A29WP Issues Guidance Addressing GDPR Woes: Data Portability Right
In December 2016, the EU’s Article 29 Working Party (A29WP)—a group comprised of EU national data protection authorities (DPAs) that advises the EU Commission on EU data protection law—issued a number of GDPR guidance documents, including explanations for the mandatory DPO role, new individual right to data portability, and how to identify a “lead authority” for the GDPR’s one-stop shop enforcement mechanism.
Why Should You Care?
Organizations that are subject to the GDPR’s broad scope and grappling with how to comply with the regulation finally have some guidance to refer to in implementing the GDPR’s provisions on data portability, the DPO’s role, and identifying the lead supervisory authority.
The New Data Portability Right
The Data Portability Guidelines clarify the main elements of the new data portability right, when the right applies, the general rules governing the exercise of the right, and how portable data must be provided. The new data portability right allows individuals to obtain and reuse their personal data across different organizations. The main elements of data portability include: (1) a right to receive personal data; (2) a right to transmit personal data from one controller—the entity determining the purposes and means of the processing of personal data—to another controller; (3) having different tools/means to transmit data; and (4) controllership over data, which means that organizations answering data portability requests must be the controller responsible for processing the requesting individual’s personal data.
*This alert was originally posted on Arent Fox's Behind the Scenes blog. To read this alert in its entirety, please click here.