Right to data portability
Home » IoT » Data subjects rights » Right to data portability

According to Article 20 GDPR, data subjects have a right to portability. This means a right to obtain their data from a data controller in a structured, commonly used, and machine-readable format, but also a right to move data between data controllers without hindrance, or where technically feasible. However, it only applies to data ‘concerning’ the data subject and data they ‘provided to’ the data controller. As a consequence, neither anonymized, inferred or otherwise “created” data are included in the right to portability (anonymized data is not covered since they do not concern the data subject anymore; and inferred data since they have not been provided by the data subject but are the result of a technical process developed by the controller). Thus, it seems data subject to not hold a right to have their full profiled information transferred to another provider. The rationale behind this is the protection of the know-how of the controller.

Data subjects “should be provided with tools enabling them to easily export their data in a structured and commonly-used format. Therefore, data interoperability is a key technical component to fully deploy this right and device manufacturers should provide a user-friendly interface for users who want to obtain data that they still store.”[1]

Checklist: data subjects’ rights

☐ The controllers have introduced the necessary procedures to ensure that the data subject rights are adequately satisfied, no matter if they are the end-users or third parties.

☐ The controllers have introduced the necessary procedures to ensure that the data subject rights are satisfied in time (maximum one month after request).

☐ The controllers have introduced efficient tools to ensure that data subjects are able to exercise their rights in a practical manner, for instance by introducing data interoperability standards.

☐ Data subjects are in a position to have access to all their personal data, including the raw data that are registered by IoT devices.

☐ The IoT developers have implemented tools to locally read, edit and modify the data before they are transferred to any data controller. Furthermore, personal data processed by a device is stored in a format allowing data portability.

☐ The controllers have introduced tools able to communicate rectified data to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

☐ The controllers have introduced tools able to ensure that all data are efficiently deleted at the data subjects’ request if there are no lawful reasons to oppose to that request.

☐ IoT developers have introduced user-friendly interface for users who want to obtain the raw and observed personal data that they still store. These tools enable data subjects to easily export their data in a structured and commonly-used format.

 

References

1Art 29 Data Protection Working Party Opinion 8/2014 on the on Recent Developments on the Internet of Things (SEP 16, 2014) https://www.dataprotection.ro/servlet/ViewDocument?id=1088

Skip to content