Article 20 of the GDPR
Right to data portability under the GDPR
Right to data portability is a right that data subjects have under the GDPR. It means that in some cases, data subjects have the right to have their personal data transferred to another company. However, it must be technically possible for the company to carry out the transfer, in order for data subjects to be able to have this right fulfilled.
The data subjects right to data portability in GDPR
Article 20 of the GDPR governs this right to data portability. However, this right only applies in certain specific situations provided that specific conditions are met. Below you can read more about the data subject’s right to data portability. This right is one of the eight fundamental rights that data subjects have under the GDPR.
Purpose of the right to data portability
The purpose of this right is to give data subjects greater influence over their own personal data. This right allows them to more easily copy, transfer or move the personal data from one IT environment to another. The idea is that this should be possible regardless of whether the transfer is to the data subjects own systems, third-party systems or others’ systems. The intention of this right is also to make it easy for data subjects to change IT service and service provider.
The other rights do not cease when a data subject requests data portability
When a data subject requests to have his or her personal data transferred, such as from one social media service to another, this does not mean that the other rights in the GDPR cease. As long as the company processes the personal data, the data subjects retain their rights under the GDPR.
In addition, a transfer of personal data under the right to data portability does not mean that the company has to delete the personal data directly. The transfer does not affect the original storage duration of the personal data.
Where a data subject has the right to move his or her personal data through data portability
The data subject has the right to data portability only if:
The processing of personal data is automatic.
It refers to personal data that the data subject has provided to the company.
The legal basis for the processing is consent or performance of a contract with the data subject.
The transfer of personal data does not adversely affect the rights and freedoms of third parties.
The right to data portability does not apply if:
The processing of personal data takes place for archiving purposes of research material, cultural heritage material and description tasks with a general interest in mind and the rights of data subjects. In addition, the processing must be proportionate and necessary.
A company got reprimand because the user could not transfer their messages
In Finland, the supervisory authority issued a reprimand, i.e. a remark, to a company that had not complied with the right to data portability. The user had a free account on an email service, but could not transfer their messages automatically unless the user paid for the service. The supervisory authority did not consider this to be in compliance with the rules of the GDPR. According to the GDPR, data subjects should have the right to have their personal data transferred free of charge. This applies if they meet the requirements for the right in question.
How the company should act when data subjects request to have their personal data moved
It is important to have knowledge of how the company should act, when a data subject requests data portability. Below is a summary of some important points to consider.
Verify the identity
Identify the data subject requesting the exercise of this right. It is allowed to prove the identity when data subjects request to have their personal data transmitted if the company is not sure of the identity.
Reply to the request
Companies must respond to the data subject's request to have their personal data transferred in accordance with the GDPR. The retention shall take place without undue delay and at the latest within one month of receipt of the request by the company. However, in some cases it may be permissible to extend the time limit. For example, if the request concerns a complex case or if the company received many requests at the same time. In such cases, the company may extend the deadline for a further two months, but the company must justify the decision to the data subject within the first month.
Refusal of the transfer
In some cases, it may be permissible for the company to refuse to transfer personal data according to a request from a data subject. In such cases, the company must inform the data subject of the decision. This shall be done within one month and shall include a justification for the decision.
Form of access
When a company transfers and provides access to personal data, it must do so in machine-readable form. In addition, it should be structured and in a generally usable format. Note that the company should also transmit metadata if possible. The most appropriate form of transferring personal data differs from case to case. For example, it is affected by the area in question and the type of personal data that the transfer covers. Therefore, the company should analyse each case on a case-by-case basis.
Guidelines on the right to data portability
If you want to deepen your understanding of the right to data portability, you can visit the European Commission’s website.
From there, you can download a document with guidelines on the right to data portability (click here):
Other data subjects' rights under the GDPR
Automated decisions
Automated decisions mean, for example, that a machine makes a decision instead of a human being. Data subjects have the right to request that the decision is not based solely on automated decisions. Examples of automated decisions are if a company performs a credit check on a potential customer through technical algorithms. If a company uses automated decision-making, the company is obliged to inform the data subject accordingly.