A29WP Issues Guidance Addressing GDPR Woes: Data Portability Right

What’s New?

In December 2016, the EU’s Article 29 Working Party (A29WP)—a group comprised of EU national data protection authorities (DPAs) that advises the EU Commission on EU data protection law—issued a number of GDPR guidance documents, including explanations for the mandatory DPO role, new individual right to data portability, and how to identify a “lead authority” for the GDPR’s one-stop shop enforcement mechanism.

Why Should You Care?

Organizations that are subject to the GDPR’s broad scope and grappling with how to comply with the regulation finally have some guidance to refer to in implementing the GDPR’s provisions on data portability, the DPO’s role, and identifying the lead supervisory authority.

The New Data Portability Right

The Data Portability Guidelines clarify the main elements of the new data portability right, when the right applies, the general rules governing the exercise of the right, and how portable data must be provided. The new data portability right allows individuals to obtain and reuse their personal data across different organizations. The main elements of data portability include: (1) a right to receive personal data; (2) a right to transmit personal data from one controller—the entity determining the purposes and means of the processing of personal data—to another controller; (3) having different tools/means to transmit data; and (4) controllership over data, which means that organizations answering data portability requests must be the controller responsible for processing the requesting individual’s personal data.

The data portability right applies under the following scenarios:

• only where the processing is based on the data subject’s consent or on a contract to which the data subject is a party
• only to personal data, not to anonymous data
• to personal data actively and knowingly provided by the data subject and observed data which are “provided” by the data subject by virtue of their use of the service or the device
• so long as the exercise of the data portability right does not adversely affect the rights and freedoms of others

Organizations that collect and process EEA individual data must follow the below general rules relating to the new data portability right:

• inform data subjects about the new right
• not refuse to act on a data subject’s data portability request, unless its processing of personal data does not require the identification of a data subject and it can demonstrate that it is not able to identify the data subject
• provide the personal data to the data subject “without undue delay” and in any case “within one month of receipt of the request” or within a maximum of three months for complex cases
• not charge a fee for the provision of the personal data, unless it can demonstrate that the requests are unfounded, or excessive (e.g. repetitive)

Where an EEA individual appropriately exercises their new data portability right, an organization must provide the data the following ways:

• in a format that supports re-use                 
• with as much metadata with the data as possible at the best possible level of granularity, to preserve the precise meaning of the information
• for large or complex personal data collection, one of the ways in which an organization can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API), that would enable individuals to make requests for their personal data via their own or third party software or grant permission for others to so do on their behalf
• securely transmitted (e.g. using encryption) to the right destination (e.g. using additional authentication information)