The Article 29 Working Party has now adopted and published WP 242/16 Guidelines on the right to data portability.
Article 20 of the GDPR creates a new right to data portability, which allows for data subjects to receive the personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller. The Article 29 Working Party’s guidance on the way to interpret and implement the right to data portability clarifies the conditions under which this new right applies, taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject.
The Working Party provides concrete examples and criteria to explain the circumstances in which the right applies. For example, it is suggested that the right to data portability cannot be undermined and limited to the personal information directly communicated by the data subject, for example, on an online form.
The guidelines suggest that data controllers should start developing systems that allow data portability requests to be answered where these are not already in place. They should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.
The Article 29 Working Party recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.