The new E.U. General Data Protection Regulation (G.D.P.R.) defines the «Right of Data Portability» in Article 20 as follows: «The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided…».
According to the above definition this right, which is closely related to «the Right of Access» (Article 15 of the G.D.P.R.), subject to certain conditions, supports user choice, user control and user empowerment.
Furthermore, there are also other types of «portability» in many areas of legislation (e.g. in the contexts of contract termination, communication services roaming and trans – border access to services) that, consequently, lead to a «personal data portability». As a result, in these cases the Article 20 of the G.D.P.R. also applies.
The basic elements of Data Portability
- «A right to receive personal data»
Data portability is the right of the data subject not only to receive a subset of the personal data in a structured, commonly used and machine-readable format processed by a data controller concerning him or her, but also to store those data for further personal use. Such storage can be on a private device or on a private cloud, without necessarily transmitting the data to another data controller (e.g. banks’ ability to provide additional services, using personal data, under the user’s control, and initially collected as part of an energy supply service).
- «A right to transmit personal data from one data controller to another data controller»
Data can be transmitted directly from one data controller to another on request of the data subject and where it is technically feasible. Additionally, personal data can be transmitted to another service provider within the same business sector or in a different one.
- «Controllership»
Data portability guarantees the right to receive personal data and to process them, according to the data subject’s wishes. However, data controllers are not responsible for the processing handled by the data subject or by another company receiving personal data and they have no specific obligation to check and verify the quality of the data before transmitting it. Of course, these data should already be accurate, and up to date (Article 5 of the G.D.P.R.) but not retained for longer than is necessary.
The data controller should implement specific procedures in cooperation with its data processors to answer data portability requests. In addition, a receiving data controller is responsible for ensuring that the portable data provided are relevant and not excessive with regard to the new data processing. In any case, receiving data controllers are not obliged to accept and process personal data transmitted following a data portability request.
Data portability and the other rights of data subjects
When an individual exercises his/her right to data portability he/she does so without prejudice to any other right. As a result, a data subject can continue to use and benefit from the data controller’s service even after a data portability operation.
Applicability of Data Portability
The regulation only applies if the data processing is carried out by automated means, and therefore does not cover most paper files. In addition, in order to fall under the scope of data portability, processing operations must be based either on the data subject’s consent {pursuant to Article 6(1) (a), or pursuant to Article 9(2) (a) when it comes to special categories of personal data} or on a contract to which the data subject is a party pursuant to Article 6(1) (b).
Personal data that are included
Data must be personal concerning the subject and be provided to a data controller by the subject itself. Thus there are two conditions that shall not adversely affect the rights and freedoms of others {Article 20(4) of the G.D.P.R.}:
First condition: personal data concerning the data subject and
Second condition: data provided by the data subject itself
Security of the portable data
On the one hand, data controllers should guarantee the «appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures» {Article 5(1) (f) of the G.D.P.R. – principle of integrity and confidentiality}. As a result, data controllers shall ensure that personal data are securely delivered to the right person by taking all the security measures needed to make certain that personal data are securely transmitted (by the use of end-to-end or data encryption) to the right destination (by the use of strong authentication measures) and by continuing to protect the personal data that remain in their systems with procedures that are able to deal with data breaches.
On the other hand, the subjects that are requesting the data are responsible for identifying the right measures in order to secure personal data in their own system.
In any case, it is worth to be noted that the «Right of Data Portability» represents an opportunity to re-balance the relationship between the data subjects and the data controllers.
Edited by Dimitra Panagidi