The right to data portability is one of eight rights enforced by the GDPR (General Data Protection Regulation).
It allows data subjects to obtain data that a data controller holds on them and to reuse it for their own purposes. Individuals are free to either store the data for personal use or to transmit it to another data controller.
The data must be received “in a structured, commonly used and machine-readable format”.
What data does this apply to?
The right to data portability applies:
- To personal data that an individual has provided to a data controller;
- When the processing is carried out by automated means; and
- Where the processing is based on the individual’s consent or for the performance of a contract.
The second and third conditions are relatively self-explanatory, but it’s less clear exactly what personal data is ‘provided to’ a data controller.
This doesn’t simply refer to things such as names and addresses, which users hand over to create an account. It also refers to personal data that organisations gather while observing an individual’s activities. This includes things such as:
- Browsing history;
- Traffic and location data; and
- Raw data processed by connected objects, such as smart meters and wearable devices.
However, it doesn’t include any additional information that the organisation has created based on the information provided – such as a user profile.
One important caveat is that the right to data portability doesn’t apply if the organisation uses legitimate interests or public interest to process personal data – or if the data is pseudonymised.
How do other rights fit in?
As with all data subject rights under the GDPR, when an individual exercises their right to data portability, they do so “without prejudice to any other right”.
A data subject can continue to benefit from the data controller’s service after the right to data portability has been exercised, but doing so doesn’t alter the data controller’s rights or obligations.
Data portability doesn’t automatically trigger the right to erasure and it doesn’t affect the original retention period of the data.
The data subject can exercise their rights as long as the data controller is still processing the data.
Want to become a GDPR expert?
You can find out more about the right to data portability and the Regulation’s other requirements by enrolling on our Certified GDPR Foundation Live Online Training Course.
This one-day course is the perfect introduction to the GDPR and the requirements you need to meet.
Delivered by an experienced data protection practitioner, the course is suitable for directors or managers who want to understand how the Regulation affects their organisation, employees who are responsible for GDPR compliance and those with a basic knowledge of data protection who want to develop their career.
It’s available in a variety of forms, including online and self-paced, meaning you can take the training from the comfort of your own home.
A version of this blog was originally published on 25 January 2018.