The seventh blogpost in our series on GDPR rights is about the right to data portability. See here for the first blogpost on your right to be informed, the second on the access right, the third on the correction right, the fourth on the deletion right, the fifth on the objection right, and the sixth on the restriction right.
Part 7: The right to data portability
This is a new right under GDPR and its aim is to allow individuals to be able to easily get back certain personal information so they can do other things with it, or give it to another company. There are two aspects to the right:
- The right to get back some information.
- The right to have that information sent automatically to another organisation.
However, this right does not apply to all information in all circumstances, so it may be of more limited use to you than you might have thought.
The right to get back some information
The right only applies to:
- personal information that you have provided to an organisation;
- where you have given consent or where the processing is necessary to deliver the product / service; and
- when the processing is carried out by automated means (so not paper files).
An organisation has to provide the information in a structured, commonly used and machine readable form (such as a CSV file).
The data protection regulators have taken a wider view of what information is in scope, and they have published an opinion saying that the right also includes ‘observed data’, meaning user activities or information generated by your use of a product / service. Examples would be raw data processed by a smart meter or connected objects, activity logs, website history, or raw data such as the heartbeat tracked by a wearable device.
The European Commission (who drafted the first version of GDPR) do not agree with the regulators and think their view is incorrect. However, the regulators have not amended their guidance, so this may be an area of GDPR that has to be tested in the courts to decide what information the portability right applies to.
The right to have the information sent automatically to another organisation
If you request it, an organisation has to transmit the information directly to another organisation – if this is technically feasible.
What does that mean in practice?
In practice the best way to get all the information an organisation holds about you is by making an access request. However, you may find that certain information is useful to you when changing providers, such as in relation to your bank, mobile phone, energy company and so on. In these cases the portability right might be more helpful.
GDPR does not oblige organisations to set up interoperable systems so it is unlikely that many providers will have the technical ability to port your personal data directly to another organisation. However, some sectors may have already decided to look into this, or may offer it as part of other obligations. It is also possible that some sectors may voluntarily decide to develop their services in a way that offers interoperability.
When does the right not apply?
As set out above, this right only applies to certain data in certain circumstances.
The UK’s Data Protection Act 2018 to implement GDPR has exemptions that mean that an organisation may not have to comply with your portability request in certain circumstances. For example, where your information is being processed for the prevention or detection of crime, where the organisation is required to disclose it as part of legal proceedings or where another law requires the organisation to publish the information. The exemptions are not blanket ones though, they only apply to the extent that complying with the portability right would prejudice the crime prevention purpose or prevent the required disclosure. This means that if an organisation is able to comply it should do so.
The organisation also has to be able to verify your identity before taking action as a result of your request.
Fees and timescales
Under GDPR the organisation has 30 days to respond and cannot charge a fee.
However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The UK Data Protection Act 2018 allows the Government to set limits on the fees (which they haven’t yet put in place). Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.
What is Yoti doing?
We are bringing in the ability to export your attributes directly from the app, and your password information from Yoti Password Manager.
You can make a portability request to firstname.lastname@example.org.