Lexicon > Right to portability
IT Glossary
The right to portability of personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:
- The right to information;
- The right to access;
- The right of rectification;
- The right to erasure;
- The right to limitation of processing;
- The right to data portability;
- The right to object.
Under the right to portability, data subjects may request from the controller the receipt of their data in a structured, commonly used and machine-readable format.
The data may then be transferred to another controller without the controller to whom the personal data were originally transferred being able to object.
This transmission can be carried out directly between the two data controllers if the data subject so requests, and only when technically possible. Data controllers are thus encouraged to develop interoperable formats that allow data portability.
However, the right to portability can only be exercised in the following cases:
- The processing is based on consent; OR
- The processing is based on a contract; AND
- The treatment is carried out using automated processes.
Finally, the exercise of this right to portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and must not infringe rights and freedoms.
GDPR
“To further strengthen their control over their own data, data subjects should also have the right, where personal data are processed by automatic means, to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, machine-readable and interoperable format and to transmit them to another controller. Data controllers should be encouraged to develop interoperable formats for data portability […]”
Recital 68 of the GDPR
Point of jurisprudence
The District Court of Amsterdam recalls that ” the format in which the information is to be provided must allow for interoperability, meaning that the data can be shared in a variety of computer formats, […] and can be considered as part of the main public file formats such as XML, JSON, CSV”.
Rechtbank Amsterdam, 11 March 2021, No. C/13/687315 / HA RK 20-207
The Bouchara firm assists you in particular in :
- Making your organization GDPR compliant;
- The drafting of data protection policies (privacy policy, computer charter …);
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.
We are also the external Data Protection Officer of many data processors and subcontractors.
