The current legislation regarding data protection, the GDPR and LOPDGDD, introduced updates to your rights. Besides the recognised “Right to erasure”, there is the new “Right to data portability”, which we are going to explain in this article to clear up any doubts that may arise from the literal interpretation of the definition given by the GDPR.
Article 20 of the General Data Protection Regulation defines the right to data portability and recognises that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
Under which circumstances? When:
- The processing is based on the consent granted by the data subject to process his or her personal data for one or more specific purposes;
- The processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Interoperable portability formats
For its part, Recital 68 of the GDPR stipulates as follows:
To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability.
That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties.
It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation.
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract.
Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
On the other hand, Article 17 of the LOPDGDD under the subsection “The right to data portability” stipulates as follows: “The right to data portability shall be exercised in accordance with what is set forth in Article 20 of Regulation (EU) 2016/679”.
Inferred and derived data
Having said that, it is important to highlight that data considered “inferred” or “derived” are not subject to the right to portability. These are data that result from applying the controller’s own knowledge or skills to information generated during the provision of the service; namely, from applying skills that are part of the controller’s know-how (such as mathematical skills or those resulting from applying algorithms) to data related to the product or service.
The Guidelines adopted by the Working Party created by Article 29 of Directive 95/46/EC regarding exercising the right to portability were very helpful and clear. In this sense, the aforementioned guide from the Article 29 Working Party makes reference to the tools employed for data portability.
From a technical point of view, data controllers must offer different options for putting the right to data portability into practice. For example, they must offer the data subject the option of direct download, and at the same time allow data subjects to transmit the data directly to another data controller, which could be done by supplying an API, that is, an application interface or web service that the data controller provides so that other systems or applications can link up and work with its systems.
When can portability be exercised
In conclusion, it must be clear that the right to portability may only be exercised in the cases foreseen by Article 20 of the GDPR, and certain conditions have to be met with regard to the data that can be “ported”:
- First condition: personal data concerning the data subject.
- Second condition: data supplied by the data subject.
- Third condition: the right to data portability shall not adversely affect the rights and freedoms of others.
Similarly, more information and forms for exercising the right to data portability can be found on the Spanish Data Protection Agency website.