Within data protection law, the sixth right people have is the right to data portability. People can ask for the personal data they gave, and receive it in a structured, commonly used, and machine readable format. They may also request a secondary controller to receive the information as well.

This right allows people to reuse their own data across different services, such as moving, copying or transferring data from one IT system to another in a safe and secure way.

Like all requests, it can be done verbally, online, or in writing, to any part of your organisation. You must first be certain of their identity, and that they can be asking for that person’s data.

When does the right to data portability apply?

This request only applies when you are a controller of their data, and you are processing through automated means. Additionally, your lawful basis for processing must be either consent, or for the performance of a contract.

The right only applies to the requestor’s personal data, not to their data that has been genuinely anonymised. If there is a third party involved, such as in a joint bank account, you must consider whether sharing the data will affect the third party’s rights and freedoms, or attempt to also gain their consent.

The right cannot be manifestly unfounded or excessive, or if there is an overriding lawful basis.

What should I do?

If you are refusing the request, you must inform them why you are refusing, of their right to complain to a supervisory authority (such as the ICO), and their ability to legally fight for this right.

If the data portability request is valid, you must respond as soon as possible, and within a month.

You must provide the data in a structured, commonly used and machine-readable format. Ideally, it will also be interoperable. This will change depending on your industry, but common formats include CSV, XML and JSON.

If you need any more information regarding the right to data portability, how to share the data in an appropriate format, or other advice on dealing with data privacy rights, feel free to contact us.

Next week, we’ll be looking at the right to object.