The Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection) received your questions regarding the right to data portability under Article 20 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR).
You explained that you are currently developing a “Data portability Request/Subject Access Request“ (hereinafter: “DR/SAR”), which is fully automated tool allowing data subjects to easily execute their right to data portability within the meaning of Article 20 GDPR and their right to access within the meaning of Article 15 GDPR. This request, however, only deals with one of the part of the tool which allows data subjects to have their data transmitted directly from one data controller to another under Article 20(2) GDPR. To avoid neglect in terms of privacy or data protection and to assure that your thought process is correct you requested an expert opinion of the Information Commissioner on the entire concept and technical background of “DR/SAR”. You also attached a .pdf file describing the concept as well as essential features and functionality of “…” service in detail to the request.
The Information Commissioner initially emphasises that it is only possible to provide specific opinion and answers to your questions in the course of an inspection procedure where all aspects of data processing and its compliance with the relevant GDPR provisions are assessed in the context of a specific use case. Hence, at this point, and in relation to your description of the functioning of the tool “DR/SAR”, it is only possible to provide general comments, as follows bellow.
Firstly, it is important to highlight the purpose of the right to data portability. In essence, data portability provides the ability for data subjects to obtain and reuse their data for their own purposes and across different services. This right facilitates their ability to move, copy or transfer personal data easily from one IT environment to another, without hindrance. In addition to providing consumer empowerment by preventing “lock-in”, it is expected to foster opportunities for innovation and sharing of personal data between data controllers in a safe and secure manner under the control of the data subject. The rationale behind Article 20 GDPR is therefore not to pursue economic benefit.
Furthermore, the Information Commissioner emphasises that the right to data portability applies under 3 cumulative conditions:
- the personal data requested should be processed, by automatic means (i.e. excluding paper files) on the basis of the data subject’s prior consent or on the performance of a contract to which the data subject is a party (excluding the other four legal bases provided by the GDPR);
- the personal data requested should concern the data subject and be provided by him (knowingly and actively by the data subject as well as the personal data generated by his or her activity);
- the exercise of this right should not affect adversely the rights and freedoms of third parties.
The GDPR obliges the data controller to react appropriately to data subjects wishing to exercise their rights. It does not instruct the controller or the data subject to use specific technical means for execution of the rights, but rather leaves room for different solutions in the context of procedural rights and guarantees as specified in Articles 12-23. In our opinion the controller must react appropriately to all requests for execution of data subjects’ rights that are received in a way admissible, considering procedures provided for in the GDPR and potential national legislation, regardless of the technical means used for this, whether it is by post, e-mail, specific application, etc. It is also important to stress that Article 12 of GDPR prohibits data controller from charging a fee for the provision of the personal data (unless the requests are manifestly unfounded or excessive).
Article 29 Data Protection Working party stated in its Guidelines on the right to data portability (WP 242 rev.01) that data subjects may make use of a personal data store, personal information management system or other kinds of trusted third-parties, to hold and store the personal data and grant permission to data controllers to access and process the personal data as required, so data can be transferred easily from one controller to another (WP29). On personal information management systems, see, for example, EDPS Opinion 9/2016, available at https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2016/16-10-20_PIMS_opinion_EN.pdf.
Finally, the Information Commissioner points out that it is not in its competence to approve particular business models, concepts, technical/IT solutions or applications. In the case of IT solutions that could have significant consequences on the protection of personal data of individuals, it is advisable to carry out an appropriate data protection impact assessment (hereinafter: DPIA). Such impact assessment should not be performed by the Information Commissioner instead of the controller.
Information Commissioner of the Republic of Slovenia