Exercise Your Rights - Article 20 – Transfer your data!
Do you need your electronic files from your old gym or health clinic to be transferred to your new one? Would you like to receive a readable copy of the heart rate log from your fitness band or monitor? The GDPR can facilitate these tasks via its introduction of a right to data portability. If these scenarios seem similar to recent changes of information that you want or need, read on to find out how to exercise your right to transfer your data…
Your Right to Data Portability
What is a right to data portability?
The right to data portability is a new right introduced under the GDPR. As a data subject, it allows you to receive, process and transfer your personal data according to your wishes, and to manage and reuse your personal data yourself.
With the right of portability, you can:
- transfer your personal data from one controller to another (eg switching accounts) without further barriers;
- store your personal data from a controller on a private device for your own reuse;
- receive a copy of your personal data in a format that allows you to easily reuse it.
The technical elements of transferring or transmitting data are the controller’s responsibility, not yours. The GDPR encourages controllers (ie the companies or organisations deciding how to store, collect and use your data) to implement simple and interoperable mechanisms for transferring data. It also prohibits the old controllers from imposing barriers to transmission, such as charging fees to individuals who make transfer requests, and prohibits the new controllers from using your transferred data for their own purposes.
What personal data can I transfer?
You can transfer or receive any personal data that:
- you have provided to the controller to whom you are making the request;
- uses consent or contract as its basis for processing (if you do not know the basis for processing your data, you can find out by making an access request);
- is processed by automated means, ie is not a paper file.
The notion of “data you have provided to the controller” is not limited to personal information you provide directly or knowingly to the controller. It also includes personal data generated by your activity. Examples of generation by activity could include your search history on your computer or phone, location data from a running app, or data about your heart rate collected by a wearable device. However, in order to be transferred this data can of course not be anonymous: the controller must be able to link it to you, eg via an account name or number or a device number.
When can I transfer my personal data?
You may not be able to transfer or receive your data from a controller in every situation, particularly if the personal data in question does not fit the criteria above.
To have your data transferred directly to another controller, the GDPR specifies that the portability must be “technically feasible”. If technical impediments prohibit direct transmission, the controller must explain them to you.
How does a data portability right interact with my other GDPR rights?
To confirm whether exercising your right to portability is the most suitable move for you, we recommend first considering how it interacts with other GDPR rights.
The right of access complements your right to portability by allowing you to confirm whether the controller can actually transfer or transmit the data you want to transfer or use. Exercising your right of access can confirm:
- if your data is processed on a basis that allows for data portability;
- if the controller has retained the data in question, eg has not deleted it because of the expiration of a lawful storage period;
- if the controller is processing other personal data about you of which you were unaware, but which you now also want transferred.
Transfer does not guarantee erasure. Exercising your right to data portability will not automatically activate your right to data erasure. This means that transferring your data from one controller to another will not guarantee that the first controller will delete it. To ensure your data is deleted from a controller’s systems, you will need to exercise your right to erasure.
Like any other GDPR right, the right to data portability does not prevent you from continuing to use and benefit from a controller’s services after you have made a portability request to them.
How do I exercise my right to portability?
Step 1: Identify where to send your request
A request to transfer your data should be addressed to the controller (the organisation/entity/administration/company processing your data).
A transfer request can be made by email, letter, or even fax, as long as you leave a written record of the request. You can simply email (or address your letter to) the company or state body that is processing the personal data you want transferred to another controller or transmitted to you.
The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not yours - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.
- Inform the controller that you are asking for the transfer of your data and where you want it to be transferred (eg receiving a copy on your private device, receiving a copy for re-use with another provider, or having it transmitted directly to another provider).
- Specify your name or other identifier used by the controller (eg an account username). To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname.
- Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.
If you prefer, you can also use the tools provided by mydatadoneright.eu. Their system will write and send the transfer request for you.
Once the controller receives your request, it has one month to respond. This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.
The controller can ask you for additional information to confirm your identity in case of doubt. However, such a request should be limited to the additional information necessary to confirm who you are. The additional information cannot be disproportionate, having considered the context of the processing of your data (eg a shop asking you for a copy of your passport to change the address of a loyalty card would be disproportionate).
The controller will have to explore different options to transfer your data, eg a direct transmission of the overall dataset of portable data (or several extracts of parts of the global dataset), or an automated tool that allows extraction of relevant data. The GDPR places requirements on data controllers to provide the personal data requested by the individual in a format that supports re-use.
In a response to a transfer request, the controller must provide you or the other controller with your data in a format that is structured, commonly used, and machine readable. This means that the data should be organised and structured in a format you can read, as well as in a widely used format that can be automatically read and processed by a computer. It is also the controller’s responsibility to ensure that your data is sent securely and to the correct destination.
If you ask for a direct transfer of your data to another provider, then the controller may refuse if it demonstrates that such a transfer is not technically feasible, and explains the reasons why.
Step 4: What if the controller does not answer or refuses my request?
If the controller:
- rejects your request without a satisfactory explanation,
- tries to unjustifiably charge you for your request,
- does not respond after a month (or an extended period of a maximum of 3 months),
you are entitled to file a complaint with a data protection authority (eg the DPA where you live or work), and the controller should inform you about that.
If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at info@noyb.eu to discuss further steps.