The right to data portability under the GDPR and D-DPA
With this newsletter, we aim to provide a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the revision of the Swiss Draft Data Protection Act (D-DPA). Although a draft version of the revised D-DPA has been published, it is still subject to debate.
In our previous article, we discussed the rights related to automated decision-making and profiling under the GDPR and D-DPA. This article focusses on the right to data portability.
The right to data portability under the GDPR
Under the GDPR, the right to data portability allows data subjects to obtain their data from a particular controller in order to transmit them to another controller.
Where technically feasible, data subjects have the right to have their personal data transmitted directly from one controller to another. This right aims to give data subjects more control over their personal data, while enabling them to switch from one service provider to another without losing their accumulated data.
For example, data subjects may request their previous telecom provider to supply personal data relating to their mobile phone use, thus allowing a new telecom provider to identify a price package that corresponds best to their habits.
The right to data portability only applies to personal data which:
- data subjects have provided to the controller. This includes data actively and knowingly provided by data subjects (e.g. mailing address, user name, age, etc.), as well as data which relate to the data subjects’ activity, or which result from the observation of their behaviour (e.g. search history, traffic data, location data, etc.). In contrast, personal data that the data controller generates as part of data processing, by inferring or deriving them from the data provided by data subjects (e.g. a credit score or the outcome of an assessment regarding the health of a data subject), do not fall within the scope of the right to data portability.
- were processed based on the data subjects’ consent, or on the necessity to fulfil a contract.
- were processed by automated means. The right to data portability therefore does not cover paper files.
The controller must provide the personal data free of charge and in a structured, commonly used and machine-readable format. In other words, the format must support re-use.
In addition, personal data must be provided without undue delay and within one month of receipt of the request from the data subject (or within a maximum of three months for complex cases).
No right to data portability under the D-DPA
The draft DPA does not provide any rights to data portability. Accordingly, no corresponding obligation for data controllers exists under the D-DPA.
Comply with the highest standards
The safest approach for controllers is to comply with the highest standards of both the GDPR and the D-DPA by ensuring that they are able to honour data subjects’ right to data portability.
Organisations should therefore:
- Ensure they are able to deliver, without delay, all personal data provided by data subjects in a format which supports re-use.
- Set up internal procedures and protocols for handling requests from data subjects who are exercising their right to data portability. Such protocols should also include procedures for verifying data subjects’ identity.
- Carry out regular checks to make sure systems are working as intended.