Article 12
Restriction of the duty to provide information to the minister
Right to receive and transfer personal data
The right to data portability is established by Article 20 of the GDPR. This article provides data subjects with the right to receive the personal data they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance. This right applies where the processing is based on consent or on a contract, and is carried out by automated means. The right to a copy of personal data, as articulated in Article 20, is distinct from the broader right of access under Article 15. As explained in the authoritative commentary, the data subject is entitled to a copy of the personal data itself, not necessarily a copy of the original documents containing that data, provided the essence of the right is fulfilled.
The core obligation for controllers is to provide the personal data in a portable format upon request. The commentary clarifies that this right is not absolute; it does not extend to data generated by the controller (e.g., analytical inferences) unless they are based on data provided by the subject. The practical interpretation requires organizations to have technical systems capable of exporting specific datasets in interoperable formats (like CSV or JSON). The case law referenced, such as Bara, underscores the importance of transparency regarding data flows, which is a foundational element for a meaningful portability right. While not a direct portability case, it reinforces that controllers cannot rely on generic legal bases to circumvent specific informational duties to data subjects, a principle that underpins the exercise of Article 20 rights.
Schrems II
“the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of natural persons with regard to the processing of personal data. Each of those authorities is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down in that regulation” / “The exercise of that responsibility is of particular importance where personal data is tra
Schrems II
“[…] the standard data protection clauses adopted by the Commission on the basis of Article 46(2)(c) of the GDPR are solely intended to provide contractual guarantees that apply uniformly in all third countries to controllers and processors established in the European Union and, consequently, independently of the level of protection guaranteed in each third country. In so far as those standard data protection clauses cannot, having regard to their very nature, provide guarantees beyond a contrac
Schrems I
Independence of DPA: The Directive seeks to ensure an effective, complete, and high level of protection of the fundamental rights and freedoms of natural persons. The guarantee of a DPA’s independence is intended to ensure effectiveness and reliability of the monitoring of compliance, and is an essential component of data protection. DPAs’ powers extend to their own Member State, but not to processing in third countries. However, DPAs are responsible for monitoring transfers from a Member State t
Schrems I
Necessity/proportionality: The Decision does not contain any finding regarding US rules intended to limit the interference when they pursue legitimate objectives such as national security, nor refer to effective legal protection against such interference. FTC procedures and private dispute resolution mechanisms concern compliance with safe harbor principles (against US organizations) and cannot be applied with respect to measures originating from the State. Moreover, the Commission found that if
Bara
Right to be informed: National law that does not require the specific transfer involved in the case cannot constitute “prior information” under Article 10 of Directive 95/46 (information requirement where data is collected from the data subject), enabling the controller to dispense with his obligation to inform the data subject of the recipients of the data. (¶¶ 34–38). Article 11 (information requirement where data is not collected from data subject) requires that specified information be provi
Bara
Personal data: Tax data transferred are personal data, since they are “information relating to an identified or identifiable natural person.” (¶ 29)
Bara
Processing: Both the transfer of the data by ANAF, and the subsequent processing by CNAS, constitute processing of personal data. (¶ 29)
Dennekamp II
Data transfers: Articles 7–9 of Regulation 45/2001 precisely limit the possibility of transferring personal data so as to make it subject to strict conditions which, if not fulfilled, prohibit any transfer. Those conditions always include the necessity of the transfer in the light of various aims. (¶ 58)
V. v. Parliament
Lawful Basis: The applicant did not consent to the transfer of her medical file by the Commission to the European Parliament. The transfer was not “necessary for the purposes of complying with the specific rights and obligations of the controller in the field of employment law,” in accordance with Article 10(2)(b). The Parliament’s obligation to control fitness for duty could have been achieved by less intrusive means. Nor does Article 10(3) justify the transfer. (¶¶ 137–139)
PNR
Transfers: Where the transfers of personal data are authorized under an agreement that was adopted ultra vires, the authorization is void.
Guidelines on certification and identifying certification criteria
Guidelines on codes of conduct and monitoring bodies
Guidelines on consent
Guidelines on data protection by design and by default
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines on restrictions under Article 23 GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
The GDPR does not provide for a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer: - 1) A controller or a processor ('exporter') is subject to the GDPR for the given processing. -...
Guidelines on the targeting of social media users
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines on the interplay between the application of Article 3 and Chapter V of the GDPR
The GDPR does not contain a legal definition of the notion 'transfer of personal data to a third country or to an international organisation'. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria that a processing operation must meet to qualify as a transfer: - 1) A controller...
Guidelines on codes of conduct and monitoring bodies
The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...
