On the basis of Article 20 GDPR, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. In doing so, data subjects are empowered, as they gain better control over their personal data and can move, copy, or transfer them as desired. According to Article 20.1 GDPR, however, the right to data portability can be exercised only when personal data are processed by automated means, on the basis of consent or for the performance of a contract.
As stressed in the Guidelines on the right to data portability developed by the Article 29 Data Protection Working Party (2017), the right to data portability is not limited to the possibility of transmitting the data subject’s personal data from one controller to another; it also encompasses the data subject’s right to receive a subset of the processed personal data and store them for personal use. To put it differently, transmission to another controller is not a mandatory constitutive element of the right to data portability, given that one of its specificities lies in the fact that it offers an easy way for data subjects to manage and reuse personal data themselves. All in all, data portability deals with personal data concerning the sole data subject, whether actively provided by the data subject or provided by virtue of the use of the service or device. In the latter case, the Article 29 Data Protection Working Party highlights that the controller should not take an overly restrictive interpretation of what counts as ‘personal data concerning the data subject’.
The right to portability is satisfied insofar as the controller directly transmits the requested information to the data subjects or provides access to an automated tool allowing them to extract the requested information on their own. The latter method does not mean that controllers must provide more general and routine access to their own systems; rather, access must be limited to the extraction of the information following the portability request.
The transfer of personal data from one controller to another depends on its legal, technical and financial feasibility. Amongst potential obstacles, the Article 29 Data Protection Working Party identifies: fees asked for delivering data; lack of interoperability or access to a data format, API or the provided format; excessive delay or complexity in retrieving the full dataset; deliberate obfuscation of the dataset; or specific and undue or excessive sectorial standardisation or accreditation demands. To this end, Recital 68 GDPR provides that the controller should develop interoperable formats, namely formats that allow information systems to exchange data and share information. Yet there is no obligation on the controller to support these formats, with the consequence that direct transmission can occur only insofar as communication between the two systems is possible and safe. Examples of interoperable formats are: an SFTP server, a secured WebAPI or WebPortal.
In addition, the data should be in a structured, commonly used and machine-readable format. To understand this requirement, the Open Data Handbook published by Open Knowledge International can be a useful source. Specifically, structured data can be defined as data where the structural relation between elements is explicit in the way the data is stored on a computer disk. This means that software can extract specific elements of the data. An example of a structured format is a spreadsheet file, where the data is organised into rows and columns. Machine-readable data, in turn, are data that can be automatically read and processed by a computer. Machine-readable data can be made directly available to applications that request that data over the web; this is done by means of an application programming interface (“API”). Finally, it is important to stress that, although the ‘commonly used’ requirement could be satisfied by using common software applications, such applications must also meet the structured and machine-readable standards to comply with the right to portability. In any event, open formats such as CSV, XML, JSON and RDF are a good illustration of ways to answer a portability request.
Considering that data portability involves the transfer of personal data, such an act could become a potential source of risk for the personal data as such. Consequently, the controller is required to take all the necessary measures to guarantee a safe transfer to the right recipient. This objective could be reached through data encryption, one-time passwords, and so on.
It is also noted that when a controller responds to a data portability request, it acts on the data subject’s instructions and, consequently, is not responsible for the recipient’s compliance with the data protection framework. Besides, the controller who transfers the data is not required to check the accuracy of the personal data; nevertheless, data portability neither automatically involves the erasure of the personal data from the system, nor affects the original retention period.
If the data subject’s request involves information about other individuals, the controller must consider whether there will be an adverse effect on their rights and freedoms. By contrast, if the portability request is made by several data subjects, the controller must make sure that all of them agree on the request.
Finally, it must be highlighted that there is no right to receive inferred data under the right to data portability, since these are NOT provided by the data subjects. Nevertheless, the data subjects can still use their “right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”, as well as information about “the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject”, according to Article 15 of the GDPR (which sets out the right of access).
Moving to the realm of research, data portability could allow the development of “more and more user-centric platforms for the management of personal data”, while also providing data subjects with effective control over their personal information. In particular, data portability could be useful for the establishment of a broad research network, the facilitation of secondary use, and the fulfilment of citizen science (namely, that individuals should be able to transfer their data from various sources to research institutions).
Checklist for complying with a portability request
Is the exercise of the right to data portability compliant with GDPR?
☐ Did you receive a request for data portability from an individual? If not, please indicate that the request was not lodged by an individual and that the request should be made following the relevant legislation;
☐ Is the portability request made by several data subjects? If yes, make sure that all of them agree on the request;
☐ Have the data subjects correctly identified themselves? If not, please ask for further information to confirm identity;
☐ Are data processed on one of the lawful bases provided in Article 20.1 GDPR? If not, please inform the data subject that the request shall be denied;
☐ Is the data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller? If yes, please inform the data subject that the request shall be denied;
☐ Can the request be fulfilled within one month? If not, please explain why and how long it will take to process the request;
☐ The request needs to be fulfilled.
How to further comply with all the GDPR obligations:
☐ If the information is intertwined with that of other individuals, please carry out a balancing test;
☐ Transmit data in structured, commonly used and machine-readable formats;
☐ Transmit data in a secure way.
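The checklist above, together with the earlier sections on formats (structured, machine-readable CSV/JSON), on third-party data (balancing test), on inferred data (excluded from portability) and on secure transfer, can be turned into a small request handler. The following is an added example written for this page, not code from the page's authors or from any regulator: the request structure, the field names, the `origin`/`third_party` tags on each stored field and the sample record are constructed assumptions used only to illustrate the decision flow and the export.

```python
"""Added example (not part of the original page): a minimal Article 20 GDPR
portability-request handler that walks the checklist and, if the request
is to be fulfilled, builds a structured, machine-readable export (JSON and
CSV) of the data the subject provided or that was observed through use of
the service. Record layout, tags and values are constructed assumptions."""

import csv
import hashlib
import io
import json
from dataclasses import dataclass

# Lawful bases under which Article 20.1 GDPR allows portability, as stated on the page.
PORTABLE_BASES = {"consent", "contract"}


@dataclass
class PortabilityRequest:
    requester_ids: list          # data subject(s) lodging the request (assumed ids)
    identity_verified: bool      # identity confirmed by the controller
    lawful_basis: str            # e.g. "consent", "contract", "public_task", "legitimate_interest"
    automated_processing: bool   # processing is carried out by automated means
    all_requesters_agree: bool = True  # only relevant for joint requests


def assess_request(req: PortabilityRequest) -> tuple:
    """Apply the checklist in order; return (fulfil, reason)."""
    if not req.requester_ids:
        return False, "request not lodged by an individual"
    if len(req.requester_ids) > 1 and not req.all_requesters_agree:
        return False, "joint request: not all data subjects agree"
    if not req.identity_verified:
        return False, "identity not confirmed: ask for further information"
    if req.lawful_basis == "public_task":
        return False, "processing in the public interest / official authority: request denied"
    if req.lawful_basis not in PORTABLE_BASES:
        return False, "lawful basis %r is not one listed in Article 20.1: request denied" % req.lawful_basis
    if not req.automated_processing:
        return False, "processing not carried out by automated means: request denied"
    return True, "request to be fulfilled"


# Constructed sample record. Every field is tagged with its origin so the
# exporter can separate provided/observed data (portable) from inferred data
# (not portable; covered by the Article 15 right of access instead).
SAMPLE_RECORD = {
    "subject_id": "u-0001",
    "fields": [
        {"name": "email", "value": "alice@example.org", "origin": "provided"},
        {"name": "login_history", "value": ["2024-01-03", "2024-01-05"], "origin": "observed"},
        {"name": "credit_score_band", "value": "B", "origin": "inferred"},
        {"name": "emergency_contact", "value": "bob@example.org", "origin": "provided", "third_party": True},
    ],
}


def select_portable_fields(record: dict, include_third_party: bool = False) -> dict:
    """Keep provided and observed data; drop inferred data, and drop data about
    other individuals unless the balancing test allowed its release."""
    selected = {}
    for f in record["fields"]:
        if f["origin"] == "inferred":
            continue
        if f.get("third_party") and not include_third_party:
            continue
        selected[f["name"]] = f["value"]
    return selected


def export_json(record: dict, include_third_party: bool = False) -> str:
    """Structured, machine-readable export: one JSON document per data subject."""
    payload = {"subject_id": record["subject_id"],
               "data": select_portable_fields(record, include_third_party)}
    return json.dumps(payload, indent=2, sort_keys=True)


def export_csv(record: dict, include_third_party: bool = False) -> str:
    """Same content as a two-column CSV (rows and columns, like a spreadsheet);
    nested values are kept parseable by serialising them as JSON strings."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value"])
    for name, value in select_portable_fields(record, include_third_party).items():
        writer.writerow([name, json.dumps(value) if isinstance(value, (list, dict)) else value])
    return buf.getvalue()


def checksum(payload: str) -> str:
    """SHA-256 of the export, to be given to the data subject through a second
    channel so the recipient can confirm the delivered file is intact."""
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    req = PortabilityRequest(["u-0001"], identity_verified=True,
                             lawful_basis="consent", automated_processing=True)
    ok, reason = assess_request(req)
    print(reason)
    if ok:
        doc = export_json(SAMPLE_RECORD)
        print(doc)
        print(export_csv(SAMPLE_RECORD))
        print("sha256:", checksum(doc))
```

The checks run in the same order as the checklist, so the first failing step is the reason reported to the data subject. Note that the export deliberately leaves the source record untouched: fulfilling the request neither erases the data nor changes the retention period, as the page points out.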
1. Article 29 Data Protection Working Party (ed.), ‘Guidelines on the Right to Data Portability’, 2017, WP 242 rev.01, pp. 4-5. At: https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611233
2. For further examples see: ibid., p. 9.
3. Information Commissioner’s Office (ed.), op. cit., p. 140.
4. Article 29 Data Protection Working Party (ed.), ‘Guidelines on the Right to Data Portability’, op. cit., p. 15.
6. The term is defined in Recital 21 of the Directive 2013/37/EU17 as (…) a file format structured so that software applications can easily identify, recognize and extract specific data, including individual statements of fact, and their internal structure. Data encoded in files that are structured in a machine-readable format are machine-readable data. Machine-readable formats can be open or proprietary; they can be formal standards or not. Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be extracted from them, should not be considered to be in a machine-readable format. Member States should where appropriate encourage the use of open, machine-readable formats.
7. Article 29 Data Protection Working Party, ‘Guidelines on the Right to Data Portability’, op. cit., p. 6.
8. Ibid., p. 7.
9. Information Commissioner’s Office (ed.), op. cit., p. 139.
10. Article 29 Data Protection Working Party (ed.), ‘Guidelines on the Right to Data Portability’, op. cit., p. 15.
11. P. De Hert, V. Papakonstantinou, G. Malgieri, L. Beslay, I. Sanchez, “The Right to Data Portability in the GDPR: Towards User-Centric Interoperability of Digital Services”, Computer Law and Security Review, Vol. 34, No. 2, 2018, p. 203.
12. P. Quinn, “Is the GDPR and its Right to Data Portability a Major Enabler of Citizen Science?”, Global Jurist, June 2018, pp. 8-9.