The GDPR has extended and reinforced the rights of individuals with regard to the processing of their personal data. Within this framework, one completely new right was created, namely the right to data portability. This means that individuals can both request their personal data in a structured format and have their personal data transferred from one controller to another.
On 13 December 2016, the Article 29 Working Party (‘WP29’), the independent advisory and consultative body for European data protection authorities, published guidelines on how and when the right to data portability applies. You can find these guidelines here.
Right to data portability
The right to data portability is set out in Article 20 of the GDPR. It allows individuals to obtain their personal data in a structured, common and machine-readable format and to transfer this personal data freely to another controller. If it is technically possible, the individual can even request that data is transferred directly from the old to the new controller.
When does the right arise?
The right to data portability is subject to certain strict conditions:
1. Data provided by and concerning the individual data subject
Only data provided by and concerning the individual is eligible. According to WP29, “provide” should be interpreted in such a way that not only actively and consciously provided data is eligible, but also data created and provided by the use of services or devices (e.g., search histories, playlists, online book lists, etc.).
In our view, this interpretation does not mean that an applicant would, for example, have the right to have the results of personality tests that he took for a potential employer transferred to another potential employer. This scenario involves a subjective assessment and analysis of the personality of the applicant and is not personal data that the applicant provided or produced.
Given the restriction to personal data provided by the individual personally, the right to data portability seems to us to have relatively little impact on, for example, HR practice (however, for its relevance at the end of the employment relationship, see below).
2. Processing activities based on consent or on the execution of an agreement
The right to data portability only applies to processing for which the individual has given consent or that is necessary for the execution of an agreement to which the individual is a party, for example, the purchase of music from a streaming service. Processing on the basis of other legal grounds (such as to fulfill a legal obligation) is excluded from the scope of the right to data portability.
3. Processing activities via automated procedures
The processing must be performed using automated procedures, which implies that data held solely on paper are excluded.
4. No prejudice to the rights and freedoms of others
The right to data portability must not prejudice the rights and freedoms of others (e.g. the right to privacy, the right to access and information, etc.).
5. Obligation to provide preliminary information
The controller must inform individual data subjects regarding their new right to data portability. The exact point at which this needs to happen depends on whether the data are directly or indirectly received from the data subject (see Articles 13 and 14 of the GDPR).
Dealing with the request
When a controller receives a request to transfer data, they must provide information on the action they have taken following this request without delay and at the latest within a month.
No charge should be made for the transfer, except where requests are clearly unfounded or excessive, because of their repetitive character.
The end of the employment relationship
The question arises to what extent the right to data portability applies at the end of the employment relationship. Does the ex-employee have, for example, the right to transfer the mobile phone number that was given to him or her or the contact data of contacts in Outlook?
WP29 emphasises that, for the right to data portability to apply in an HR context, it is necessary to check in each case to what extent the various conditions (see above) are fulfilled.
Given these conditions, it seems to us that an individual’s right to transfer data to a new employer should be interpreted narrowly to cover only basic data that are provided by, and concern, the employee personally (e.g., address, bank account number, family situation).
The transfer of other data, such as a mobile phone number or contact data in Outlook, is likely to affect the rights and freedoms of the employer (which may include the right to keep a phone number and the right to confidentiality of business information) or third parties’ right to privacy. Time will tell precisely where the limits will be.