The Article 29 Working Party (WP29), an independent European Union Advisory Body on Data Protection and Privacy, composed of representatives from each of the EU Member States, the European Data Protection Supervisor, and the representative of the European Commission, has issued guidance on the application of this new right. According to the published guidelines, the right to data portability applies only to data controllers. Nevertheless, data processors have a contractual obligation to assist data controllers in answering data portability requests.
The right to data portability is not a general right, instead for Article 20 to apply three cumulative conditions need to be met:
The personal data needs to be automated, meaning that the new right cannot be exercised to e.g. paper files. It also needs to be processed on the basis of prior consent of the data subject (e.g. by filling out an online form), or by contract to which the data subject is a party to.
It is essential that the requested personal data concerns and is provided by the data subject. Anonymous data does not fall under the scope of Article 20, however, pseudonymous data does if it can be clearly linked to the data subject; hence, personal data includes data that is observed from the activities of users, including raw data processed by a smart meter or other types of connected objects, activity logs, history of website usage or search activities. Moreover, “provided by” is a wording that requires broad interpretation to include both data provided actively and knowingly by the data subject (e.g. age, date of birth, contact information etc.), but also data provided indirectly by the data subject (e.g. by using services or devices producing metadata including search histories, location data etc.), however, excluding personal data inferred or derived by the data controller from data provided by the data subject (e.g. a credit rating or health score resulting from the application of algorithms to the data subject's personal data).
The right should not adversely affect the rights and freedoms of third parties. Under this rule when data is transferred under a data portability request and third party data is included in the requested data set, the new data controller should only process these data when there is an appropriate legal ground to do so (i.e. purely personal or household activities) .