Article 20

Right to data portability

1.   The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a)

the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b)

the processing is carried out by automated means.

2.   In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3.   The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4.   The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

What does it mean?

The right to data portability allows individuals to obtain a copy of their personal data and reuse it for their purposes across different services. It enables them to move, copy, or transfer their data easily from one IT environment to another safely and securely, without hindering usability.

The right to data portability applies when one of the following conditions are met:

  • The processing of personal data is carried out by automated means, which basically means ‘digitally’.
  • The processing is based on the data subject’s consent or is necessary for the performance of a contract involving the data subject.
  • The data subject must have provided the personal data directly to the controller. This would be the case if, for example, the data subject assembled a playlist on a streaming service of their favorite songs.

Data controllers must respond to data portability requests without undue delay and within one month of receipt, according to Article 12 of the GDPR. They should also ensure the data is transferred securely and as requested.

Personal data should be provided in a structured, commonly used, and machine-readable format, such as JSON, XML, or CSV. The format must be easily understandable and reusable by the individual.

You should avoid actions that hinder an individual’s right to data portability, such as charging a fee for the data transfer, using complicated or proprietary formats that are difficult to use, delaying the data transfer unnecessarily, or refusing it without good reason.

A data controller can refuse a request if it is unfounded or excessive, particularly if it is repetitive. However, the data controller must inform the individual of the reasons for the refusal and their right to complain to a supervisory authority.

If it’s not possible to transfer data to the data controller requested by the data subject, inform the individual of the obstacles. Offer them the option to receive the data directly so they can transfer it themselves.

Make sure you correctly understand the individual’s request for data portability. Don’t send the wrong data or send it to the wrong data controller. Verify that the data being transferred is secure and not accessible to unauthorized parties during the transfer process.

Receiving data controllers must ensure the transferred data is processed lawfully. They should assess the relevance of the data for their processing purposes and not retain more data than necessary. If they receive more data than needed, they should not keep it unless specifically requested by the individual.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.

Discover

About

Get Started within 24 hours.

Once you have submitted your details, you’ll be our top priority!