The right to data portability according to the European Supervisory Authorities
Recently, the group of European data protection supervisory authorities (the “Art. 29 Group”) published a working paper with guidelines on the new right to data portability (Working Paper No. 242).
In several places the requirements set out there go beyond the statutory wording, so companies should examine the guidelines carefully. This concerns the following points:
- The right to data portability should apply not only to personal data that the data subject communicated directly, but also to data generated by user activity. Only derived and inferred data should fall outside the scope of “provided data”. This is contrary to Art. 20 para. 1 sentence 1, first half-sentence GDPR, which explicitly covers only data “provided” by the data subject. It is clear, however, that only data processed on the basis of the data subject’s consent or for the performance of a contract between the controller and the data subject are covered. Therefore, at least all data that were directly necessary for the performance of the contract, including data generated by user activity, fall under the right to data portability. For example, an online retailer will have to release information about each order a customer placed earlier.
- The controller shall provide the data in a form compatible with the data formats of other controllers, although this compatibility requirement appears only in a recital as a non-binding recommendation (“interoperability”, Recital 68 GDPR). Under Art. 20, provision in a commonly used data format is sufficient. The recommendation to develop and provide an API should likewise be understood as a voluntary measure.
- Controllers receiving data should be obliged to actually import the transmitted data into their own systems. However, Art. 20 GDPR does not impose an obligation on receiving companies to use the data; it is limited to the transmission by the data subject or by another controller.
Measures at the data recipient company
According to the Art. 29 Group, the company receiving the data should be obliged to check whether the data protection requirements are met for the newly received data. In particular, the purpose of the data must be checked. Furthermore, the receiving company must immediately fulfil its duty to inform the data subject. In addition, third parties whose data are included in the data set sent by the data subject may have to be contacted. Such information letters should contain only the relevant information and no advertising for the receiving company, so as not to conflict with Section 7 para. 2 UWG.
Conclusion on data portability
Finally, the Art. 29 Group points out that IT security against access by third parties must be ensured, as must the integrity (inalterability) of the data during transmission. The receiving company would also have to ensure these IT measures.
In summary, the working paper provides support in implementing the requirements of the GDPR, and the practical examples it gives can be helpful. However, in our opinion there are several points on which the Art. 29 Group goes beyond the legal requirements, which may lead to disputes later on.