The Right to Data Portability stems from Article 20 of the General Data Protection Regulation (GDPR). This right allows data subjects to receive personal data, which they have provided to a data controller, in a structured, commonly-used and machine-readable format, and to transmit that data to another data controller without hindrance. This right, which applies subject to certain conditions, supports user choice, user control and consumer empowerment.
Although data portability can be considered as a “new right”, other types of portability already exist or are being discussed (e.g. in the context of contract termination, communication services roaming and trans-border access to services). Some synergies and even benefits to individuals may emerge between these types of portability if they are provided in a combined approach, even though analogies should be treated cautiously.
1. Main elements of data portability
(a) A right to receive personal data processed by a data controller, and to store it for further personal use on a private device, without transmitting it to another data controller. In this regard, data portability complements the right of access and offers an easy way for data subjects to manage and reuse personal data themselves.
(b) A right to transmit personal data from one data controller to another. In essence, this provides the ability for data subjects not just to obtain and reuse, but also to transmit the data they have provided to another service provider. This right facilitates the ability of data subjects to move, copy or transmit personal data easily. In addition to providing consumer empowerment by preventing “lock-in”, the right to data portability is expected to foster opportunities for innovation and sharing of personal data between data controllers in a safe and secure manner, under the control of the data subject.
(c) Data portability tools: on a technical level, data controllers should offer different implementations of the right to data portability.
(d) Data controllers answering data portability requests, under the conditions set, are not responsible for the processing handled by the data subject or by another company receiving personal data. Data portability does not impose an obligation on the data controller to retain personal data for longer than is necessary or beyond any specified retention period. Importantly, there is no additional requirement to commence retention of such data simply to service a potential data portability request. A “receiving” organisation becomes a new data controller for this personal data and must respect the principles stated in Article 5 of the GDPR. Thus, the “new” data controller must clearly and directly state the purpose of the new processing before any request for transmission.
(e) When an individual exercises his right to data portability he does so without prejudice to any other right. A data subject can continue to use and benefit from the data controller’s service even after a data portability operation. Equally, if the data subject wants to exercise his right to erasure, data portability cannot be used by a data controller as a way of delaying or refusing such erasure. Data portability does not automatically trigger the erasure of the data from the data controller’s systems and does not affect the original retention period applying to the data which has been transmitted according to the right to data portability. The data subject can exercise his rights as long as the data controller is still processing the data.
2. Application of data portability
According to Article 20(1)(a) of the GDPR, in order to fall under the scope of data portability, processing operations must be based:
To be within the scope of the right to data portability, data must be:
Article 20(4) also states that compliance with this right must not adversely affect the rights and freedoms of others.
In order to comply with the new right to data portability, data controllers must inform the data subjects of the availability of this new right. In providing the necessary, clear and comprehensive information, data controllers must ensure that they distinguish the right to data portability from other rights.
There are no prescriptive requirements on how to authenticate the data subject. Nevertheless, Article 12(2) of the GDPR states that the data controller may not refuse to act on the request of a data subject for exercising his rights (including the right to data portability) unless it is processing personal data for a purpose that does not require the identification of a data subject and it can demonstrate that it is not able to identify the data subject.
If the size of data requested by the data subject makes transmission via the internet problematic, rather than potentially allowing for an extended time period of a maximum of 3 months to comply with the request, the data controller may also consider alternative means of providing the data such as using streaming or saving to a CD, DVD or other physical media or allowing for the personal data to be transmitted directly to another data controller, where technically feasible.
The data controller must provide the personal data to the data subject ‘without undue delay’ and in any case ‘within 1 month of receipt of the request’, or within a maximum of 3 months for complex cases, provided that the data subject has been informed about the reasons for such delay within 1 month of the original request.
The data controller may not charge a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, ‘in particular because of their repetitive character’.
For more information or if you have any questions on Data Protection Regulation in Malta, please feel free to contact Dr Ian Gauci at igauci@gtgadvocates.com.
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.