Guidelines on derogations of Article 49
Guidelines on the territorial scope of the GDPR
Guidelines on the use of facial recognition technology in the area of law enforcement
More and more law enforcement authorities (LEAs) apply or intend to apply facial recognition technology (FRT). It may be used to authenticate or to identify a person and can be applied on videos (e.g. CCTV) or photographs. It may be used for various purposes, including to search for persons in police watch lists or to monitor a person's movements in the public space. FRT is built on the processing of biometric data, therefore, it encompasses the processing of special categories ...
Guidelines on transparency
Guidelines on virtual voice assistants
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the latest years, even standalone devices like smart speakers. VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal...
Guidelines on derogations of Article 49
Guidelines on restrictions of data subject rights
Guidelines on the use of facial recognition in law enforcement
More and more law enforcement authorities apply or intend to apply facial recognition technology. The technology can be used to authenticate or to identify a person and can be applied to videos (e.g. CCTV) or photographs, but also for other purposes, including searching for persons on police watch lists or monitoring a person's movements in the public space. Facial recognition technology is based...
As instability in the US legal system becomes undeniable and the US shows open signs of hostility towards the EU, it is time to reconsider where our data is flowing
Brussels, 5 November - During its latest plenary, the EDPB adopted an opinion on the European Commission’s draft decision on the adequate level of protection of personal data in Brazil. Once adopted, the decision will ensure that personal data can flow freely from Europe to Brazil and that individuals can retain control over their data. In its opinion, requested by the Commission, the EDPB assesses whether the Brazilian data protection framework and the rules on government access to personal da
> Meta plans to change its terms of service and privacy notices for U.K. users, Bloomberg reports. U.K. Facebook, Instagram and WhatsApp users will retain data rights under the U.K. General Data Protection Regulation while the company moves user data out of the EU General Data Protection Regulation's jurisdiction. A Meta spokesperson said the updates, which were planned following the U.K.'s 2020 Brexit agreement, "don't change the way we treat UK users’ data." The move als
Under Clause 14 of the Data Transfer SCCs, the data importer must carry out a transfer risk assessment to verify whether the laws and practices of the receiving third country could prevent the data importer from complying with the Data Transfer SCCs. If the risk assessment shows that the Data Transfer SCCs alone will not ensure an essentially equivalent level of protection for the personal data in the receiving third country, supplementary safeguards will need to be implemented, such as end-to-e
> Legally, until an adequacy determination is granted, companies should continue to follow the European Data Protection Board’s recommendations on measures that supplement transfer tools. But, once the EU is named as a “qualifying state” (assuming it will be) and complaints can be submitted, this should become less daunting. The EDPB recommendations state that companies must “assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appro
The GDPR incorporates the RBA for all obligations of the controller in the GDPR. Where the transfer rules are stated as obligations of the controller (rather than as absolute principles), the RBA of Article 24 therefore applies. Contrary to what the DPAs assume, this is not contradicted by the ECJ in Schrems II nor by the EDPB recommendations on additional measures following the Schrems II judgment, according to Lokke Moerel, Professor of Global ICT Law at Tilburg University and a Dutch Cyber Security
The CLOUD Act agreements between the US and UK will likely improve the digital privacy rights of US and UK citizens, but they will further undermine these rights for Third Country Persons (e.g. from the EU). The US and UK should voluntarily extend Fourth Amendment and Article 8 protections to these persons, according to an article in the Brooklyn Journal of International Law.
The Danish Data Protection Agency has looked into the tool Google Analytics and its settings, and the terms under which the tool is provided. On the basis of this review, the Danish Data Protection Agency concludes that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google.
> The fine is the result of an investigation that began in 2020 and focused on the company’s processing of children’s personal data. Based on press reports, the investigation focused on children between the ages of 13 and 17 who were allowed to operate business or creator Instagram accounts. As a result, children’s phone numbers and email addresses were publicly accessible.
> “Based on the facts of the case, we do not see how [Meta] could have continued its personal data transfers following the Schrems II judgment had it acted in accordance with the GDPR,” the Norwegian objection reads.
> The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo. […] Under the CNIL’s sanction procedure, Criteo has the right to respond to the report, both with respect to the alleged infringements and the proposed sanction.
> In a landmark ruling of 21 June 2022, the CJEU (Grand Chamber), upheld the EU’s regime to collect and use records of travellers, provided that it is strictly interpreted in line with the EU’s fundamental rights. In addition, indiscriminate processing of the data in cases of flights carried out only within the EU is banned unless there is a threat of terrorism. In general, the passengers’ data must also be deleted after six months at the latest.
The European Commission faces a lawsuit over allegations it is violating its own data protection rules by transferring citizens’ personal data on one of its websites to Amazon Web Services in the United States.
The European Commission is to face a lawsuit over allegations it is violating its own data protection rules when transferring citizens' personal data from one of its websites to the United States.
> The Italian SA came to this conclusion after a complex fact-finding exercise it had started in close coordination with other EU data protection authorities following complaints it had received.
> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).