The GDPR provides that in certain circumstances a “data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance”.
The purpose of the right to data portability is to make it easier for data subjects to move between service providers without any loss of data and without having to re-input information. This in turn should encourage competition by enabling new service providers to enter the market more easily.
The right to data portability only applies:
- to personal data an individual has provided to a data controller
- where the processing is based on the individual’s consent or for the performance of a contract
- when the processing is carried out by automated means.
Guidelines produced by the EU’s data protection working party state that data controllers should provide a range of tools for individuals to receive their data, including a direct download option and an option to automatically transmit data to another data controller. While businesses are not required to adopt or maintain processing systems that are technically compatible with other organisations in their industry, they are encouraged to work together to develop a common set of standards and formats for delivering information.
The information must be provided free of charge and the data controller must respond to a request for data to be ported without undue delay, and in any event within one month. This can be extended by two months where the request is complex or where multiple requests are received but the data controller must respond within one month explaining why the extension is necessary.
It is important to note that if the personal data requested by a data subject concerns information relating to more than one individual, the data controller must consider whether providing the data would prejudice the rights of any other individual.