The right to data portability
The GDPR introduces the notion of data portability and contains rules on when data subjects are entitled to exercise such a right.
The Article 29 Data Protection Working Party (WP29) issued guidelines on the right to data portability on 13 December 2016 (WP242) (revised on 5 April 2017), which interpreted the respective provisions of the GDPR (Article 20 and Recital 68).
1. Is data portability an absolute right?
No. Data subjects are only entitled to exercise the right to data portability if certain conditions apply. For details, please see question 3 below.
2. Is a controller required to inform the data subjects of their right to data portability?
Yes. Also, the Working Party recommends that controllers always provide information to data subjects about the right to data portability before they close their accounts.
3. When does the right to data portability apply?
The right applies if
(i) the processing is based on the data subject’s consent or on a contract concluded with him/her
(ii) the processing is carried out by automated means.
For example, data portability does not apply to the contact details processed in a B2B relationship since the legal basis for processing such contact details is not the consent of the data subject, nor is it a contract concluded with him/her. It is worth noting, however, that the fact that data portability does not apply does not mean that the data subject may not exercise his/her other rights, for example, the right of access.
Under the guidelines, “the right to data portability only applies if the data processing is “carried out by automated means”, and therefore does not cover most paper files.”
4. Does data portability apply in an employment context?
In an employment context, the right to data portability may only apply if the processing is based on a contract with the data subject because, in an employment context, consent will not be considered freely given due to the dependency of the relationship between an employer and an employee. Also, many HR processings are based on either a legal obligation of the controller or on the legitimate interest of the employer, in which case data portability does not apply.
5. What does data portability mean? What are the elements of such a right?
The right to data portability is comprised of the following rights:
(i) the right to receive personal data in a “structured, commonly used and machine-readable format” (for example, data subjects have the right to receive their contact list from a webmail application or the history of music listened to from a music streaming service provider) and
(ii) the right to transmit personal data from one controller to another without hindrance (this right is to facilitate the transmission of personal data among different service providers at the data subject’s request).
6. What personal data are included in the right to data portability?
The right applies to personal data concerning the data subject, which he or she has provided to the controller.
Thus, any data that is anonymous or does not relate to the data subject is not covered by this right. Pseudonymous data is, however, within the reach of this right since, on the basis of such data, the individual can be identified.
It is worth noting that the personal data provided by the data subject does not only include the data actually provided by the data subject (for example, through an online form) but also the data that he/she has “provided” through his/her activity being observed (e.g. transaction history, activity logs, history of website usage, browsing activities, location data, heartbeat tracked by a device). The Working Party adds that any data generated by the controller is, however, not covered by the right to data portability (e.g. a user profile created by the controller).
As the WP29 puts it, “the term “provided by” includes personal data that relate to the data subject activity or result from the observation of an individual’s behaviour, but does not include data resulting from subsequent analysis of that behaviour.”
7. Is a controller allowed to retain the personal data beyond the applicable retention period just to be able to serve any data portability requests?
No. The controller is not required to and may not retain the data beyond the applicable retention period with a view to being able to serve any potential data portability requests. In other words, data portability is no argument for retaining data beyond the respective retention periods.
8. Should a data processing agreement contain any provision concerning the right to data portability?
Yes. When it comes to concluding a data processing agreement, it is recommended to include a provision pursuant to which the processor is required to also assist the controller with any data portability request.
9. May the receiving controller (i.e. the entity to which the data are transmitted) keep all the data received?
The recipient of the data may only keep those data that are relevant for the purposes of providing its services. Personal data which are not necessary for achieving the purposes of data processing have to be deleted as soon as possible.
10. Is the controller which transmits data to another controller required to delete all data after the transmission?
The right to data portability does not automatically mean that the controller that transmits the personal data to another controller is required to erase all data. The right to data portability or the exercise of such a right does not have an effect on the retention periods otherwise applicable. Of course, if the data subject exercising his/her right to data portability also wishes to exercise his/her right of erasure, the controller must handle such a request in accordance with Article 17 (right of erasure, “right to be forgotten”).
11. Is the controller required to identify the data subject before fulfillment of the portability request?
Yes. The controller must duly authenticate the person requesting portability. As per the guidelines, for example, when processing is linked to a user account, providing the login and password “might be sufficient”.
12. What if the desired data to be ported is huge in size?
The GDPR does not specifically address such an issue and the rules on data portability still apply. The controller needs to find the most appropriate way to handle the request, thus, controllers are advised to also prepare for such a scenario. The Working Party recommends the use of Application Programming Interfaces (APIs) as much as possible or to save the data to, for example, a CD or DVD.
13. Is there a time limit to answer a portability request?
Yes. The request has to be fulfilled without undue delay and within one month of the receipt of the request. If the case is too complex, this can be extended to a maximum of three months. In the case of an extension, the data subject must be informed of the reason for the delay within one month of the receipt of the original request.1
14. Is the controller required to fulfill the portability request free of charge?
As a general rule, yes. However, if the controller can prove that the request is manifestly unfounded or excessive, the controller may charge a fee for fulfilling the request.
15. How must the data be provided?
The controller is required to provide the data without any hindrance. This means that controllers have to refrain from, for example, slowing down the process, or ask for a fee without due justification. Of course, there may be some legitimate obstacles. For example, the security of the controller’s system or the rights and freedoms of others may serve as such obstacles.
The data controller is required to transmit the data in a “structured, commonly-used and machine-readable format”. The format has to be interoperable, meaning that it has to be in a format which the recipient is able to read.
The Working Party encourages industry stakeholders and trade associations to prepare a common set of interoperable formats.
The guidelines also contain that controllers are urged to first provide data subjects with information as to the set of data they wish to port. This is necessary to make sure that only such data will be transmitted which the data subject indeed wishes to port.
Zoltán Balázs Kovács, J.D. (LL.M.), Partner, Szecskay Attoneys at Law, Budapest, Hungary (firstname.lastname@example.org)
The contents of this post are intended to provide only a general overview of the subject matter and do not qualify as legal advice.