Right to Data Portability under GDPR Article 20
Article 20 of the EU General Data Protection Regulation (GDPR) provides a right to data portability for information provided by the data subject based on consent (or a contract) and processed through automated means by the controller. The right to data portability allows people to obtain and reuse their personal information across different services for their own purposes.
Data portability is one of the data subject access rights (DSAR). It facilitates transfers of the personal data of an individual between two businesses. If people are to have control over their personal information, then they also need to be able to extract it from the organization that has collected it.
More specifically, Article 20 eliminates lock-in by preventing businesses from restricting transfers to another provider by making it difficult to export data from their platform. It requires organizations to provide the personal data the subject has provided them, upon request, in a structured, machine-readable format for transmission to another controller. If it is technically feasible, the data subject has the right to have the data transmitted directly between controllers.
The principle of data portability is consistent with the GDPR’s effort to take control of personal data from the hands of businesses and put it into the hands of the data subject. However, it stops short of giving the person all information that a business has about them. Instead, it only requires information provided by them to be turned over. The “work product” of the organization collecting the data is not included in what has to be turned over.
The exported data should be structured and machine readable so that software by other controllers can extract specific information from it. The file should be in an open format such as a CSV file.
Many large technology platforms like Facebook and Google already provide access to some or all of the data provided to them. Organizations that have not implemented data portability can do so with Clarip’s DSAR Portal.
Other Data Subject Access Rights
California’s New Privacy Law: Get your business ready for the California Consumer Privacy Act with Clarip.