🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays 🎙⏯ GDPR, AI & Cybersecurity: Upcoming webinars and replays
Call us on +(33)4 28 70 91 81
Log in

Find out everything about the right to portability in the GDPR

Home GDPR Find out everything about the right to portability in the GDPR

We meet again for the rest of our series of articles devoted to the rights of people with the right to portability. This article follows our 1 min video to understand everything from Monday May 24. Follow us on LinkedIn so you don't miss any news!  

Lie comfortably on your deckchair and off you go, we'll explain everything to you in 5 minutes! ☀

 What are people's rights?  

The GDPR mentions the rights of individuals in chapter 3 of the GDPR. Not all rights are systematically applicable to all processing, their application depends in particular on the legal basis of the processing.  

With our old articles and those to come, we explain the following rights to you:  

  • Right of access,  
  • Right of rectification,  
  • Right to object (and right to withdraw consent),  
  • Right to erasure,  
  • Right to portability.  

 Understand everything about the right to portability  

The right to portability is mentioned in Article 20 of the GDPR. This is a new right, enshrined in the GDPR. It gives the data subject the possibility of having the personal data they have provided transmitted to the data controller. The data must be transmitted to it in a commonly used and machine-readable format. Then, the person can choose to transmit this data to another data controller or request the initial data controller so that the latter transmits the data directly to another data controller.  

 The difference between the right to portability and the right of access lies in the objective pursued by the data subject. By exercising their right to portability, the person obtains their data with the aim of providing it to another data controller. The right to portability aims to give more power to data subjects over the management of their data. This right facilitates the transmission of data between data controllers, under the direction of the data subject. 
  

This new right is likely to encourage the interoperability of data formats used by service providers and thus give data subjects the possibility of easily changing service providers. To illustrate, a data subject can ask a platform such as Deezer to provide their data to them in order to then transfer it to Spotify.  

Recital 68 of the GDPR encourages data controllers to implement arrangements so that the right to portability is processed automatically, between data controllers, at the request of the data subject.  

In the event that data processing is subcontracted, the contract concluded between the parties must provide for technical and organizational measures to respond to requests to exercise rights. This then requires the processor to cooperate with the data controller to respond to requests, including the exercise of the right to data portability.  

Finally, it should be noted that exercising the right to portability does not automatically imply the deletion of data. If the person wants to have their data deleted from the information system of the initial data controller, they must make another request such as erasing their data.    

 Conditions for exercising the right to portability  

The right to portability applies provided that the following conditions are met:  

 1era condition of application: The legal basis for the processing  

To exercise the right to portability of personal data, processing must be based on the consent of the data subject or the performance of a contract.  

 2th condition of application: Treatment  

The right to portability only applies to automated data processing.  

 3th application condition: The data concerned  

The right to portability only applies to personal data that has been provided directly by the data subject. Pseudonymized data falls within the scope of the right to portability. Indeed, this process is reversible and the data can be linked to the person. However, this is not the case for anonymized data.    

The data "provided by the data subject" are on the one hand the data that they provide for example in a collection form (such as when creating a customer or user account), this will be for example the name, first name, email address, etc. But on the other hand, it is also about the information that arises from its activity. In other words, this is the data that the person generates using the data controller's service. In this sense, a search history or a playlist on a streaming application falls within the scope of the right to portability, because this data is considered to be directly provided by the person.  

 This is not the case for data that is said to be deduced or derived, it is created by the data controller based on the data provided by the person. This data is generated by the data controller, without being provided directly by the data subject. These could, for example, be suggestions provided by a music streaming application: the platform deduces a profile based on the user's listening.4th application condition: the data format   

  It should be noted that data transmitted in exercise of this right must be in a structured, commonly used format that is easily machine readable. Supervisory authorities encourage data controllers to choose data formats adapted to the type of data concerned, preferably using open and interpretable formats.

 

 Limits to the right to portability  

The exercise of the right to portability must not infringe the rights and freedoms of third parties. This involves not only not transmitting the data of a third party, but also respecting intellectual property and business secrets.  

Data of third parties may be transferred in certain cases without their consent. This is for example the case when a person exercises their right to portability with a telephone operator. In this context he can obtain communication from his contact directory. The data controller must transfer the data contained in this directory so that the right to portability is respected. This directory, however, contains the personal data of people who have not consented to their data being transferred to another data controller.  The data may be transferred to the new data controller provided that the latter does not use them in its own interest. This transfer must simply serve the interest of the person exercising their right, who uses the data for the same purposes, for personal use and under their own responsibility. The new data controller cannot, for example, reuse this data for commercial prospecting purposes.  

 Data Comply One (formerly Mission RGPD) and the right to portability  

You do not have time? You are lost? Are you having trouble managing your compliance and more specifically people's rights?  

Data Comply One (formerly Mission RGPD) allows you to create a rights exercise form. On the Data Comply One platform (formerly Mission RGPD), you have a unique link to make available to people (on the showcase website, in the various emails, etc.). When the person wants to exercise a right, they fill out this online form directly. Once the form is completed, the request to exercise rights is automatically completed in the Data Comply One platform (formerly Mission RGPD), all you have to do is respond using our templates!  

Manage your compliance with ease and peace of mind!  

Request your demo
Other articles
on the same subject