Data Portability Under Article 20 GDPR

The GDPR right to data portability focuses on protecting the data privacy rights of the citizens of the European Union. Article 20’s Right to Data Portability focuses on one aspect of the rights and freedom an individual has under the GDPR law.

Are you finding it challenging to differentiate Article 20’s service requests from the other standard service requests? For example, are you erasing user data when processing portability requests?

Do not get overwhelmed. We’ve answered all your doubts on data portability in jargon-free English to help you understand this requirement.

Understanding the GDPR Right to Data Portability

Article 20 discusses the GDPR right to data portability – one of several GDPR data subject rights that empower individuals to receive their processed personal data from their Controller in a structured format. The Controller must transmit structured personal data in a machine-readable format.

A comprehensive GDPR compliance checklist helps organizations ensure their data portability processes meet all technical and procedural requirements. Suppose an individual provides their data to a Controller for data processing. In that case, they can request to receive the Controller’s structured personal data. The Controller must abide by the service request and share all the structured data in a machine-readable format.

Individuals generally use the right to information to get structured data sets of their data for personal use or to share it with a new Controller.

To get access to the said data, individuals can either raise a direct request with the Controller or ask the Controller to enable them to access automated tools that help extract their structured data sets from the Controller’s records.

However, providing access to the Controller’s system is the discretion of the Controller based on the risk assessment and risk level they’ve defined. In such instances, Controllers can directly send the data to the individual via secure electronic channels.

Controllers must make data transfers seamless when transmitting personal data to another controller. Compliance automation software helps organizations build repeatable portability workflows that meet Article 20’s technical and procedural requirements. In this context, a seamless data transfer would be when the controller is not using technical, financial, and legal nuances to delay or prohibit the data transfer.

Controllers can refuse data transmission if it impacts other users’ rights. However, unjustified refusals expose organizations to enforcement action, so understanding the GDPR fines and penalty structure is critical before denying any portability request. When a controller does refuse, it is required to justify why the transmission is not recommended.

What is Data Portability GDPR?

The right to data portability GDPR applies to data sets that can be classified in any of the below-mentioned categories.

  • Personal data that an individual shares with a controller
  • When automated methods are used to process data
  • When the data is processed on an individual’s consent or contracts, or performance.

Points two and three are simple; they explain the condition themselves. However, Point one still holds scope for ambiguity.

For example:

When an individual is creating an account online (mail, website, social network, etc.), they hand over their email ID, name, Social Security Number (SSN), address, and telephone number based on the form they fill out.

However, when the same individual uses the GDPR right to data portability to receive a copy of their information, they are entitled to receive the information they’ve submitted during the account creation process and the information the controller has collected about them.

Generally, a data controller collects information such as:

  • Location
  • Browser history
  • Traffic
  • Raw data extracted from wearables and connected devices.

If you are a controller, it is good to know that you are not obligated by Article 20 to give the user profile you've created based on the information collected.

Article 20 does not apply when controllers process pseudonymized data or data in the public interest. In such cases, GDPR Article 32 security of processing requirements still govern how that data must be protected.

How do other rights fit in GDPR Data Portability?

The right to GDPR Data Portability in Article 20 does not impact the other GDPR data rights the individual is entitled to when exercised. This means that just because an individual requests a copy of their data from a controller, it does not mean that the controller is automatically expected to erase the individual’s data from their records.

Even after a service request, the individual making the request can continue to benefit from the controller. A data portability request does not change the controller’s rights or obligations.

Individuals can exercise their right to GDPR data portability as long as controllers use their data.

When does the GDPR right to data portability arise?

The right to data portability GDPR is applicable when either one or more of the following conditions are satisfied.

  • The data processing of an individual’s personal data is carried out by automated tools/measures.
  • When the individual has given the controller their cookie consent for processing their data
  • When the data controller and the individual draft a contract to process data.

Even if the conditions mentioned above are satisfied, the transfer can be terminated if it poses a risk to other users’ rights to freedom and privacy, and that risk is justified.

The problem with GDPR right of data portability and its future

GDPR, at its core, aims to protect the data privacy rights of the members of the EU. But, with Article 20’s right to GDPR data portability, one could argue that an individual’s personal data never really leaves the controller’s records. At best, the data sets get processed with a different controller.

Adding to that, the right to data portability GDPR applies to personal data. While the name, email ID, address, telephone number etc., can be attributed as personal data, multiple other attributes get collected by automated systems for analysis and user behavioural analysis, and those attributes are never transferred to or sent back to the individual when they exercise their right to data portability. 

Is this the best way to ensure data privacy? 

It is imperative that you remain on the right side of GDPR compliance as a controller. Understanding GDPR compliance costs helps organizations weigh the financial logic of investing in a proper data portability process versus the fines that follow non-compliance.

At Sprinto, we have helped organizations of all sizes become GDPR compliant and maintain compliant status. In our experience, we’ve seen that the organization looking to become/remain compliant often does not have measures to identify and process a service request of this nature. It becomes even more complicated when an oral request for personal data does not get logged. There have been instances where organizations have been penalized heavily by administrative fines for not responding to data portability requests.

Why Choose Sprinto for Data Portability Compliance?

GDPR compliance software keeps you on the right side of GDPR by automating data portability service requests and tracking the progress of each one through to completion. Furthermore, in instances where a specific request is about to violate the service level agreement, an automated notification is sent to the stakeholders to prioritize this activity to avoid non-compliance.

A compliance automation platform handles the GDPR data portability workflow in the background so your team can focus on business development rather than manually tracking each service request through to resolution. With Sprinto, you can now enable your team with the training required to be on top of your compliance posture while automating tasks to minimize human intervention where needed. 

Controllers must educate employees on identifying portability requests and logging oral requests. Enrolling your team in GDPR training courses ensures they can distinguish Article 20 portability requests from other data subject rights.

Need help with setting up GDPR Data Portability guidelines within your organization? Talk to us today.

FAQ

How does the GDPR right to data portability help the user?

With the right to data portability, users can now move their existing data from one service provider to another at no extra cost, and they can also use it to be updated on the information processors have about them by requesting a copy of their processing information.

What are the benefits of data portability?

The three benefits of data portability are:

  • Increasing consumer control
  • Unlocking more value from data
  • Fostering competition

What is an example of data portability?

Under GDPR Article 20, individuals have the right to receive their personal data in a structured, commonly used, machine-readable format and transfer it to another service where technically feasible. This applies to data they provided to a controller when processing is based on consent or contract and carried out by automated means.

What are the requirements for GDPR data portability?

Under GDPR Article 20, data portability applies when processing is automated and based on consent or a contract. Personal data must be provided in a structured, commonly used, machine-readable format and, where technically feasible, transferred directly to another controller without hindrance.

Vimal Mohan
Author

Vimal is a Content Lead at Sprinto who masterfully simplifies the world of compliance for everyday folks. When not decoding complex framework requirements and compliance speak, you can find him at the local MMA dojo, exploring trails on his cycle, or hiking. He blends regulatory wisdom with an adventurous spirit, navigating both worlds with effortless expertise.