What is the right to data portability? Is it about a data subject taking their IDs and laptops containing their personal data with them on the road? The answer is: Not really. Data portability is about more than just that. It’s about moving or copying personal data from one place to another, whether it be from one data controller to another (or one IT system to another). So who does it apply to – just data subjects, or both data subjects and data controllers? The answer is: It applies to both, but is for the benefit of data subjects. The right gives data subjects a chance to participate, to have access and control over what happens to personal data concerning them.
Irrespective of whether you are a data subject or a data controller, this new right raises some serious questions. One of those is: What does data portability mean for you exactly? In fact, what does it even mean for data subjects other than the ones exercising their right to data portability?
If you are a data controller, the right means that you are going to have to provide data subjects with their data (or possibly port it to one of your competitors) if the data subjects ask you to.
If you are a data subject, you will want to know more about your right and we can help you answer an important question: How do I port my data?
When do you have to comply with Data Portability?
This depends on when the data subject asks you to port their personal data. Data subjects have a choice whether or not to request the porting of their personal data from you to another controller. But they cannot exercise that right in respect of all the personal data that you hold for them. They only have a right to data portability for personal data that:
- you processed with their consent;
- you processed in terms of a contract that the data subject was a party to; and
- you processed by automated means.
The personal data must also be data that the data subjects, for example, provided you via an online form that they filled in, or in some other way by which they actively provided you with the data. This can also include personal data that you got from their online search history.
Find out more on this subject from the Article 29 Working Party on Data Protection.
What obligations does Data Portability impose on you?
If you are the data controller sending the data to another controller you must ensure that you:
- clearly inform data subjects of their right to data portability, especially if you are planning to cancel a contract or close an account they have with you;
- you are not responsible for the data once you’ve given it over, because the data subject or the new controller is;
- provide it in a structured, commonly-used and machine-readable format that encourages interoperability;
- only send the data of the data subject who requested that you port their data, and not the data of other data subjects; and
- send the data to the data subject without any unnecessary delay and, in any case, within one month of receiving the request. If complying with the request is complicated, you are allowed an additional two months within which to provide the data, but you must’ve informed the data subject about the reasons for the delay within one month after they’d initially made the request for data porting.
If you are receiving data from another controller you must ensure that:
- you clearly inform a data subject of the exact data you need in order to carry out the purpose for processing their data;
- the data you’ve received is not in excess of the data you need in order to carry out the purpose for processing their data;
- you are not responsible for the data once you’ve given it over, because the data subject or the new controller is.
- you have a tool that will allow the data subject to choose which data they want to port or allow you to choose which data is necessary to carry out the purpose for processing their data.
Actions you can take
- Empower yourself with practical knowledge by attending a webinar or GDPR workshop.
- Understand how a data subject’s exercising of the right to data portability affects you by asking us to answer your questions.
- Understand your responsibilities, those of the data subject that wants to port, and those of the new controller, by obtaining a guide from us setting it all out.