Article 20 Right to data portability
Assign topic to the user
EU GDPR PERSONAL DATA PROTECTION POLICY
Top-level document that describes main roles and responsibilities.
Get it now 
EU GDPR PERSONAL DATA PROTECTION POLICY
Top-level document that describes main roles and responsibilities.
Get it now
EU GDPR PERSONAL DATA PROTECTION POLICY
Top-level document that describes main roles and responsibilities.
Get it now
(1) Indicates the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller…
(2) … the data subject shall have the right to have the personal data transmitted directly from one controller to another…
If a data subject requests to have his/her data transmitted directly from one controller to another and the recipient controller only utilizes a subset of the data provided. If at some future point the data subject requests to have his/her data transmitted again… is the new controller required to provide all of the data (including data elements that were included in the original transmission but never utilized)? Or is it ok to just transmit the data that was actually used? (just a subset of the original data)
Example:
Data Transmitted from Controller A to Controller B
· Name (prefix, first, middle, last, suffix)
· Nick Name
· DOB
· Email addresses (primary, secondary, professional…)
· Mailing address
· Title
· Credentials
· List of interests
· List of books read
Data Supported and Utilized by Controller B
· Name (prefix, first, middle, last, suffix)
· Email address (only primary)
· Mailing Address
· Title
· Credentials
Data subject requests Controller B to transmit data to Controller C… What is Controller B required to transmit to Controller C?
Answer:
I just want to begin by saying that the right to data portability as defined by EU GDPR article 20 (https://advisera.com/eugdpracademy/gdpr/right-to-data-portability/) only applies:
- to personal data “provided to” the controller by the data subject for example to photos posted to a social network or content stored on a cloud service; and
- where the controller is processing personal data is based on consent or performance of a contract.
To come back to your example Controller B, if faced with a request for data portability, will need to provide to Controller C only the data that it processes in order to provide the service to the data subject not the excess data that the Controller A provided.
Comment as guest or Sign in
Feb 07, 2018