Right To Data Portability
The Right to be forgotten and the Right to Data Portability are some aspects that was laid down in the European Union’s General Data Protection Regulation (data portability GDPR), passed in April 2016, and will be applicable in all EU countries from May 25, 2018. Article 20 of the new General Data Protection Regulation introduced a new right for data subjects, defined as the “right to data portability” (data portability EU), based only on electronic processing, thus different from the Right of Access. The definition of data portability is: it allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability (right to data portability GDPR).
Guidelines on data protection officers declares that he has the right to transmit such data to another holder of the processing without any objections by the first owner, for example another company. The data must be provided “without undue delay, and within one month”. This can be extended by two months where the request is complex or you receive a number of requests. You must inform the individual within one month of the receipt of the request and explain why the extension is necessary. The goal of the right to data portability is to ensure the transfer of your data between an online service and another; So people can move from one service provider to another, preventing the formation of the “lock-in” (blocking within a service). In this sense, individuals have greater control over their personal data and also create more competition between companies in the market law, which is able to guarantee principles of innovation and development.
The right is limited to personal data, so it does not apply to anonymous data, but instead applies to those data that are partially anonymous, as they are linked to personal data. It’s not limited to the personal data communicated by the data subject to the data controller (mail address), but also extends to the personal data generated and collected by the person concerned (location data, search history). On the contrary, the data generated by the holder does not fall into the data based on the analysis of the data provided or collected by the person concerned (eg credit score).
The Article 29 Working Party on data portability published the guidelines to exercise the right to data portability, for example, explaining the possible case in which data transfers may be related to data from other people; This is the case for telephone operators where telephone traffic always implies reference to other people’s data (telephone numbers). The data subject also has the right to receive such data, but WP29 has made it clear that if the data is transferred to another provider, he or she has the obligation not to process the data of other people. Such a right “must not interfere with the rights and freedoms of others”, specifying that in the event that “a certain set of personal data concerns more than one person, the right to receive personal data should not affect the rights and freedoms of others concerned. ” Above all, it is of fundamental importance that the right to data portability does not obstruct the right of cancellation and all the constraints imposed by the Regulation to such a right, so as not to result in the deletion of the data when it is provided for The execution of the contract.