Right to data portability
People have the right to receive the personal data that organisations have of them. This enables them, for example, to transfer their data easily to another provider of the same type of service. They also can ask organisations to transfer their data directly to another organisation. This is called the right to data portability, or the 'right to have data transferred'.
When transfer of data is and is not possible
The right to data portability does not apply to all types of data. Firstly, people can only have digital data transferred. The right to data portability therefore does not apply to paper files. Secondly, transfer of data is only possible if an organisation processes personal data with someone's consent or if the data are necessary for the performance of a contract with that person. This also includes, for example, the titles of books someone bought in an online shop or songs that the person listened to through a music streaming service.
All personal data provided
An organisation that receives a request for transfer of data from someone has to make all personal data available that this person has provided to the organisation. This does not only concern data that someone has provided actively and consciously, such as the account data entered in an online form (email address, user name, age, etc.). It also concerns the data that this person has indirectly 'provided' by using a service or a device. For example:
- someone's search history or location data;
- (raw) data such as someone's heart rate recorded through a fitness tracker;
- titles of books that someone bought in an online shop;
- songs that someone listened to through a music streaming service.
No derived personal data
The organisation is not obliged to provide derived personal data. These are data generated by the organisation itself through, for example, data analysis, such as a credit score or a profile that the organisation has drawn up of someone.
Difference between right of access and right to data portability
The right of access and the right to data portability are not the same. The difference is in the form in which an organisation provides the personal data if someone makes a request. In addition, there are certain data that an organisation is not obliged to provide if someone asks for data portability, but must provide if that person makes a request for access.
Form of request for access
Does someone make a request for access at an organisation? Then the organisation has to provide a copy of the data of this person. This may be an overview of the personal data or copies of the documents in which the data can be found. With this information, the requester must be able to check if the data are correct and if the organisation processes the data correctly.
Form of a request for data portability
Does a customer ask an organisation for a transfer of personal data? Then the organisation must provide the data in a form that makes it easy for the customer to reuse the data and transfer them to another organisation. For this reason, the organisation is obliged by law to provide the data in a structured, commonly used and machine-readable format.
Difference in data
In the case of a request for data portability, the organisation is not obliged to provide derived data. But if someone makes a request for access, the organisation will have to provide these derived data.
Informing about the right to data portability
Organisations have to inform their customers about their right to data portability, if this applies. This is the case when the organisation processes data of customers based on their consent or for the performance of a contract with them.
It is particularly important that organisations explain clearly which data their customers can request using the right of access and which data using the right to data portability. They should also draw the attention of their customers to the option of data portability if customers want to terminate their contract with the organisation.
For consumers: asking for transfer of personal data
Do you want to receive the personal data that an organisation has of you? For example, because you want to terminate your contract with the organisation and want to transfer your data to another organisation? Then ask the organisation to do so in writing, by email or letter. You can use the data portability example letter of the Dutch Data Protection Authority for your request.
At Using your privacy rights, you can read about what to do if you want to ask for data portability. And what you can expect from the organisation then. For example: the organisation has to verify your identity first.
Response to a request
The organisation has to give a response to your request within 1 month.
- Does the organisation decide to transfer your data? Then the organisation will have to do this as soon as possible. That is within 1 month at the latest.
- Does the organisation refuse your request? Then the organisation will have to let you know why. Read what you can do if you do not agree with the refusal.
- Does the organisation not respond within 1 month? Read what you can do if the organisation does not respond.
For organisations: right to data portability in practice
Do you, as an organisation, receive a request for transfer of data? Take a look at For organisations: privacy rights in practice to see what you have to do to handle the request in accordance with the rules (among other things: verify the requester's identity, reply period). In addition, the following particulars apply for the right to data portability:
- determine which data you have to transfer;
- determine in which format you transfer the data;
- help your customers choose;
- avoid data breaches;
- retain the data as long as usual;
- only process necessary data of a new customer.
Determine which data you have to transfer
Determine which personal data you have to transfer and which not. You have to make available all personal data that the customer has provided to you. You have to give this a broad interpretation. Also see: When transfer of data is and is not possible.
Determine in which format you transfer the data
You have to transfer the personal data in a structured, commonly used and machine-readable format. The best format for the provision of data varies for each sector. The aim is that your customers can easily reuse their data in a different environment.
This means that you have to ensure that your customers will be able to transfer their data directly to another organisation. This can be done with, for example, an 'application programming interface' (API), enabling a connection between your system or application and the system or application of another party. This could also be a trusted third party, that stores the transferred data and can pass them on, at the request of a customer, to multiple organisations.
In addition, you have to provide not only the factual contents, but also as many relevant metadata as possible, such as time, sender, addressee, etc. This allows the meaning of the transferred information to be preserved as well as possible.
Help your customers choose
Probably, you often process information that contains personal data of several people. Does a customer ask for the call records, for example? Then this overview will contain personal data not only of your customer, but also of the persons whom your customer has called or received calls from. You have to provide the complete overview to your customer.
Does your customer subsequently pass on the overview to another organisation? That organisation must have a legal basis for processing the data of the other people. This means that the organisation is not allowed, for example, to use these data for advertising purposes without a good reason.
It is advisable to help your customers make a careful choice with regard to the data they want to transfer to another organisation. You can do this, for example, by offering layered options for transfer. Such as the choice between all data or last year's data only. Or the choice between all contacts or selected contacts when transferring an address book.
Avoid data breaches
You are neither responsible for what a customer subsequently does with the data transferred by you, nor for the processing of these data by another organisation. You are responsible, though, for preventing the right to data portability from leading to data breaches. For this reason, you always have to check the identity of your customers with due care. You can do so by offering a good authentication mechanism, for example, to ensure that you do not transfer personal data to the wrong person.
Retain the data as long as usual
You retain the data of your customers for as long as you would normally do this. You do not have to retain the data any longer for possible requests for data portability. Nor do you have to destroy the data after a request for data portability. Your customers can make a request for data portability for as long as they are a customer at your organisation.
Only process necessary data of a new customer
Do you receive data from a new customer? And did this customer request data from another organisation and subsequently transfer them to you? Then you have to consider carefully which of these data are necessary for the purpose of your data processing. You have to destroy all other data as soon as possible.
It is advisable that you give clear information beforehand to new customers about which data are necessary for the service that you offer. In this way, your customers can make a conscious choice about which data they transfer to you. This will reduce the risk that your new customers disseminate data of themselves and/or others while this is not necessary.
Example letter
Do you want to exercise your right to data portability? Our example letter makes it easier to contact organisations.