The GDPR has extended and reinforced the rights of individuals with regard to the processing of their personal data. In this framework, one completely new right was created, namely the right to data portability. This right entails that an individual on the one hand can request his personal data in a structured format and on the other hand can simply transfer these from one controller to another.
The Article 29 Working Party (WP29), the independent advisory and consultative body of European data protection authorities, published on 13 December 2016 guidelines with regard to the specific application of the right to data portability. You can find these guidelines here.
1. Right to data portability
The right to data portability is inserted in Article 20 of the GDPR. It gives a data subject the possibility to obtain his/her personal data in a structured, common and machine-readable format and to transfer these freely to another controller.
Insofar as technically possible, the individual can even request that his data are transferred directly from the old to the new controller.
2. Application conditions
The right to data portability is subject to certain strict application conditions:
(i) Data provided by the data subject and concerning him
Only data the individual provided himself and data that concern him are eligible.
According to the WP29, the notion of “provide” should be interpreted in a way that not only actively and consciously provided data are eligible, but also data created and provided by the use of services or devices (e.g., search histories, playlists, online book lists etc.).
This interpretation can, in our view, not have as a consequence that an applicant would for example have the right to have the results of personality tests that he participated in at a potential employer transferred to another potential employer. In that case, it is indeed a subjective assessment and analysis of the personality of the applicant and not personal data that this applicant provided or produced.
Given the limitation to the personal data provided by the individual himself, the right to data portability seems to us to have relatively little impact with regard to e.g. HR (however, for the relevance at the end of the employment relationship, see point 5).
(ii) Processing activities founded on consent or the execution of an agreement
This must concern the processing for which the individual has given his consent or that is necessary for the execution of an agreement.
Processing on the basis of other legal grounds (e.g., a legal obligation) are excluded from the application scope.
(iii) Processing activities via automated procedures
The processing must be performed via automated procedures, which implies that mere paper data are excluded.
(iv) No prejudice to the rights and freedoms of others
The right to data portability can not prejudice the rights and freedoms of others (e.g., the right to privacy, the right to access and information etc.)
3. Preliminary information obligation
The controller will have to inform the data subject about the new right to data portability. The exact point at which this needs to happen depends on whether the data are directly or indirectly received from the data subject (see Articles 13 and 14 of the GDPR).
4. Treatment of the request
In case of a request to transfer, the controller will have to provide without delay and at the latest within a month information on the consequences that have been given to this request.
The transfer should be without costs, unless for requests that are clearly unfounded or excessive, because of their repetitive character.
5. Relevance at the end of the employment relationship
The question arises to what extent the right to data portability applies at the end of the employment relationship. Does the ex-employee for example have the right to transfer the mobile phone number that was given to him or the contact data of his contacts in Outlook?
The WP29 emphasises that for the application of the right to data portability in an HR context it must be specifically checked each time to what extent the various conditions (see point 2) are fulfilled.
Given these conditions, it seems to us that the right to data portability to a new employer should be interpreted in the sense that it concerns only basic data that are provided by the employee himself and that concern him (e.g., address, bank account number, family situation).
The transfer of other data, such as a mobile phone number or contact data in Outlook, would indeed seem to quickly affect the rights and freedoms of the employer (e.g., the right to keep the number and the right to confidentiality of business information) and/or of third parties (e.g., the right to privacy). Time will tell where precisely the limits will be.