PONT Data&Privacy

Checklist: Data portability

The General Data Protection Regulation (GDPR, abbreviated AVG in Dutch) introduces a right to portability of personal data (Art. 20 AVG). This right complements the right of inspection (art. 15 AVG). In a number of situations (see below), it entitles the data subject to have personal data concerning him/her transferred by the controller to another controller (see also WP 242 and recital 68 AVG). This checklist has been drawn up from the perspective of the "sending" controller.

7 November 2018

The right to portability does not include all (personal) data held by the controller. It must concern collections of personal data that the data subject has himself provided to the controller (recital 68 AVG). Think of files on social media or order lists. The term "provide" must be interpreted broadly (see below).

A request for transfer does not affect the data subject's other rights (inspection, correction, erasure). This means that what is transferred is a copy of the data. If the data subject wants all data to be deleted, he or she must make a separate request to the data controller.

General aspects:

is the data processing system set up to comply with requests (Art. 25(1) AVG, last sentence: data protection by default settings);
is there an analysis of organization/sector specific requests (is there already a definition of standard data sets for transfer);
is the data subject informed about his right to portability (art. 13(2)(b), 14(2)(c) AVG);
does the request concern personal data (in the case of a document containing an opinion: only the personal data contained in the opinion);
does the request concern personal data provided by the data subject to the controller (art. 20(1) AVG);
the concept of provision is given a sufficiently broad interpretation (not only social media pages but also order lists of books or music via an online shop); see also WP 242;
it has been taken into account that also "observed data" such as, for example, via e-health devices may be covered;
it concerns processing on the basis of consent or agreement (art. 20(1)(a) AVG);
it concerns automated processing (art. 20(1)(b) AVG);
does it concern processing necessary in the framework of public authority or public interest (then no right to transfer) (Art. 20(3) AVG);
does the request concern the controller's own analyses and processing on the basis of the provided data (then no right to transfer (WP 242 p. 10));
does the data subject ask for the personal data to be provided only to himself (art. 20 para. 1 AVG);
does the data subject ask the data controller to provide the personal data to another data controller (art. 20 paragraph 2 AVG);
is it technically possible to have the data sent directly to the other data controller (Art. 20 paragraph 2 AVG);
sectoral standards have been agreed upon for data exchange between data controllers;
there is concurrence with another legal data portability regulation (in which case the data subject must specify which regulation he invokes, e.g. in the case of a request under the Payment Services Directive 2 (PSD 2)).

Exceptions:

the starting point is that the data subject requests the data for the purposes intended by the legislator ("strengthening control over one's own data"). If the data subject's aim is to cause a nuisance to the controller, the controller need not comply with the request:
- for what purpose is the data subject requesting the data;
- is there a misuse of right or abuse of power (3:13 DCC);
- is there a lack of an interest (3:303 DCC).
are there rights and freedoms of others that oppose transfer (Art. 20(4) AVG; Art. 23(1)(i) AVG); [note: complex subject matter: see WP 242, p 11/12];
is there a violation of intellectual property rights or secrecy obligations (Recital 63 AVG; see also WP 242 p. 12);
is there one of the other exceptions of Art. 23 AVG or Art. 41 and 47 UAVG, respectively.

Procedural aspects (Art. 12 AVG):

a procedure has been set up to follow up on a request (see also checklist 21 for inspection requests);
the statutory deadlines are taken into account (art. 12 paragraph 3 AVG is based on one month); a simple identification procedure is used (art. 12 paragraph 2 AVG);
is there reason to ask for a reimbursement of costs (art. 12 paragraph 5 AVG); in principle, no costs may be charged, but this may be done in the event of excessive requests.

Considerations for refusal of request:

the data subject must be informed without delay, and at the latest within one month, of the refusal and of his/her right to object before the AP or the court (Art. 12(4) AVG);
the data subject can request the AP to mediate (Art. 35, 36 UAVG);
the data subject can start petition proceedings before the court (Art. 35, 36 UAVG);
data subject has started the proceedings in time (see deadlines Art. 35 and 36 UAVG).

Other comments:

The data subject has the right to "his" personal data. The receiving data controller is not unreservedly free to start using data that also relate to third parties if this again requires the consent of those third parties (WP 242, p. 11/12).

This is a checklist from the publication Checklist Privacy AVG: privacy policies in 57 checklists

This article can also be found in the AVG file
