You are here:
28 January 2019 / news

The right to data portability under the GDPR and draft DPA

With this newsletter, we aim to provide a practical overview of the most relevant changes resulting from the General Data Protection Regulation (GDPR) and the revision of the Swiss Data Protection Act (DPA). Although a draft version of the revised DPA has been published, it is still subject to debate.

In our previous article, we discussed the rights related to automated decision-making and profiling under the GDPR and DPA. This article focusses on the right to data portability.

The right to data portability under the GDPR

Under the GDPR, the right to data portability allows data subjects to obtain their data from a particular controller in order to transmit them to another controller.

Where technically feasible, data subjects have the right to have their personal data transmitted directly from one controller to another. This right aims to give data subjects more control over their personal data, while enabling them to switch from one service provider to another without losing their cumulated data.

For example, data subjects may request their previous telecom provider to supply personal data relating to their mobile phone use, thus allowing a new telecom provider to identify a price package that corresponds best to their habits.

The right to data portability only applies to personal data which:

  • data subjects have provided to the controller. This includes data actively and knowingly provided by data subjects (e.g. mailing address, user name, age, etc.), as well as data which relate to the data subjects’ activity, or which result from the observation of their behaviour (e.g. search history, traffic data, location data, etc.). In contrast, personal data inferred or derived from the analysis of data provided by data subjects which was generated by the data controller as part of data processing (e.g. a credit score or the outcome of an assessment regarding the health of a data subject), do not fall within the scope of the right to data portability.
  • were processed based on the data subjects’ consent, or on the necessity to fulfil a contract.
  • were processed by automated means. The right to data portability therefore does not cover paper files.

The controller must provide the personal data free of charge and in a structured, commonly-used and machine-readable form. In other words, the format must support re-use.

In addition, personal data must be provided without undue delay and within one month of receipt of the request from the data subject (or within a maximum of three months for complex cases).

No right to data portability under the DPA

The draft DPA does not provide any rights to data portability. Accordingly, no corresponding obligation for data controllers exists under the draft DPA.

Comply with the highest standards

The safest approach for controllers is to comply with the highest standards of both the GDPR and the DPA by ensuring the ability to comply with the right to data portability of data subjects.

Organisations should therefore:

  • Ensure they are able to deliver all personal data provided by data subjects in a format which supports re-use without delay.
  • Set up internal procedures and protocols for handling requests from data subjects who are exercising their right to data portability. Such protocols should also include procedures for verifying data subjects’ identity.
  • Ensure their privacy policy sufficiently informs data subjects about their right to data portability.
  • Carry out regular checks to make sure systems are working as intended.


DATA PROTECTION - GLOSSARY

This document provides an overview of the definitions included in the draft of the Swiss data protection act dated 15 September 2017 (D-DPA) and Regulation (EU)... read more

Automated decision-making and profiling under the GDPR and DPA

Rights related to automated decision-making and profiling under the GDPR and DPA read more
Rights to withdraw consent, object and lodge a complaint with a supervisory authority under the GDPR and DPA

Rights to withdraw consent, object and lodge a complaint with a supervisory authority under the GDPR and DPA

Learn more about the rights to rectification, erasure and restriction under the GDPR and DPA. read more