January 16, 2017
The Working Party explains that Article 20 of the GDPR creates a new right to data portability, which is closely related to, but differs from, the right of access. It allows data subjects to receive personal data that they have provided to a data controller in a structured, commonly used and machine-readable format, and to transmit it to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over his/her personal data.
Since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool to support the free flow of personal data in the EU and to foster competition between controllers. The Working Party says that it will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the Digital Single Market Strategy.
The Working Party’s Guidelines provide advice on the way to interpret and implement the right to data portability as introduced by the GDPR. The document discusses the right to data portability and its scope. It clarifies the conditions under which this new right applies, taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject. The document also provides concrete examples and criteria to explain the circumstances in which the right applies. In this regard, the Working Party considers that the right to data portability covers data provided knowingly and actively by the data subject as well as personal data generated by his or her activity. This new right cannot be undermined and limited to personal information communicated directly by the data subject, for example, on an online form.
The Working Party advises that data controllers should start developing the means to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data is transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.
The Guidelines also aim to help data controllers clearly understand their respective obligations, and recommend best practices and tools that support compliance with the data portability right. Finally, the document recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.