Understanding GDPR Article 20: The Right to Data Portability
GDPR Article 20 gives a data subject the right to receive the personal data they have provided to a controller, and to transmit that data to another controller, where the processing is based on consent or a contract and is carried out by automated means.
When providing the data to the subject, organisations need to ensure that it is in a structured, commonly used and machine-readable format, easily accessible, and free from errors.
GDPR Article 20 Legal Text
EU GDPR Version
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
   (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
   (b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
UK GDPR Version
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
   (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
   (b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Technical Commentary
There are four key rights to consider when discussing data portability:
- the data subject's underlying right to data portability (Article 20(1));
- the data subject's right to have personal data transmitted directly to another controller, where technically feasible (Article 20(2));
- the right to erasure under Article 17, which the right to portability is without prejudice to (Article 20(3));
- the rights and freedoms of others (e.g. other data subjects whose data is mixed in with the requester's) when considering the transfer (Article 20(4)).
ISO 27701 Clause 7.3.8 and EU GDPR Article 20
In this section we discuss GDPR Article 20(1) to 20(4).
Providing a Copy of PII
ISO 27701 requires organisations to provide a copy of an individual's data in an easily accessible format that is clear, error-free and pertains only to the person who made the request.
If data has been de-identified, organisations should not attempt to re-identify PII, unless legally required to do so.
Organisations should also adhere to their responsibilities regarding the direct transfer of PII to another organisation.
Index of Linked EU GDPR Articles and ISO 27701 Clauses
GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses
---|---|---
EU GDPR Article 20(1) to 20(4) | ISO 27701 7.3.8 | None
How ISMS.online Helps
We’ve got you covered
Although GDPR is a standalone regulation that you can work towards on its own, there is great benefit in taking a complementary approach alongside other key ISO standards.
For example, as an information security management standard, ISO 27001 provides comprehensive controls around the protection of information assets, while ISO 27701 extends it with a specific focus on privacy information management. Approaching GDPR alongside one or both of these standards will give you and your customers maximum assurance.
Our intuitive platform makes it easy to work towards multiple information security and data privacy goals, mapping your work across multiple standards and frameworks, cutting out duplication and repetition where they intersect.
After you’ve successfully achieved ISO 27001, ISO 27701 or GDPR certification, you’re in an excellent position to expand your data privacy posture to include one of our other regional privacy frameworks:
- POPIA
- BS 10012
- Australian Privacy Principles
- NIST Privacy Framework
- OECD Privacy Guidelines
- APEC Privacy Framework
- And more
Find out more by booking a hands-on demo.