How to Demonstrate Compliance With GDPR Article 20


GDPR Article 20 deals with a data subject’s right to receive a copy of their data, as soon as it’s been collected, and throughout the processing operation.

When providing the data to the subject, organisations need to ensure that it is easily accessible, in a common format, and free from any errors.

GDPR Article 20 Legal Text

EU GDPR Version

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
    • the processing is carried out by automated means.

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

UK GDPR Version

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    • the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
    • the processing is carried out by automated means.

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.


Technical Commentary

There are four key rights to consider when discussing the concept of data portability:

  1. a data subject’s underlying right to ‘data portability’;
  2. a data subject’s right to have personal data directly transmitted to another controller;
  3. the right to erasure;
  4. the rights and freedoms of third parties (i.e. other data subjects) when considering the transfer of data.

ISO 27701 Clause 7.3.8 and EU GDPR Article 20

In this section we cover GDPR Articles 20 (1), 20 (2), 20 (3) and 20 (4).

Providing a Copy of PII

ISO requires organisations to provide a copy of an individual’s data in an easily accessible format that is clear, error-free and pertains only to the person who made the request.

If data has been de-identified, organisations should not attempt to re-identify PII, unless legally required to do so.

Organisations should also adhere to their responsibilities regarding the direct transfer of PII to another organisation.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article                        ISO 27701 Clause    ISO 27701 Supporting Clauses
EU GDPR Articles 20 (1) to 20 (4)   ISO 27701 7.3.8     None

How ISMS.online Helps

We’ve got you covered

Although GDPR is a standalone regulation that you can get certified for independently, there is great benefit in taking a complementary approach alongside other key ISO standards.

For example, as a risk management standard, ISO 27001 provides comprehensive controls around the protection of information assets, while ISO 27701 provides the same, but with a specific focus on data privacy. Approaching GDPR alongside one or both of these standards will give you and your customers maximum assurance.

Our intuitive platform makes it easy to work towards multiple information security and data privacy goals, mapping your work across multiple standards and frameworks, cutting out duplication and repetition where they intersect.

After you’ve successfully achieved ISO 27001, ISO 27701 or GDPR certification, you’re in an excellent position to expand your data privacy posture to include one of our other regional privacy frameworks:

  • POPIA
  • BS 10012
  • Australian Privacy Principles
  • NIST Privacy Framework
  • OECD Privacy Guidelines
  • APEC Privacy Framework
  • And more
