Data portability refers to the ability to move data from one platform or service provider to another. The GDPR, in Article 20, gives all data subjects the right to data portability. This right is echoed in POPIA and PAIA in South Africa.
Lets unpack this right
What is the purpose of this right?
- This right aims to empower data subjects to participate in how their personal information is handled. It gives them access to and control over what happens to their personal data.
- This right helps facilitate the free flow of data. This is important for a host of reasons.
Who is impacted?
- You, as an individual, are a data subject, and with this right, you can request that your data controller or responsible party help you access and move the personal information that you have given them.
- The data controller or responsible party, as the service provider or platform that has collected and stored the personal information you provided to them.
- The new data controller or responsible party that you are moving your personal information to, if you are switching platforms or service providers.
- The original data controller is no longer responsible for the data once the data has been given over to the new controller.
- The new controller is now responsible for the data that it has received.
What is expected of data controllers?
- Data controllers ought to inform their data subjects of their right to port their data.
- If a data subject requests that their data be ported, data controllers ought to provide the personal information of that specific data subject only.
- The data controller should without any unnecessary delay, send the personal information to the data subject. This should be done within one month of the data controller receiving the request to port data. If complying with the request is complicated, the data controller is allowed an additional two months within which to provide the data, but they must inform the data subject and provide a reason for the delay within the initial one month period after receiving the request.
- Data controllers should provide this data in a ‘structured, commonly used, machine-readable and interoperable format.’
- If it is technically feasible, data controllers can be requested to port data directly to another data controller.
What are the limits to this right?
There are three main limitations to the right to data portability.
- The porting of data should not infringe on the rights and entitlements of other data subjects. This means that if it is not technically possible to split a data subject’s personal information from the personal information of other data subjects, data controllers may decline the request to port the data.
- Data portability is limited to personal data, data that is processed automatically and data provided by data subjects for the performance of a contract or delivery of a service. This means that data subjects cannot exercise their right in respect of all the personal data that you hold for them. The personal data must also be data that the data subjects, for example, provided to data controllers via an online form that they filled in, or in some other way by which they actively provided the data controller with the data. This can also include personal data that was received from their online search history.
- Data controllers are not obligated to develop or use interoperable formats or to maintain technically compatible systems. This means that a data controller may port the data but they do not have to make sure that other systems can read said data. They should make the data interoperable but don’t have to do so.
If you are receiving data from another controller you must ensure that:
- you clearly inform the data subject of the exact data that you need in order to carry out the purpose for processing their data;
- the data you’ve received is not in excess of the data you need in order to carry out the purpose for processing their data; and
- you have a tool that will allow the data subject to choose which data they want to port or allow you to choose which data is necessary to carry out the purpose for processing their data.
Actions you can take
- Empower yourself with the knowledge you need to enable data subjects to port their data by joining the Michalsons data protection programme.
- Find out more on this subject from the Board’s Guidelines on the right to data portability.
- Understand how a data subject’s exercising of the right to data portability affects you by asking us to answer your questions.