was based on the data subject’s consent (like with special personal information) or for the performance of a contract, and
- the processing is by automated means.
The personal data must also be data that the data subjects, for example, provided you via an online form that they filled in, or in some other way by which they actively provided you with the data. This can also include personal data that you got from their online search history.
What obligations does Data Portability impose on controllers?
You must ensure that you:
- clearly inform data subjects of their right to data portability, especially if you are planning to cancel a contract or close an account they have with you;
- are not responsible for the data once you’ve given it over because the data subject or the new controller is then responsible;
- provide it in a structured, commonly-used and machine-readable format that encourages interoperability;
- only send the data of the data subject who requested that you port their data, and not the data of other data subjects; and
- send the data to the data subject without any unnecessary delay and, in any case, within one month of receiving the request. If complying with the request is complicated, you are allowed an additional two months within which to provide the data, but you must’ve informed the data subject about the reasons for the delay within one month after they’d initially made the request for data porting.
If you are receiving data from another controller you must ensure that:
- you clearly inform a data subject of the exact data you need in order to carry out the purpose for processing their data;
- the data you’ve received is not in excess of the data you need in order to carry out the purpose for processing their data; and
- you have a tool that will allow the data subject to choose which data they want to port or allow you to choose which data is necessary to carry out the purpose for processing their data.
Actions you can take
- Empower yourself with practical knowledge by attending a webinar or GDPR workshop.
- Understand how a data subject’s exercising of the right to data portability affects you by asking us to answer your questions.
- Understand your responsibilities, those of the data subject that wants to port, and those of the new controller, by joining the Michalsons Data Protection Programme.
- Find out more on this subject from the Article 29 Working Party Guidelines on the right to data portability.
- Read more about it on the ICO website.