Right to data portability: How to make a data portability request
–– 15 May 2019
Know your rights. It’s your right to be able to transfer your data to another organisation, this is called the right to data portability. You also have the right to get your personal data back in an accessible and readable format.
This right is covered in Article 20 of the GDPR, as follows:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”
This guide will show you how to make a data portability request, under what circumstances you can exercise this right and what to expect from organisations.
What data does this relate to?
The right to data portability is similar to the right of access but there are some differences. For example the right only applies to data that:
- Is held electronically
- You have provided to the organisation
Data you have provided does not just mean information you have typed in, such as an email address or postal address. It may include any data the organisation has gathered from device such as location history. Examples of things included:
- Website or search history
- Traffic and location data
- ‘Raw’ data processed by objects such as smart meters and wearable devices (Think Fitbit!)
How do I transfer my data from one organisation to another?
To exercise your right to data portability you should:
- Make your request directly to the organisation
- State what you want
You can send a data portability request in any format. A request can be verbal, in writing, via social media or by using our free tool Tapmydata.
If you make a verbally we recommend that you follow up in writing because doing so gives you proof of your actions should you need to challenge that organisation at a later date.
Use a tool, make life easier
We built Tapmydata to make it easy for citizens to exercise their data rights.
When to make a portability request
You can make a portability request at any time to any organisation that:
- Is using you personal data that you have consented to
- Uses your data as part of a contract you have with them
Check out the organisation’s privacy notice which will tell you more about why it is using your data.
I am not happy with the response, what can I do?
If you are still unsatisfied, you can make a complaint to the Information Commisioner’s Office (ICO).
What should organisations do?
The organisation must provide a copy of the requested data in a commonly used and machine-readable format, such as a pdf file. The organisation may also allow you to access the data yourself through an automated tool.
Once an organisation has confirmed your identity, they should send the data to you or to an organisation you have identified.
Be careful, the organisation might not delete your data after giving it to you, or sending it to another organisation. If you want your data deleted afterwards you need to exercise your right to erasure.
Can the organisation say no?
If the organisation believes that a request is, as the law states, “manifestly unfounded or excessive” it can:
- Request a reasonable fee to deal with the request, or
- Refuse to deal with the request
In either case the organisation must tell you and justify its decision.
When should I get a response?
Organisations generally have one calendar month to respond to your data portability request. In some situations it may need more time to consider the request, and this can take up to an extra two months.
The organisation must let you know within one month that it needs more time and the reasons why.
Will it cost me anything?
Generally, no! Organisations can only charge a fee if your data portability request is as the law states “manifestly unfounded or excessive”. The organisation then may be able to ask for a fee for admin costs associated with your request.