Article 20 and Recital 68 of the Applied GDPR relate to this right.
This right is limited in its application and can only be exercised in respect of personal data:
- Provided by the individual to the controller; and
- Processed with the consent of the individual or under the terms of a contract; and
- Processed by automated means.
Data 'provided' by the individual is not limited to information that has been typed in, such as a username or email address. It may include data the controller has gathered from monitoring the individual's activities when a device or service has been used. This may include:
- website or search usage history
- traffic and location data, or
- ‘raw’ data processed by connected objects such as smart meters and wearable devices. An example of this could be data recorded on a fitness app.
The right does not apply in circumstances where:
- the processing is based on any legal ground other than consent or contract; or
- the personal data is processed by a public authority in the exercise of its public duties.
Action to be taken by controllers
- respond to the individual without undue delay and within one month to communicate the action, or inaction, taken;
- provide the individual with that personal data in a structured, commonly used and machine-readable format; and/or
- transmit those data directly to another controller (where technically feasible).
The exercise of this right does not:
- prejudice the other rights of the individual
- require controllers to adopt or maintain systems which are technically compatible
- imply that the data should be erased by the controller, in particular to the extent that it is still required for the purposes of the performance of the contract with the individual.
Refusing a request
Controllers may refuse to comply with a data portability request, but must be able to justify their decision.
Requests may be refused in cases where:
- Article 20(1) is not met;
- the request is manifestly unfounded or excessive, in particular if it is repetitive;
- a restriction on the right can be justified in the particular circumstances (Article 23).
Non-compliance with requests to exercise rights
If the controller is not taking action on the request of the individual to exercise any right, it must inform the individual “without delay” (and within ONE month of receipt of the request) about:
- the reasons for not taking action; and
- their remedies, in particular the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
Guidance on the right to data portability has been endorsed by the European Data Protection Board, which should be referred to for further information.
This is available at: https://edpb.europa.eu/our-work-tools/our-documents/guideline/right-data-portability_en