Right to data portability

The data subject has the right to receive the personal data that he or she has provided to a controller in a structured, commonly used and machine-readable format and, if desired, transmit that data to another controller.

The data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

This right applies

  • only to the automated processing of personal data
  • when the personal data concern the data subject and was provided by him or her
  • when the processing of the personal data is based on consent or a contract and
  • if the transfer of the data does not adversely affect the rights and freedoms of third parties.

The right does not apply to data that the controller has created on the basis of data supplied by the data subject (e.g. health assessments) or that has been compiled through the analysis of data generated by observing the data subject (such as profiling).

Neither does this right exist if the processing of personal data contained in research materials, cultural heritage materials or the descriptions of such materials for purposes of archiving is necessary and proportionate with regard to the public interest and the rights of the data subject, and the right would be likely to prevent or seriously impair the achievement of the specific purposes of such processing.

Also take the other rights of the data subject into account

Controllers must also take the other rights of data subjects into consideration and are required to pay special attention to informing the data subject: data subjects must be informed openly of the right to data portability and what the right means with regard to the controller in question.

When a data subject exercises his or her right to data portability, this does not limit the use of any other rights provided by the GDPR. The data subject can continue using the controller’s service and enjoying its benefits even after the transfer. The transfer of data from one system to another will not automatically cause the data to be erased from the controller’s systems or affect the original storage time. The data subject can continue to exercise his or her rights for as long as the controller processes his or her data.

The right to data portability may not have an adverse effect on the rights and freedoms of others.

When a data subject requests the transfer of data

The controller must identify the data subject as the person to whose data the transfer request applies. For example, the controller may have verified the data subject's identity before entering into the agreement or obtaining consent for the processing. This personal data can then be used to confirm the data subject's identity also in connection with fulfilling the rights of the data subject.  If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.

The controller must respond to the data subject without undue delay and not later than in one month from receiving the request. In the reply, the controller shall indicate the measures it has taken due to the request.

If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

How should the controller receiving the data react?

The receiving controller is responsible for ensuring that the data transferred from one system to another is necessary with regard to the new processing. The receiving controller does not have the right to process personal data that is unnecessary with regard to the purpose of the processing, even if such data is delivered to it in connection with the transfer. If the data is not relevant to the purposes of the new processing, it should not be stored or processed.

The receiving organisation becomes the new controller of the transferred personal data. Controllers are required to comply with the principles and obligations confirmed in the GDPR. For this reason, the receiving controller must announce the purpose of the new processing clearly and directly before making the data transfer request to the transferring controller. The controller must apply the data-protection principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, integrity and confidentiality, storage limitation and accountability.

In what form should the data be transferred from one system to another?

The personal data must be transferred in a structured, commonly used and machine-readable format. This does not mean, however, that controllers are required to maintain compatible systems. In order to preserve the precise meaning of the transferred data, controllers must also deliver as much accurate and precise metadata as possible with the actual data.

The GDPR does not give specific recommendations on the format of transferred personal data, as the most appropriate format varies between sectors and types of data. The stakeholders and trade organisations of different sectors are encouraged to cooperate and draw up compatible standards for fulfilling the requirements related to this right.

Can the request be refused?

The controller evaluates whether or not the right can be fulfilled. If the controller finds that the right cannot be fulfilled, it is entitled to refuse the request, and the data subject can then refer the matter to the Data Protection Ombudsman.

The controller can refuse the request if fulfilling the right would have an adverse effect on the rights and freedoms of others

or if the data subject's requests are manifestly unfounded or excessive. Alternatively, the controller can then charge a reasonable fee for fulfilling the request.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the Data Protection Ombudsman and the availability of judicial remedies.

Read more:

GDPR: Articles 12 and 20