The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.
Question: Does a company’s reason for processing information impact whether it must honor a right to data portability?
Answer: Yes. The right to receive personal data in a portable format is not an absolute right and only applies in a narrow set of circumstances.
When determining whether a right to data portability must be honored, one of the factors that companies look to is why they collected the information in the first place, and their purpose in continuing to use it. The GDPR recognizes six situations in which a company may process personal data. When processing is based on some of those situations, referred to as permissible purposes, a request for portable data may always be denied; when processing is based on other permissible purposes, a request for portable data may, or may not, need to be honored depending upon additional factors.
The following chart indicates which permissible purposes confer which substantive rights on individuals, and highlights those that relate to the right to receive data in a portable format. A “Y” indicates that an individual’s request may have to be honored; an “X” indicates that in almost all situations an individual’s request can be denied.
| Permissible Purpose | Right to be forgotten | Right to Access data | Right to data portability | Right to rectification | Right to object to processing |
|---|---|---|---|---|---|
| Consent (i.e., Article 6(1)(a)) | Y | Y | Y1 | Y | Y2 |
| Contract (i.e., Article 6(1)(b)) | Y | Y | Y3 | Y | X |
| Compliance with legal obligation (i.e., Article 6(1)(c)) | X | Y | X | Y | X |
| Protecting vital interest of data subject (i.e., Article 6(1)(d)) | Y | Y | X | Y | X |
| Public interest (i.e., Article 6(1)(e)) | Y4 | Y | X | Y | Y |
| Legitimate interest of controller (i.e., Article 6(1)(f)) | Y5 | Y | X | Y | Y |