The GDPR Article 20 introduces a new right to “data portability” to enable data qwners to easily move or copy their personal data to another environment . The Opinion of the WP29 clarifies the conditions of application and provides concrete examples to explain the circumstances in which this right applies.
The Opinion states that this right is only applicable if the data processing is based on the consent (or the need to perform a contract) and is limited to the personal data provided by the data owner (including personal data concerning activities of the person concerned or arising from the observation of his behavior, but not by a subsequent analysis of that behavior).
Data Controllers must inform data owners about the availability of portability rights (eg before the closing of an account) and are encouraged to ensure interoperability of the data format provided within a a portability request. This last point is of particular relevance to the IT world, wich will be expected to make these obligations viable. Existing systems could require cumbersome interfaces for extraction and data normalization, while it will be an issue to keep in mind during the design phase for the systems to come: privacy must be “by design”, right?