EU: Article 29 Group Publishes Draft of a Guideline on GDPR Data Portability Requirement

The Article 29 Group has published the draft of a guideline dealing with the right to data portability, a requirement by the new EU General Data Protection Regulation (GDPR).

This right to data portability only applies to data that is made available by the individual concerned and that is automatically processed by the responsible party. The Article 29 Group stresses that the phrase "made available by the individual concerned" should not be defined too narrowly. This would, therefore, not only include data that is entered into (web) forms, but also data that is generated when using a service. Given as an example of this is, inter alia, the music playlist, including how frequently a title was accessed at an online music service. Data that has not been provided by the individual concerned includes data that has been generated by the responsible party or that has been derived from the data provided. Thus, for example, the individual concerned would be entitled to access his/her logged pulse rate (heart rate), but not the classification of "occasional jogger," which is derived using an algorithm.

The right to data portability, as required by GDPR, only exists if the data processing is based either on consent, or on the fulfillment of an agreement with the individual concerned.

The paper tackles the question of how data is to be made available. The Article 29 Group does not make a concrete statement in this regard, but brings up, in particular, the creation of APIs, which are to be developed for the simple exchange of data. Depending on the format selected, it is important that it be interpretable, which is to say readable by other services.

The individual concerned should be informed at an early stage of the right to data portability. If the use of the service ends, the responsible party should have already pointed out the right to data portability at an earlier stage.

The Article 29 Group points out that the responsible party must verify the identity of the individual concerned before providing the data, which could be done using a login name and password in the case of online services.

Last but not least, it should be noted that transmission of the data must be secure in order to prevent a data breach. In order to protect the data on the end device belonging to the individual concerned, for example after downloading, the Article 29 Group proposes encryption techniques, about which the responsible party should inform the individual concerned.

This new GDPR requirement of the right to data portability itself is already amazing. Until now, the exchange of personal data between different services via APIs was more a data protection problem; however, this exchange now helps protect against the "lock-in effect" and allows the individual concerned to pass his/her data on even more easily to even more services. Practical application will tell whether the transfer of the data can still be overseen by the individuals concerned, and whether or not the collection of personal data on poorly protected end devices will lead to additional risks for the individuals concerned.

Further information:

Photo: © finecki - Fotolia

Rating: 5 (1)

© 2012 - 2019 |  2B Advice LLC - the privacy benchmark
7220 Avenida Encinas Ste 208 | Carlsbad | CA | 92011 | Phone: +1 (858) 366-9750 | Fax: +1 (212) 898 1248 | Email:
The pages do not contain any legal advice | No responsibility for the accuracy of the information. Please also notice: Privacy Notice | Legals

2B Advice GmbH Italy
2B Advice GmbH Germany | 2B Advice s.r.o. Slovakia United States of America | Slovakia | Germany | San Diego | Bonn | Berlin | Munich | Brezno | Verona