In GDPR law, every EU resident has the right to Data Portability. But what does this actually mean for data controllers? In this post, we answer some of the most frequently asked questions concerning EU residents’ right to Data Portability.
FAQ #1 ~ What does ‘the Right to Data Portability’ mean?
Under GDPR, every individual within the European Union has the legal right to obtain Personal Data concerning them in a commonly used machine-readable format. The individual also has the right to transmit that data, or to request that the data be transmitted to another Data Controller without hindrance.
FAQ #2 ~ How do I know if I have received a Portability Request?
At the time of publishing this post, there is no specific form that must be used, in order to to make a Portability Request. An individual could write to your company, or email you, make a phone call, or even make a request via social media. The term “Portability” may not be explicitly used – the individual could simply request that you send their Personal Data to them directly, or to a third party such as their solicitor. The bottom line is that whenever an individual requests that you send them (or their nominated third party) their Personal Data, you must regard this as a Portability Request and facilitate the request as such.
FAQ #3 ~ What kind of data does this Right to Portability relate to?
The Right to Data Portability is similar to the Right of Access. However, it only applies to:
- Personal Data that is held electronically and;
- is data that was provided to you by the individual.
Data that was “provided to you” does not simply mean data entered into a web form, such as a username or email address. It could also include data you have created as a result of your observations of their online activities. For example:
- website or search usage history.
- traffic and location data, or;
- ‘raw’ data processed by connected wearable devices. e.g. data recorded on a fitness app.
FAQ #4 ~ How much time do I have to respond?
When processing a Portability Request it is vital that you act promptly and without undue delay. Your response must be within 1 month of the date you received the request. If you cannot repond within one calendar month due to the complexity of a request, or you are having to process several requests from the same individual, you can take an additional two months to respond if you send a letter to the requestor explaining the delay within one month of the date on which you received the Portability Request.
FAQ #5 ~ How should we respond to a Portability Request?
When you decide to comply with a Portability Request, you should send the requestor a letter along with the Personal Data covered by the request. Not all of the requestor’s Personal Data is relevant here, so you should only send them the Personal Data that:
was provided to you by the individual
you process by Automated Means*; and you are Processing using the lawful basis of consent – or to facilitate the performance of a contract.
* Automated Means = Processing the Personal Data electronically e.g. on a computer or other electronic device. However, if the Personal Data is held only in hard copy format, then it is not being Processed by Automated Means and therefore does not fall within the scope of the Right to Data Portability.
FAQ #6 ~ Must I always comply with a Portability Request?
Basically, yes. You must comply with the request, unless:
- the request is obviously unfounded.
- the request is excessive, insomuch as you have received repeated requests from the same individual.
- data protection legislation in your Member State provides an exemption from the need to comply.
- it could adversley affect the rights or freedoms of others, incl. intellectual property or trade secrets.
FAQ #7 ~ What format must I provide the Personal Data in?
To fully comply with a Data Portability request, you must provide the Personal Data in a format that is:
- structured – so that it enables easy transfer and usability;
- a commonly used format that is widely used and well established; and
- ‘machine-readable’ – meaning that it can be automatically read and processed by a computer.
FAQ #8 ~ Are we allowed to charge a fee for processing a Data Portability Request?
You are permitted to charge a fee for facilitating a Poartability Request, as long as it is:
- obviously unfounded; or
- excessive, insomuch as you have received repeated requests from the same individual.
In these situations, it is permissible to charge an appropriate fee, which takes into account the costs of facilitating the response. However, you must alsoi inform the requestor in writing, that you will be applying an administration charge. IMPORTANT: The answers given to the above questions are not conclusive and do not constitute legal advice. Individual circumstances may differ significantly. Contact The GDPR Guys for more information.