The right to data portability is one of eight rights enforced by the EU General Data Protection Regulation (GDPR). It allows data subjects to obtain data that a data controller holds on them and to reuse it for their own purposes. Individuals are free to either store the data for personal use or to transmit it to another data controller.
The data must be received “in a structured, commonly used and machine-readable format”.
According to the Article 29 Working Party (WP29), an advisory body made up of representatives from each EU member state, this right “support[s] the free flow of personal data in the EU and foster[s] competition between controllers”.
What data does this apply to?
The right to data portability applies:
- To personal data that an individual has given to a data controller;
- When the processing is carried out by automated means; and
- Where the processing is based on the individual’s consent or for the performance or a contract.
The second and third conditions are relatively self-explanatory, but it’s less clear exactly what personal data is ‘given to’ a data controller. The WP29 clarifies that this refers to information that “relate[s] to the data subject activity or result[s] from the observation of an individual’s behaviour”.
This includes “[d]ata actively and knowingly provided by the data subject […] (for example, mailing address, user name, age, etc.)” and “observed data [such as] a person’s search history, traffic data and location data [or] other raw data such as the heartbeat tracked by fitness or health trackers”.
However, inferred or “subsequent analysis of that data”, such as the outcome of a health assessment, is out of scope.
How do other rights fit in?
As with all data subject rights under the GDPR, when an individual exercises their right to data portability, they do so “without prejudice to any other right”. A data subject can continue to benefit from the data controller’s service after the right to data portability has been exercised, but doing so doesn’t alter the data controller’s rights or obligations. Data portability doesn’t automatically trigger the right to erasure and it doesn’t affect the original retention period of the data.
The data subject can exercise their rights as long as the data controller is still processing the data.
There’s much more to learn
The GDPR is a complex law, and data subject rights are just one part. Those who want to learn more about how the Regulation will affect them should read EU General Data Protection Regulation – A Compliance Guide.
This free green paper provides an overview of the key changes introduced by the GDPR and how you can prepare for them.