Know your rights. The right to data portability

The right to data portability gives you the power to receive and move your personal data, such as emails, contacts, calendars, financial information, health information, favorites, friends, or content posted on social media – from one service to another or yourself.

This right is all about making your data work for you without any roadblocks. For example, when switching to a new device or app, you can ask your old app for a readable copy of your heart rate log and transfer it there. Or you can retrieve your contact list from a webmail application to build a wedding list or keep your data in a personal data store.

You have the power when it comes to your personal information.

What it is

The right to data portability (Article 20 of the GDPR) allows you to request and receive any personal data you have given to an organization. This enables you to move, copy, or transfer the data to another organization or retain it for your personal use, as you prefer.

This right is applicable when personal data is collected within the context of a contract or based on consent, specifically for digital data (not paper forms).

With the right of portability, you have the freedom to:

• Move your personal data from one controller to another, like when switching accounts with banks, pension, energy suppliers, or insurance companies, without facing obstacles.

• Save your personal data from a controller on your private device for your own use.

• Get a copy of your personal data in a format that makes it simple for you to reuse.

The technical elements of transferring or transmitting data are the controller's responsibility, not yours.

What type of data can you transfer?

Data you can transfer includes basic details like your mailing address, username, and age, as well as data resulting from your activities while using a device or service. This may be your browsing history or search activities, traffic and location data, and even "raw" data processed by connected objects like smart meters and wearable devices. In a nutshell, you must be able to move a wide range of information that you've shared or generated during your interactions with different services and devices.

Example story

Tom uses an online accounting service but decides to switch to a different one. He asks the current service, which has all his financial info, to give him that data so he can easily move it to the new service.

The current service has to provide this data in a way that's easy for machines to read, like using formats such as XML, JSON, or CSV. Giving him the data in PDF might not make it easy for him to reuse it efficiently.

How to exercise your right to portability

Step 1: Find out where to send your request

If you want to move your data, check if the controller offers a download option directly from your account. Many services provide this feature, allowing users to access and manage their information without additional steps.

If this option isn't available, you can make your request through email, letter, or fax. Ensure you keep a written record of your request. Email the company responsible for the personal information you wish to transfer. Typically, you'll find the appropriate email address in their website's "privacy policy" or "contact us" section.

Step 2: Craft your request

Let the controller know that you want your data transferred and specify where you want it to go (like getting a copy on your personal device, receiving a copy for use with another provider,

or sending it directly to another provider).

• Mention your name or any identifier the controller uses (like an account username). To help them handle your request faster, include some details that can identify your account, such

as your phone number (if provided during sign-up), username, account name, or IP address. This is especially useful if you have a common first and last name.

• If your request is attached to an email or letter, include the date in the text to help them set the deadline for your request.

Step 3: Wait for the controller's reply

After you've sent your request, the controller has a month to reply. If things get complicated or

there are many requests, they can stretch this once, but only for up to two more months. If they need clarification on your identity, they might ask for more info to confirm who you are.

What to expect

The controller will explore various methods to transfer your data, such as directly sending the entire set of portable data or specific extracts from the global dataset. They might also use an automated tool to extract the relevant data.

Next, they'll give you or the other controller your data in a structured, commonly used, and machine-readable format. This means the data should be organized in a readable format for you and in a widely used format that a computer can automatically read and process. The controller is responsible for ensuring your data is securely sent to the correct destination. If the controller denies your request without a satisfactory explanation, tries to charge you for it, or doesn't respond within a month (or an extended period of up to three months), you have the right to file a complaint with a data protection authority in your country.

In the US, the right to data portability exists under HIPAA, where individuals are entitled to request that medical information held by a health services provider be transferred to another health services provider. In addition, the CCPA currently provides a right of data portability for their respective state residents. Recent state privacy laws, including the CPRA, Virginia CDPA, the Colorado Privacy Act, the Utah Consumer Privacy Act, and the Connecticut Privacy Act, provide a similar right to data portability.

Looking to master the art of managing and safeguarding your online information like an expert? Bitdefender Digital Identity Protection has got you covered. It actively monitors your digital identity, providing timely alerts on when and how to take action. Stay informed, enhance your privacy, and fortify yourself against potential breaches.

Sources: European Commission, noyb.eu, Data Protection Laws and Regulations USA 2023