According to the GDPR, data subjects have a right to portability(see the “Right to Portability” subsection in the “Data Subjects’ Rights” section of the General Part of these Guidelines). In order to face this requirement, controllers should store the data in standardized formats that allows the data subjects to transmit those data, which they have provided, from one automated application, such as a social network, to another one.
Anyway, it is necessary to highlight that the right to data portability only applies to data ‘concerning’ the data subject and data they ‘provided to’ the controller. As a consequence, both anonymized and inferred or derived data are not included in the right to portability, since anonymized data do not concern the data subject, and inferred or derived data have not been provided by the data subject.
|Checklist: data subjects’ rights
☐ The controllers have introduced the necessary procedures to ensure that the data subject rights are adequately satisfied, no matter if they are the end-users or third parties.
☐ The controllers have introduced the necessary procedures to ensure that the data subject rights are satisfied in time (maximum one month after request, extendable by two additional months with regard to the complexity of the task and the number of requests).
☐ The controllers have introduced efficient tools to ensure that data subjects are able to exercise their rights in a practical manner, for instance by introducing data interoperability standards.
☐ Data subjects are in a position to have access to all their personal data, including observed, obtained, derived and inferred data.
☐ The controllers have provided the data subjects with remote access to their personal data. Particularly, controllers which provide online services based on personal data have provided an online tool for this purpose.
☐ The controllers have introduced tools able to communicate rectified data to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
☐ The controllers have introduced tools able to ensure that all data are efficiently deleted at the data subjects’ request if there are no lawful reasons to oppose that request.
☐ Controllers have introduced user-friendly interfaces for users who want to obtain both aggregated data and/or raw data that they still store. These tools enable data subjects to easily export their data in a structured and commonly-used format.
☐ The controllers have documented all the information regarding these issues.
1See I. GRAEF, Mandating Portability and Interoperability in Online Social Networks: Regulatory and Competition Law Issues in the European Union (22 July 2013). Telecommunications Policy 2015, Vol. 39, No. 6, p. 502–514. ↑