The General Data Protection Regulation (GDPR) focuses on protecting the data privacy rights of the citizens of the European Union. Article 20, the Right to Data Portability, covers one aspect of the rights and freedoms an individual has under GDPR.
Are you finding it challenging to tell Article 20 service requests apart from other standard service requests? For example, are you erasing user data when processing portability requests?
Do not get overwhelmed. We have answered the common questions on data portability in jargon-free English to help you understand this requirement.
Article 20 of the General Data Protection Regulation (GDPR) sets out the right to data portability. It states that individuals under the purview of GDPR have the right to receive the personal data a Controller has processed about them. The Controller must provide that personal data in a structured, commonly used and machine-readable format. Suppose an individual provides their data to a Controller for processing. In that case, they can request a copy of that personal data from the Controller, who must honour the request and share the data in a structured, machine-readable format.
Understanding the Right to Data Portability GDPR
Individuals generally use the right to data portability to obtain a structured copy of their data for personal use or to share it with a new Controller.
To get access to that data, individuals can either raise a direct request with the Controller or ask the Controller to provide automated tools that let them extract their structured data sets from the Controller's records.
However, whether to provide access to the Controller's systems is at the discretion of the Controller, based on the risk assessment and risk level it has defined. Where such access is not provided, Controllers can instead send the data directly to the individual via secure electronic channels.
When a controller is asked to transmit an individual's structured personal data to another controller, it is obligated to make the transfer seamless. In this context, a seamless data transfer is one in which the controller does not use technical, financial or legal obstacles to delay or prevent the transfer.
Where a specific request could affect the rights of other users in the controller's database, the controller can refuse to process the transmission. However, the controller is required to justify why the transmission is not recommended.
What is Data Portability GDPR?
The right to data portability applies to data sets that fall into any of the categories below.
- Personal data that an individual has provided to a controller
- Data that is processed by automated means
- Data that is processed on the basis of the individual's consent or the performance of a contract
Points two and three are straightforward; the conditions explain themselves. Point one, however, still leaves room for ambiguity.
When an individual creates an account online (mail, website, social network, etc.), they hand over their email ID, name, Social Security Number (SSN), address and telephone number, depending on the form they fill out.
However, when the same individual exercises the right to data portability to receive a copy of their information, they are entitled to receive both the information they submitted during account creation and the information the controller has collected about them through their use of the service.
Generally, a data controller collects information such as:
- Browser history
- Raw data extracted from wearables and connected devices.
If you are a controller, it is good to know that Article 20 does not obligate you to hand over the user profile you have derived from the information collected.
Article 20 also does not apply where the controller processes data on the basis of public interest, or to pseudonymised data.
How do other rights fit in GDPR Data Portability?
Exercising the right to data portability under Article 20 does not affect any other right the individual is entitled to under GDPR. In other words, just because an individual requests a copy of their data from a controller, the controller is not automatically expected to erase that individual's data from its records.
Even after a service request, the individual making the request can continue to use the controller's services. A data portability request does not change the controller's rights or obligations.
Individuals can exercise their right to data portability for as long as the controller continues to use their data.
When does the GDPR right to data portability arise?
The right to data portability applies when one or more of the following conditions are satisfied.
- The processing of the individual's personal data is carried out by automated means.
- The individual has given the controller their cookie consent to process their data.
- The data controller and the individual have entered into a contract under which the data is processed.
Even when the conditions above are satisfied, the transfer can be refused if it poses a risk to the rights and freedoms or privacy of other users and that risk is justified.
The problem with GDPR right of data portability and its future
GDPR, at its core, aims to protect the data privacy rights of EU residents. But with Article 20's right to data portability, one could argue that an individual's personal data never really leaves the controller's records. At best, the data sets are processed by a different controller as well.
Adding to that, the right to data portability applies only to personal data. While name, email ID, address, telephone number and the like clearly count as personal data, many other attributes are collected by automated systems for analysis and user behaviour analysis. Those attributes are never transferred to another controller or sent back to the individual when they exercise their right to data portability.
Is this the best way to ensure data privacy?
While the world debates the nuances of Article 20 and comes up with the next iteration of this right, it is imperative that you, as a controller, remain on the right side of GDPR compliance.
At Sprinto, we have helped organizations of all sizes become GDPR compliant and maintain that status. In our experience, organizations looking to become or remain compliant often lack measures to identify and process a service request of this nature. It becomes even more complicated when an oral request for personal data is never logged. There have been instances where organizations have been penalized with heavy administrative fines for not responding to data portability requests.
Sprinto keeps you on the right side of GDPR compliance by automating service requests and tracking the progress of each one. Furthermore, when a specific request is about to breach its service level agreement, an automated notification is sent to the stakeholders so they can prioritize it and avoid non-compliance.
Sprinto automates the compliance process so you can focus on business development. With Sprinto, you can give your team the training required to stay on top of your compliance posture while automating tasks to minimize human intervention where possible.
Our training modules are designed to teach your employees to identify a request, log an oral service request, and operate the automated tools in instances where manual intervention is required.
Need help with setting up GDPR Data Portability guidelines within your organization? Talk to us today.