Guidelines on the right to data portability (Q3968)

From Wikibase Personal data
No description defined
Language: English
Label: Guidelines on the right to data portability
Description: No description defined
Also known as:

    Statements

    13 December 2016
    "One of the ways in which a data controller can answer requests for data portability is by offering an appropriately secured and documented Application Programming Interface (API)."
    "By granting access to data via an API, it may be possible to offer a more sophisticated access system that enables individuals to make subsequent requests for data, either as a full download or as a delta function containing only changes since the last download, without these additional requests being onerous on the data controller."
    "For instance, they should offer a direct download opportunity for the data subject but should also allow data subjects to directly transmit the data to another data controller. This could be implemented by making an API available."
    5 April 2017
    "Article 12 prohibits the data controller from charging a fee for the provision of the personal data, unless the data controller can demonstrate that the requests are manifestly unfounded or excessive, “in particular because of their repetitive character”...."
    "... For information society services that specialise in automated processing of personal data, implementing automated systems such as Application Programming Interfaces (APIs) can facilitate the exchanges with the data subject, hence lessen the potential burden resulting from repetitive requests."
    "Such hindrance can be characterised as any legal, technical or financial obstacles placed by data controller in order to refrain or slow down access, transmission or reuse by the data subject or by another data controller. ..."
    "...For example, such hindrance could be: fees asked for delivering data, lack of interoperability or access to a data format or API or the provided format, excessive delay or complexity to retrieve the full dataset, deliberate obfuscation of the dataset, or specific and undue or excessive sectorial standardization or accreditation demands"
    "These two different and possibly complementary ways of providing relevant portable data could be implemented by making data available through various means such as, for example, secured messaging, an SFTP server, a secured WebAPI or WebPortal."
    "[A] practical way by which a data controller can answer requests for [] portability may be by offering an appropriately secured and documented API. This may enable individuals to make requests [] for their personal data via their own or third-party software or grant permission for others to so do on their behalf (including another data controller) as specified in Article 20(2) of the GDPR."
    "By granting access to data via an externally accessible API, it may also be possible to offer a more sophisticated access system that enables individuals to make subsequent requests for data, either as a full download or as a delta function containing only changes since the last download, without these additional requests being onerous on the data controller."