The European Working Party 29 issued a series of guidelines on how certain aspects of GDPR should be interpreted. In the first newsflash, we bring you the highlights of the guidelines on data portability. Stay tuned for the next newsflashes to come.
The European Working Party 29 (“WP29”) issued guidelines on four different aspects of the GDPR: (1) the right to data portability, (2) how to identify a controller or processor’s lead supervisory authority, (3) data protection officers (DPO’s) and (4) data protection impact assessments. The full texts can be found here.
In this newsflash we take a closer look at data portability. In order to be able to answer to this new right for data subjects, organisations need to understand what data portability will mean for their business and develop an approach to tackle it. Let’s get you started!
Data portability: a double right for data subjects
The primary aim of data portability is to enhance the individuals’ control over their own personal data, facilitating their ability to move, copy or transmit personal data easily from one IT environment to another.
The right to data portability may also enhance competition between services (by facilitating service switching). However, the portability right is not limited to those transfers which are necessary or useful for switching services (e.g. individuals may ask their energy provider to transfer their personal data to their bank).
The data portability right allows individuals to:
- receive personal data themselves from a controller in a structured, commonly-used and machine readable format: enabling them (i) to store and re-use it for further personal use or (ii) to provide it to another data controller
- transmit such data directly from an existing data controller to a new controller without hindrance.
An organisation will need to facilitate these rights of the data subject and inform data subjects about their rights in clear and plain language (e.g. the existence of the right of data portability must be mentioned in your privacy policy).
When do you need to answer to requests on data portability?
As a data controller, you are only obliged to answer to requests on data portability when you are processing personal data based upon (i) the data subject’s consent or (ii) in order to perform a contract. When processing is based on other legal grounds (e.g. legitimate interest), there is no obligation to ensure data portability, but the WP29 considers it as good practice.
Furthermore, data portability only relates to personal data:
- processed by automated means: thus excluding personal data only kept in paper files
- relating to the data subject himself: thus excluding personal data relating to other individuals
- provided by the data subject: being only the data which is knowingly and actively provided by him (e.g. by filling in an online form) or generated by and collected from his activity (e.g. the collection of localisation data by an application, browser or device fingerprinting, raw data from a smart meter or wearable device, etc.), thus excluding inferred data or derived data created by the data controller (e.g. the outcome of a health assessment, a profile created, etc.).
Finally, personal data only needs to be transmitted from one data controller to another where this is technically feasible. In this respect, the GDPR encourages data controllers to develop interoperable formats that enable data portability. Establishing barriers to the transmission is prohibited. However, there is no legal obligation for controllers to adopt or maintain processing systems which are technically compatible.
In case a direct transmission is not technically feasible, special attention should be paid to the format in which the personal data are provided to the data subjects themselves. This to guarantee that the data can be easily re-used by the data subject or by the data controller the data subject provides the data to.
Aspects to consider when setting up your data portability response plan?
In order to anticipate to data subjects’ requests with respect to data portability, it will be important to reflect on certain aspects.
Firstly of course, reflect on the elements referred to above. Do we need to answer the data subject’s request, how will we respond, which personal data do we need to provide, can we facilitate data portability (e.g. sector agreements), which machine readable format can we use, what prior information shall we give to the individual, etc.
Other aspects to consider might be: how shall we identify the individual before answering his request (avoiding to send personal data to imposters), how will we securely transmit the personal data, shall we give the opportunity to the individuals to extract the data themselves, is it relevant to provide the individuals with all the information we have about them (is this really what they are asking?), how can our data processors help us with the process, etc.