In December 2016, the European Article 29 Working Party (WP29) published guidelines and FAQ on the right to data portability. The guidelines clarify a number of key areas, including when the right applies and to what data, and what practical measures can be used to protect the right.
The scope of data portability
Having a right to data portability means that individuals must be able to obtain their personal data from a service provider and/or move it to another service provider without hindrance.
According to the guidelines, however, “the GDPR does not establish a general right of data portability”. The right applies only:
- to personal data an individual has provided to an organisation (excluding personal data that is derived from or inferred through analytics)
- where the processing is based on the individual’s consent or for the performance of a contract
- when processing is carried out by automated means (which excludes paper records).
Obligations and recommendations
The guidelines further clarify a number of the obligations on organisations when supporting the right to data portability.
Inform – organisations must inform individuals about the availability of the new right to portability “in a concise, transparent, intelligible, and easily accessible form, using clear and plain language”.
Identification – appropriate procedures enabling an individual to make a data portability request need to be put in place, including an authentication procedure to ascertain the identity of the individual.
Response time – organisations need to respond “within one month of receipt of the request”, or within a maximum of three months for complex cases.
Technical tools – technical mechanisms need to be put in place for individuals to not only download the requested personal data, but also allow them to directly transmit the data to another service provider. This could be implemented by making data available via an Application Programming Interface (API).
Data format – the requested personal data must be made available in a format that supports reuse. The GDPR does not impose specific recommendations on the format; the minimum requirement is that it is “structured, commonly used and machine readable”, and should include as much metadata as possible.
For example, providing an individual with a PDF version of an email inbox would not be sufficiently structured to meet the requirements. Given the wide range of potential data types, WP29 strongly encourages cooperation between industry stakeholders and trade associations to work on a common set of interoperable standards and formats.
Free of charge – a fee for making data available may not be charged unless the request can be shown to be “manifestly unfounded or excessive”.
For more advice and guidance on implementing the GDPR, including data portability, take a look at our products and services: