Article Post on 27 April 2017

Guidelines on the Right to Data Portability

_ The Article 29 Working Party, comprised of members of all the National Data Protection Authorities of the European Union, on 13 December, 2016 adopted Guidelines on the right to data portability.

Article 20 of the General Data Protection Regulation (GDPR), dated 27 April 2016, introduces a new right for data subjects. Pursuant to this, they have the right to receive their own personal data, which they have provided to a controller for processing either by their consent or in the performance of a contract, and for processing carried out by automated means, ‘in a structured, commonly used, and machine-readable format.’ The subjects have the right to transmit their data to another controller without hindrance.

As this new right aims to support the free flow of personal data, to foster competition between controllers, and to facilitate switching between different service providers, the Article 29 Working Party issued guidance on how to interpret and implement this right to data portability.

The Guidelines deal with the following practical questions:

  • What are the main elements of data portability?
    Regarding the provision of Article 20 of the GDPR, the Guidelines define such elements as the ‘right to receive personal data’, and ‘data portability tools’.
  • When does data portability apply?
    • Which processing operations are covered by the right to data portability?
      Processing operations based either on the data subject’s consent or a contract.
    • What personal data must be included?
      Personal data concerning the data subject, which he/she has provided to a data controller.
  • How do the general rules governing the exercise of data subject rights apply to data portability?
    • What prior information should be provided to the data subject?
      The availability of the new right to data portability.
    • How can the data controller identify the data subject before answering his/her request?
      With, at least, the implementation of an authentication procedure.
    • What is the imposed time limit imposed for answering a portability request?
      Without undue delay and, in any case, within one month of receipt of the request, even if it concerns a refusal.
    • In which cases can a data portability request be rejected or a fee charged?
      This is prohibited, unless it can be demonstrated that the requests are manifestly unfounded or excessive.
  • How must the portable data be provided?
    • What is the expected format?
      A format that supports re-use, and it must facilitate interoperability.
    • How to deal with a large or complex personal data collection?
      The data subject must be placed in a position to fully understand the definition, schema and structure of the personal data.
    • How can portable data be secured?
      The data controller is responsible for taking all the security measures needed to ensure that the personal data is securely transmitted to the right destination and for recommending the appropriate formats to help the data subject to protect the data received.


For any additional information on this topic, please contact Emmanuelle Ragot, Partner and Head of IP/TMT.

Share this content