The right to transfer personal data and the obligations of administrators


The General Data Protection Regulation (GDPR) will enter into force in May 2018. The GDPR broadly regulates the rights of people whose personal data is processed. The GDPR will introduce the so-called the right to transfer personal data. What is this right and what are the obligations of personal data administrators?

The right to transfer personal data - what is it?

The right to transfer personal data has been regulated in Art. 20 GDPR. As stipulated in this provision, each person has the right to receive from the administrator the personal data provided to the administrator. The administrator is obliged to provide personal data in a structured format (e.g. in a pdf file). The transferred file is to be of such a format that it is possible to read it by computer. It is important that the transfer of personal data will include not only personal data provided to the administrator, e.g. when concluding a contract, but also other personal data generated during the term of the contract. This means that the right to transfer personal data will apply to all data that the administrator has collected about a specific person. For example, if the customer places different orders during the term of the contract, the information about the date of each order, as well as the delivery address data will be covered by the right to data portability.

Who can exercise the right to data portability?

Any person wishing to exercise their right to transfer personal data will be able to request that the current data administrator send the data to another administrator. This is to facilitate the use of the services of other entities to which anyone will be able to provide historical data about him. In the event of a large amount of data collected by administrators, the information generated will be very extensive. However, the GDPR does not limit the right to data portability quantitatively, therefore it should be considered that this right covers all personal data "generated" by the controller.

In order to respond to the GDPR requirements, personal data administrators will have to prepare their IT systems to quickly respond to requests from individuals for the portability of personal data. It can certainly turn out to be costly, as not all IT systems used by administrators are adapted to generate such extensive information as required by Art. 20 GDPR.

Consequences of not providing personal data

It should be remembered that the GDPR introduces pecuniary sanctions for violating the law, including the right to data portability. Failure to provide data in accordance with Art. 20 GDPR may expose the data controller to a fine of up to EUR 20,000,000.When imposing a penalty, GIODO will be required to take into account, inter alia, previous breaches of the GDPR or the degree of cooperation with the administrator during the control procedure.

Considering the complexity of the solutions adopted in the GDPR, as well as the wide range of changes in the field of personal data protection, it is worth considering the implementation of personal data protection procedures in every organization.

Łukasz Łyczkowski