Article 20
Right to data portability

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 20 keyboard_arrow_down Hide the recitals of the Regulation related to article 20 keyboard_arrow_up

(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.

(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

The GDPR

Article 20 gives the data subject a new right: the right to data portability. This appears as an improved right of access, which is associated an interoperability requirement (see G29, Opinion 06/2014 of 9 April 2014 on the concept of legitimate interest pursued by the controller, p. 54).

 

The purpose of the right is, according to the explanatory memorandum to the first proposed Regulation "to transmit data from an automated processing system to another, without the controller ". For this purpose, it allows the data subject to receive the data  provided to the controller "in a structured, commonly used and machine-readable format".  A novelty in the final version of the Regulation, it may even require that data to be transmitted directly by the first controller to the second, where technically possible.

Let’s note that the other data – that the controller could for example obtain from any third parties – are not covered by such right since these data were not communicated by the data subject to the controller.

The exercise of this right is subject to a double condition: it must necessarily come to processing carried out using automated processes, on the one hand, and based on the consent the data subject, either concerning sensitive data or a contract entered into between the data subject and the controller, on the other hand.

The ratio of this new right would allow the data subjects to recover the use made of the data and strengthen their right of access, recognizing them a more active role (see recital 68). Article 20 specifies that the right to data portability is defined without prejudice to the right to erasure, within the meaning of Article 17 of the Regulation.

Paragraph 3 specifies that the right to data portability is not applicable to the processing necessary to the performance of a task in the public interest or in the exercise of the official authority vested in the controller.

An exception to the right to portability has been added by the second proposal to the Regulation in Article 20 (4) when the data disclosure is likely to affect the rights and freedoms of third parties.

The Directive

Neither the Directive nor most national laws provide for data portability.

Potential issues

This new right is one of the major innovations of the Regulation and in general, probably expresses a very important development in the progress to recovery of control on the data by the data subject itself.

If the goal is laudable, it remains to see how it will be implemented in practice, insofar as it implies a dialogue of the controllers and doubtlessly, an agreement - at least implicit - on the means and the standards used for data recovery.

The text says nothing about the further use of the data by the first controller with which this right is exercised. It is concluded that the general principles of protection continue to apply and that the controller can keep it only to the extent strictly necessary for the announced purposes.

The text says nothing either about the fate of the data "generated" by the use of a product or service and which are not actually 'communicated' by the data subject: data related to billing, traffic data, location data, etc. Are they covered by this new right?

Group 29

Guidelines on the right to data portability (5 April 2017)

(Endorsed by the EDPB)

Article 20 of the GDPR creates a new right to data portability, which is closely related to the right of access but differs from it in many ways. It allows for data subjects to receive the personal data that they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another data controller. The purpose of this new right is to empower the data subject and give him/her more control over the personal data concerning him or her.

Since it allows the direct transmission of personal data from one data controller to another, the right to data portability is also an important tool that will support the free flow of personal data in the EU and foster competition between controllers. It will facilitate switching between different service providers, and will therefore foster the development of new services in the context of the digital single market strategy.

This opinion provides guidance on the way to interpret and implement the right to data portability as introduced by the GDPR. It aims at discussing the right to data portability and its scope. It clarifies the conditions under which this new right applies taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject. The opinion also provides concrete examples and criteria to explain the circumstances in which this right applies. In this regard, WP29 considers that the right to data portability covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity. This new right cannot be undermined and limited to the personal information directly communicated by the data subject, for example, on an online form.

As a good practice, data controllers should start developing the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The opinion also helps data controllers to clearly understand their respective obligations and recommends best practices and tools that support compliance with the right to data portability. Finally, the opinion recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. 

Link

Regulation
1e 2e

Art. 20

1.   The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2.   In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3.   The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4.   The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

1st proposal close

 Art. 18

1.           The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.

2.           Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

3.           The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2nd proposal close

Art. 18

1. (...)

2.

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured and commonly used and machine -readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1); and

(b) the processing is carried out by automated means.

2a. The exercise of this right shall be without prejudice to Article 17. The right referred to in paragraph 2 shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

2aa. The right referred to in paragraph 2 shall not apply if disclosing personal data would infringe intellectual property rights in relation to the processing of those personal data.

3. (...)

4. (…)

Directive close

No specific provision

No special provision under Polish law.

close